diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0e99b2fc..b5982397 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -10,8 +10,8 @@ on: env: # Common versions - GO_VERSION: '1.20' - GOLANGCI_VERSION: 'v1.53.3' + GO_VERSION: '1.21' + GOLANGCI_VERSION: 'v1.61.0' DOCKER_BUILDX_VERSION: 'v0.8.2' # Common users. We can't run a step 'if secrets.XXX != ""' but we can run a diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index c55c2181..3601e923 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -8,7 +8,7 @@ jobs: e2e: uses: upbound/uptest/.github/workflows/pr-comment-trigger.yml@main with: - go-version: '1.20' + go-version: '1.21' secrets: UPTEST_CLOUD_CREDENTIALS: "not used" UPTEST_DATASOURCE: ${{ secrets.UPTEST_DATASOURCE }} diff --git a/.gitignore b/.gitignore index d4883310..ed02a6fa 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,5 @@ kubeconfig +vault-auto-unseal-keys.yaml /.cache /.work diff --git a/.gitmodules b/.gitmodules index c2fad470..8f84209c 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,3 +1,3 @@ [submodule "build"] path = build - url = https://github.com/upbound/build + url = https://github.com/crossplane/build diff --git a/.golangci.yml b/.golangci.yml index bf4c47c0..de6b4e16 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -4,13 +4,11 @@ run: timeout: 60m - show-stats: true concurrency: 3 output: - # colored-line-number|line-number|json|tab|checkstyle|code-climate, default is "colored-line-number" - format: colored-line-number print-linter-name: true + show-stats: true linters-settings: errcheck: @@ -108,11 +106,12 @@ linters-settings: linters: enable: - - megacheck + - gosimple + - staticcheck + - unused - govet - gocyclo - gocritic - - interfacer - goconst - goimports - gofmt # We enable this as well as goimports for its simplify mode. diff --git a/Makefile b/Makefile index fcd1c962..af8cd7b4 100644 --- a/Makefile +++ b/Makefile 
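Review bot: The `.gitmodules` hunk moves the `build` submodule to `https://github.com/crossplane/build`, and the Makefile pulls that tree in through `-include build/makelib/...`, so whatever commit `build` is pinned to runs on every `make`, in CI and on developer machines. The gitlink that pins `build` is not visible in this part of the diff; confirm it points at a reviewed commit that exists in the new repository, since the URL change alone does not alter which commit is checked out. Existing clones keep the old URL in `.git/config` until `git submodule sync` runs, which is worth a line in the README next to `make submodules` unless that target already does it.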
@@ -8,7 +8,7 @@ export TERRAFORM_VERSION := 1.5.5 export TERRAFORM_PROVIDER_SOURCE ?= hashicorp/vault export TERRAFORM_PROVIDER_REPO ?= https://github.com/hashicorp/terraform-provider-vault -export TERRAFORM_PROVIDER_VERSION ?= 3.25.0 +export TERRAFORM_PROVIDER_VERSION ?= 4.4.0 export TERRAFORM_PROVIDER_DOWNLOAD_NAME ?= terraform-provider-vault export TERRAFORM_DOCS_PATH ?= website/docs/r @@ -37,7 +37,8 @@ NPROCS ?= 1 # to half the number of CPU cores. GO_TEST_PARALLEL := $(shell echo $$(( $(NPROCS) / 2 ))) -GO_REQUIRED_VERSION ?= 1.20 +GO_REQUIRED_VERSION ?= 1.21 +GOLANGCILINT_VERSION ?= 1.61.0 GO_STATIC_PACKAGES = $(GO_PROJECT)/cmd/provider $(GO_PROJECT)/cmd/generator GO_LDFLAGS += -X $(GO_PROJECT)/internal/version.Version=$(VERSION) GO_SUBDIRS += cmd internal apis 
@@ -93,27 +94,7 @@ fallthrough: submodules @make # ==================================================================================== -# Setup Terraform for fetching provider schema -TERRAFORM := $(TOOLS_HOST_DIR)/terraform-$(TERRAFORM_VERSION) -TERRAFORM_WORKDIR := $(WORK_DIR)/terraform -TERRAFORM_PROVIDER_SCHEMA := config/schema.json - -$(TERRAFORM): - @$(INFO) installing terraform $(HOSTOS)-$(HOSTARCH) - @mkdir -p $(TOOLS_HOST_DIR)/tmp-terraform - @curl -fsSL https://releases.hashicorp.com/terraform/$(TERRAFORM_VERSION)/terraform_$(TERRAFORM_VERSION)_$(SAFEHOST_PLATFORM).zip -o $(TOOLS_HOST_DIR)/tmp-terraform/terraform.zip - @unzip $(TOOLS_HOST_DIR)/tmp-terraform/terraform.zip -d $(TOOLS_HOST_DIR)/tmp-terraform - @mv $(TOOLS_HOST_DIR)/tmp-terraform/terraform $(TERRAFORM) - @rm -fr $(TOOLS_HOST_DIR)/tmp-terraform - @$(OK) installing terraform $(HOSTOS)-$(HOSTARCH) - -$(TERRAFORM_PROVIDER_SCHEMA): $(TERRAFORM) - @$(INFO) generating provider schema for $(TERRAFORM_PROVIDER_SOURCE) $(TERRAFORM_PROVIDER_VERSION) - @mkdir -p $(TERRAFORM_WORKDIR) - @echo '{"terraform":[{"required_providers":[{"provider":{"source":"'"$(TERRAFORM_PROVIDER_SOURCE)"'","version":"'"$(TERRAFORM_PROVIDER_VERSION)"'"}}],"required_version":"'"$(TERRAFORM_VERSION)"'"}]}' > $(TERRAFORM_WORKDIR)/main.tf.json - @$(TERRAFORM) -chdir=$(TERRAFORM_WORKDIR) init > $(TERRAFORM_WORKDIR)/terraform-logs.txt 2>&1 - @$(TERRAFORM) -chdir=$(TERRAFORM_WORKDIR) providers schema -json=true > $(TERRAFORM_PROVIDER_SCHEMA) 2>> $(TERRAFORM_WORKDIR)/terraform-logs.txt - @$(OK) generating provider schema for $(TERRAFORM_PROVIDER_SOURCE) $(TERRAFORM_PROVIDER_VERSION) +# Download provider's documentation pull-docs: @if [ ! -d "$(WORK_DIR)/$(TERRAFORM_PROVIDER_SOURCE)" ]; then \ 
@@ -122,9 +103,9 @@ pull-docs: fi @git -C "$(WORK_DIR)/$(TERRAFORM_PROVIDER_SOURCE)" sparse-checkout set "$(TERRAFORM_DOCS_PATH)" -generate.init: $(TERRAFORM_PROVIDER_SCHEMA) pull-docs +generate.init: pull-docs -.PHONY: $(TERRAFORM_PROVIDER_SCHEMA) pull-docs +.PHONY: pull-docs # ==================================================================================== # Targets @@ -161,6 +142,7 @@ run: go.build # End to End Testing CROSSPLANE_NAMESPACE = upbound-system -include build/makelib/local.xpkg.mk +-include build/makelib/local.mk -include build/makelib/controlplane.mk # This target requires the following environment @@ -181,7 +163,14 @@ local-deploy: build controlplane.up local.xpkg.deploy.provider.$(PROJECT_NAME) e2e: build controlplane.up local-deploy uptest -.PHONY: uptest e2e cobertura submodules fallthrough run crds.clean +vault.uninstall: + @$(INFO) uninstalling vault + helm uninstall vault -n vault + @$(KUBECTL) delete pvc -n vault --all + @$(KUBECTL) delete secret vault-auto-unseal-keys --ignore-not-found + @$(OK) uninstalled vault + +.PHONY: uptest e2e cobertura submodules fallthrough run crds.clean vault.uninstall # ==================================================================================== # Special Targets diff --git a/README.md b/README.md index 48a00faf..0cd550c7 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # Provider Vault `provider-vault` is a [Crossplane](https://crossplane.io/) provider that -is built using [Upjet](https://github.com/upbound/upjet) code +is built using [Upjet](https://github.com/crossplane/upjet) code generation tools and exposes XRM-conformant managed resources for the Vault API. 
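Review bot: In `vault.uninstall`, the `delete secret vault-auto-unseal-keys --ignore-not-found` line names no namespace, unlike the `-n vault` on the helm and PVC lines, so it acts on whatever namespace the current kubectl context defaults to, and `--ignore-not-found` hides a miss and leaves the unseal keys in the cluster. Pin it to the namespace the secret is created in, e.g. `@$(KUBECTL) delete secret vault-auto-unseal-keys -n <NAMESPACE> --ignore-not-found` (the target that creates the secret is not in this hunk). `helm uninstall vault -n vault` also fails the recipe when the release is already gone, so a retry never reaches the PVC and secret cleanup; writing it as `-helm uninstall vault -n vault` lets the remaining steps run. If the setup also writes the `vault-auto-unseal-keys.yaml` file that this commit adds to `.gitignore`, removing that file here would keep the keys from lingering in the working tree.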
@@ -111,27 +111,34 @@ You can see the API reference [here](https://doc.crds.dev/github.com/upbound/pro ## Developing +Initialize the repository with +```bash +make submodules +``` + Run code-generation pipeline: -```console -go run cmd/generator/main.go "$PWD" +```bash +make generate ``` Run against a Kubernetes cluster: -```console +```bash make run ``` Build, push, and install: -```console +```bash make all ``` -Build binary: +Build binary, image and Crossplane package (xpkg): -```console +```bash make build +# to build all architectures / platforms, use: +make -j2 build.all ``` ## Report a Bug diff --git a/apis/ad/v1alpha1/zz_generated.conversion_hubs.go b/apis/ad/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..37ddff1a --- /dev/null +++ b/apis/ad/v1alpha1/zz_generated.conversion_hubs.go @@ -0,0 +1,13 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *SecretBackend) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SecretRole) Hub() {} diff --git a/apis/ad/v1alpha1/zz_generated.deepcopy.go b/apis/ad/v1alpha1/zz_generated.deepcopy.go index bb0e6285..3491e0a6 100644 --- a/apis/ad/v1alpha1/zz_generated.deepcopy.go +++ b/apis/ad/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. @@ -59,6 +58,7 @@ func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParame *out = new(string) **out = **in } + out.BindpassSecretRef = in.BindpassSecretRef if in.CaseSensitiveNames != nil { in, out := &in.CaseSensitiveNames, &out.CaseSensitiveNames *out = new(bool) 
@@ -69,6 +69,16 @@ func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParame *out = new(string) **out = **in } + if in.ClientTLSCertSecretRef != nil { + in, out := &in.ClientTLSCertSecretRef, &out.ClientTLSCertSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.ClientTLSKeySecretRef != nil { + in, out := &in.ClientTLSKeySecretRef, &out.ClientTLSKeySecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.DefaultLeaseTTLSeconds != nil { in, out := &in.DefaultLeaseTTLSeconds, &out.DefaultLeaseTTLSeconds *out = new(float64) @@ -94,11 +104,6 @@ func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParame *out = new(bool) **out = **in } - if in.Formatter != nil { - in, out := &in.Formatter, &out.Formatter - *out = new(string) - **out = **in - } if in.Groupattr != nil { in, out := &in.Groupattr, &out.Groupattr *out = new(string) @@ -124,11 +129,6 @@ func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParame *out = new(float64) **out = **in } - if in.Length != nil { - in, out := &in.Length, &out.Length - *out = new(float64) - **out = **in - } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) @@ -306,11 +306,6 @@ func (in *SecretBackendObservation) DeepCopyInto(out *SecretBackendObservation) *out = new(bool) **out = **in } - if in.Formatter != nil { - in, out := &in.Formatter, &out.Formatter - *out = new(string) - **out = **in - } if in.Groupattr != nil { in, out := &in.Groupattr, &out.Groupattr *out = new(string) @@ -341,11 +336,6 @@ func (in *SecretBackendObservation) DeepCopyInto(out *SecretBackendObservation) *out = new(float64) **out = **in } - if in.Length != nil { - in, out := &in.Length, &out.Length - *out = new(float64) - **out = **in - } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) 
@@ -502,11 +492,6 @@ func (in *SecretBackendParameters) DeepCopyInto(out *SecretBackendParameters) { *out = new(bool) **out = **in } - if in.Formatter != nil { - in, out := &in.Formatter, &out.Formatter - *out = new(string) - **out = **in - } if in.Groupattr != nil { in, out := &in.Groupattr, &out.Groupattr *out = new(string) @@ -532,11 +517,6 @@ func (in *SecretBackendParameters) DeepCopyInto(out *SecretBackendParameters) { *out = new(float64) **out = **in } - if in.Length != nil { - in, out := &in.Length, &out.Length - *out = new(float64) - **out = **in - } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) @@ -699,6 +679,16 @@ func (in *SecretRoleInitParameters) DeepCopyInto(out *SecretRoleInitParameters) *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) @@ -826,6 +816,16 @@ func (in *SecretRoleParameters) DeepCopyInto(out *SecretRoleParameters) { *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) diff --git a/apis/ad/v1alpha1/zz_generated.managed.go b/apis/ad/v1alpha1/zz_generated.managed.go index 3577b829..8824bcb4 100644 --- a/apis/ad/v1alpha1/zz_generated.managed.go +++ b/apis/ad/v1alpha1/zz_generated.managed.go 
@@ -27,14 +27,6 @@ func (mg *SecretBackend) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretBackend. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretBackend) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretBackend. func (mg *SecretBackend) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -65,14 +57,6 @@ func (mg *SecretBackend) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretBackend. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretBackend) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretBackend. func (mg *SecretBackend) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -103,14 +87,6 @@ func (mg *SecretRole) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretRole. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretRole) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretRole. func (mg *SecretRole) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -141,14 +117,6 @@ func (mg *SecretRole) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretRole. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretRole) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretRole. func (mg *SecretRole) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/ad/v1alpha1/zz_generated.resolvers.go b/apis/ad/v1alpha1/zz_generated.resolvers.go new file mode 100644 index 00000000..3ae7509f --- /dev/null +++ b/apis/ad/v1alpha1/zz_generated.resolvers.go 
@@ -0,0 +1,56 @@ +/* +Copyright 2022 Upbound Inc. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + reference "github.com/crossplane/crossplane-runtime/pkg/reference" + resource "github.com/crossplane/upjet/pkg/resource" + errors "github.com/pkg/errors" + client "sigs.k8s.io/controller-runtime/pkg/client" +) + +// ResolveReferences of this SecretRole. +func (mg *SecretRole) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("backend", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &SecretBackendList{}, + Managed: &SecretBackend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("backend", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &SecretBackendList{}, + Managed: &SecretBackend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} 
diff --git a/apis/ad/v1alpha1/zz_generated_terraformed.go b/apis/ad/v1alpha1/zz_secretbackend_terraformed.go similarity index 50% rename from apis/ad/v1alpha1/zz_generated_terraformed.go rename to apis/ad/v1alpha1/zz_secretbackend_terraformed.go index 3eec8e86..7aa07639 100755 --- a/apis/ad/v1alpha1/zz_generated_terraformed.go +++ b/apis/ad/v1alpha1/zz_secretbackend_terraformed.go @@ -7,10 +7,11 @@ Copyright 2022 Upbound Inc. package v1alpha1 import ( + "dario.cat/mergo" "github.com/pkg/errors" - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" ) // GetTerraformResourceType returns Terraform resource type for this SecretBackend @@ -20,7 +21,7 @@ func (mg *SecretBackend) GetTerraformResourceType() string { // GetConnectionDetailsMapping for this SecretBackend func (tr *SecretBackend) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"bindpass": "spec.forProvider.bindpassSecretRef", "client_tls_cert": "spec.forProvider.clientTlsCertSecretRef", "client_tls_key": "spec.forProvider.clientTlsKeySecretRef"} + return map[string]string{"bindpass": "bindpassSecretRef", "client_tls_cert": "clientTlsCertSecretRef", "client_tls_key": "clientTlsKeySecretRef"} } // GetObservation of this SecretBackend 
@@ -79,94 +80,40 @@ func (tr *SecretBackend) GetInitParameters() (map[string]any, error) { return base, json.TFParser.Unmarshal(p, &base) } -// LateInitialize this SecretBackend using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { - params := &SecretBackendParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretBackend) GetTerraformSchemaVersion() int { - return 1 -} - -// GetTerraformResourceType returns Terraform resource type for this SecretRole -func (mg *SecretRole) GetTerraformResourceType() string { - return "vault_ad_secret_role" -} - -// GetConnectionDetailsMapping for this SecretRole -func (tr *SecretRole) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this SecretRole -func (tr *SecretRole) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretRole -func (tr *SecretRole) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) +// GetInitParameters of this SecretBackend +func (tr *SecretBackend) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() if err != nil { - return err + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) } - return 
json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this SecretRole -func (tr *SecretRole) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" + if !shouldMergeInitProvider { + return params, nil } - return *tr.Status.AtProvider.ID -} -// GetParameters of this SecretRole -func (tr *SecretRole) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + initParams, err := tr.GetInitParameters() if err != nil { - return nil, err + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} -// SetParameters for this SecretRole -func (tr *SecretRole) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) if err != nil { - return err + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} -// GetInitParameters of this SecretRole -func (tr *SecretRole) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) + return params, nil } -// LateInitialize this SecretRole using its observed tfState. +// LateInitialize this SecretBackend using its observed tfState. // returns True if there are any spec changes for the resource. 
-func (tr *SecretRole) LateInitialize(attrs []byte) (bool, error) { - params := &SecretRoleParameters{} +func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { + params := &SecretBackendParameters{} if err := json.TFParser.Unmarshal(attrs, params); err != nil { return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") } @@ -177,6 +124,6 @@ func (tr *SecretRole) LateInitialize(attrs []byte) (bool, error) { } // GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretRole) GetTerraformSchemaVersion() int { - return 0 +func (tr *SecretBackend) GetTerraformSchemaVersion() int { + return 1 } diff --git a/apis/ad/v1alpha1/zz_secretbackend_types.go b/apis/ad/v1alpha1/zz_secretbackend_types.go index 2a2b764a..a9cf6a84 100755 --- a/apis/ad/v1alpha1/zz_secretbackend_types.go +++ b/apis/ad/v1alpha1/zz_secretbackend_types.go @@ -29,6 +29,10 @@ type SecretBackendInitParameters struct { // Distinguished name of object to bind when performing user and group search. Binddn *string `json:"binddn,omitempty" tf:"binddn,omitempty"` + // Password to use along with binddn when performing user search. + // LDAP password for searching for the user DN. + BindpassSecretRef v1.SecretKeySelector `json:"bindpassSecretRef" tf:"-"` + // If set, user and group names assigned to policies within the // backend will be case sensitive. Otherwise, names will be normalized to lower case. // If true, case sensitivity will be used when comparing usernames and groups for matching policies. 
@@ -39,6 +43,14 @@ type SecretBackendInitParameters struct { // CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded. Certificate *string `json:"certificate,omitempty" tf:"certificate,omitempty"` + // Client certificate to provide to the LDAP server, must be x509 PEM encoded. + // Client certificate to provide to the LDAP server, must be x509 PEM encoded. + ClientTLSCertSecretRef *v1.SecretKeySelector `json:"clientTlsCertSecretRef,omitempty" tf:"-"` + + // Client certificate key to provide to the LDAP server, must be x509 PEM encoded. + // Client certificate key to provide to the LDAP server, must be x509 PEM encoded. + ClientTLSKeySecretRef *v1.SecretKeySelector `json:"clientTlsKeySecretRef,omitempty" tf:"-"` + // Default lease duration for secrets in seconds. // Default lease duration for secrets in seconds DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` @@ -61,10 +73,6 @@ type SecretBackendInitParameters struct { // Use anonymous bind to discover the bind DN of a user. Discoverdn *bool `json:"discoverdn,omitempty" tf:"discoverdn,omitempty"` - // Deprecated use password_policy. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". - // Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". - Formatter *string `json:"formatter,omitempty" tf:"formatter,omitempty"` - // LDAP attribute to follow on objects returned by in order to enumerate // user group membership. Examples: cn or memberOf, etc. Defaults to cn. // LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: "cn" or "memberOf", etc. Default: cn 
@@ -89,11 +97,6 @@ type SecretBackendInitParameters struct { // The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band. LastRotationTolerance *float64 `json:"lastRotationTolerance,omitempty" tf:"last_rotation_tolerance,omitempty"` - // Deprecated use password_policy. The desired length of passwords that Vault generates. - // Mutually exclusive with - // The desired length of passwords that Vault generates. - Length *float64 `json:"length,omitempty" tf:"length,omitempty"` - // Mark the secrets engine as local-only. Local engines are not replicated or removed by // replication.Tolerance duration to use when checking the last rotation time. // Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time. @@ -114,7 +117,7 @@ type SecretBackendInitParameters struct { // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` - // 1.11+ + // Name of the password policy to use to generate passwords. // Name of the password policy to use to generate passwords. PasswordPolicy *string `json:"passwordPolicy,omitempty" tf:"password_policy,omitempty"` 
@@ -221,10 +224,6 @@ type SecretBackendObservation struct { // Use anonymous bind to discover the bind DN of a user. Discoverdn *bool `json:"discoverdn,omitempty" tf:"discoverdn,omitempty"` - // Deprecated use password_policy. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". - // Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". - Formatter *string `json:"formatter,omitempty" tf:"formatter,omitempty"` - // LDAP attribute to follow on objects returned by in order to enumerate // user group membership. Examples: cn or memberOf, etc. Defaults to cn. // LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: "cn" or "memberOf", etc. Default: cn @@ -251,11 +250,6 @@ type SecretBackendObservation struct { // The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band. LastRotationTolerance *float64 `json:"lastRotationTolerance,omitempty" tf:"last_rotation_tolerance,omitempty"` - // Deprecated use password_policy. The desired length of passwords that Vault generates. - // Mutually exclusive with - // The desired length of passwords that Vault generates. - Length *float64 `json:"length,omitempty" tf:"length,omitempty"` - // Mark the secrets engine as local-only. Local engines are not replicated or removed by // replication.Tolerance duration to use when checking the last rotation time. // Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time. 
@@ -276,7 +270,7 @@ type SecretBackendObservation struct { // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` - // 1.11+ + // Name of the password policy to use to generate passwords. // Name of the password policy to use to generate passwords. PasswordPolicy *string `json:"passwordPolicy,omitempty" tf:"password_policy,omitempty"` @@ -408,11 +402,6 @@ type SecretBackendParameters struct { // +kubebuilder:validation:Optional Discoverdn *bool `json:"discoverdn,omitempty" tf:"discoverdn,omitempty"` - // Deprecated use password_policy. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". - // Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". - // +kubebuilder:validation:Optional - Formatter *string `json:"formatter,omitempty" tf:"formatter,omitempty"` - // LDAP attribute to follow on objects returned by in order to enumerate // user group membership. Examples: cn or memberOf, etc. Defaults to cn. // LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: "cn" or "memberOf", etc. Default: cn @@ -442,12 +431,6 @@ type SecretBackendParameters struct { // +kubebuilder:validation:Optional LastRotationTolerance *float64 `json:"lastRotationTolerance,omitempty" tf:"last_rotation_tolerance,omitempty"` - // Deprecated use password_policy. The desired length of passwords that Vault generates. - // Mutually exclusive with - // The desired length of passwords that Vault generates. - // +kubebuilder:validation:Optional - Length *float64 `json:"length,omitempty" tf:"length,omitempty"` - // Mark the secrets engine as local-only. Local engines are not replicated or removed by // replication.Tolerance duration to use when checking the last rotation time. // Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time. 
@@ -472,7 +455,7 @@ type SecretBackendParameters struct { // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` - // 1.11+ + // Name of the password policy to use to generate passwords. // Name of the password policy to use to generate passwords. // +kubebuilder:validation:Optional PasswordPolicy *string `json:"passwordPolicy,omitempty" tf:"password_policy,omitempty"` @@ -547,9 +530,8 @@ type SecretBackendParameters struct { type SecretBackendSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -568,19 +550,20 @@ type SecretBackendStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretBackend is the Schema for the SecretBackends API. Creates an Active Directory secret backend for Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretBackend struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.binddn) || has(self.initProvider.binddn)",message="binddn is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.bindpassSecretRef)",message="bindpassSecretRef is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.binddn) || (has(self.initProvider) && has(self.initProvider.binddn))",message="spec.forProvider.binddn is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies 
|| 'Update' in self.managementPolicies) || has(self.forProvider.bindpassSecretRef)",message="spec.forProvider.bindpassSecretRef is a required parameter" Spec SecretBackendSpec `json:"spec"` Status SecretBackendStatus `json:"status,omitempty"` } diff --git a/apis/ad/v1alpha1/zz_secretrole_terraformed.go b/apis/ad/v1alpha1/zz_secretrole_terraformed.go new file mode 100755 index 00000000..9f09d869 --- /dev/null +++ b/apis/ad/v1alpha1/zz_secretrole_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretRole +func (mg *SecretRole) GetTerraformResourceType() string { + return "vault_ad_secret_role" +} + +// GetConnectionDetailsMapping for this SecretRole +func (tr *SecretRole) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this SecretRole +func (tr *SecretRole) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretRole +func (tr *SecretRole) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretRole +func (tr *SecretRole) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretRole +func (tr *SecretRole) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretRole +func (tr *SecretRole) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this SecretRole +func (tr *SecretRole) GetInitParameters() (map[string]any, error) { + p, err := 
json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretRole +func (tr *SecretRole) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretRole using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *SecretRole) LateInitialize(attrs []byte) (bool, error) { + params := &SecretRoleParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretRole) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/ad/v1alpha1/zz_secretrole_types.go b/apis/ad/v1alpha1/zz_secretrole_types.go index 24e32cb5..39e2487b 100755 --- a/apis/ad/v1alpha1/zz_secretrole_types.go +++ b/apis/ad/v1alpha1/zz_secretrole_types.go @@ -18,8 +18,18 @@ type SecretRoleInitParameters struct { // The path the AD secret backend is mounted at, // with no leading or trailing /s. // The mount path for the AD backend. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/ad/v1alpha1.SecretBackend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("backend",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a SecretBackend in ad to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a SecretBackend in ad to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. 
@@ -88,9 +98,19 @@ type SecretRoleParameters struct { // The path the AD secret backend is mounted at, // with no leading or trailing /s. // The mount path for the AD backend. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/ad/v1alpha1.SecretBackend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("backend",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a SecretBackend in ad to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a SecretBackend in ad to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. @@ -122,9 +142,8 @@ type SecretRoleParameters struct { type SecretRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretRoleParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -143,20 +162,20 @@ type SecretRoleStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretRole is the Schema for the SecretRoles API. Creates a role on the Active Directory Secret Backend for Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.role) || has(self.initProvider.role)",message="role is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.serviceAccountName) || has(self.initProvider.serviceAccountName)",message="serviceAccountName is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 
'Update' in self.managementPolicies) || has(self.forProvider.role) || (has(self.initProvider) && has(self.initProvider.role))",message="spec.forProvider.role is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.serviceAccountName) || (has(self.initProvider) && has(self.initProvider.serviceAccountName))",message="spec.forProvider.serviceAccountName is a required parameter" Spec SecretRoleSpec `json:"spec"` Status SecretRoleStatus `json:"status,omitempty"` } diff --git a/apis/alicloud/v1alpha1/zz_generated_terraformed.go b/apis/alicloud/v1alpha1/zz_authbackendrole_terraformed.go similarity index 70% rename from apis/alicloud/v1alpha1/zz_generated_terraformed.go rename to apis/alicloud/v1alpha1/zz_authbackendrole_terraformed.go index 8585cd03..4edc1545 100755 --- a/apis/alicloud/v1alpha1/zz_generated_terraformed.go +++ b/apis/alicloud/v1alpha1/zz_authbackendrole_terraformed.go @@ -7,10 +7,11 @@ Copyright 2022 Upbound Inc. package v1alpha1 import ( + "dario.cat/mergo" "github.com/pkg/errors" - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" ) // GetTerraformResourceType returns Terraform resource type for this AuthBackendRole 
@@ -79,6 +80,36 @@ func (tr *AuthBackendRole) GetInitParameters() (map[string]any, error) { return base, json.TFParser.Unmarshal(p, &base) } +// GetInitParameters of this AuthBackendRole +func (tr *AuthBackendRole) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + // LateInitialize this AuthBackendRole using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackendRole) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/alicloud/v1alpha1/zz_authbackendrole_types.go b/apis/alicloud/v1alpha1/zz_authbackendrole_types.go index 6175260f..d70e2552 100755 --- a/apis/alicloud/v1alpha1/zz_authbackendrole_types.go +++ b/apis/alicloud/v1alpha1/zz_authbackendrole_types.go 
@@ -22,8 +22,18 @@ type AuthBackendRoleInitParameters struct { // Path to the mounted AliCloud auth backend. // Defaults to alicloud // Auth backend. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. @@ -40,6 +50,7 @@ type AuthBackendRoleInitParameters struct { // addresses which can authenticate successfully, and ties the resulting token to these blocks // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // If set, will encode an @@ -74,6 +85,7 @@ type AuthBackendRoleInitParameters struct { // List of policies to encode onto generated tokens. Depending // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The incremental lifetime for generated tokens in number of seconds. 
@@ -119,6 +131,7 @@ type AuthBackendRoleObservation struct { // addresses which can authenticate successfully, and ties the resulting token to these blocks // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // If set, will encode an @@ -153,6 +166,7 @@ type AuthBackendRoleObservation struct { // List of policies to encode onto generated tokens. Depending // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The incremental lifetime for generated tokens in number of seconds. @@ -179,9 +193,19 @@ type AuthBackendRoleParameters struct { // Path to the mounted AliCloud auth backend. // Defaults to alicloud // Auth backend. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. 
@@ -201,6 +225,7 @@ type AuthBackendRoleParameters struct { // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token // +kubebuilder:validation:Optional + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // If set, will encode an @@ -241,6 +266,7 @@ type AuthBackendRoleParameters struct { // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies // +kubebuilder:validation:Optional + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The incremental lifetime for generated tokens in number of seconds. @@ -263,9 +289,8 @@ type AuthBackendRoleParameters struct { type AuthBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendRoleParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -284,19 +309,20 @@ type AuthBackendRoleStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // AuthBackendRole is the Schema for the AuthBackendRoles API. Managing roles in an AliCloud auth backend in Vault -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type AuthBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.arn) || has(self.initProvider.arn)",message="arn is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.role) || has(self.initProvider.role)",message="role is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.arn) || (has(self.initProvider) && has(self.initProvider.arn))",message="spec.forProvider.arn is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 
'Update' in self.managementPolicies) || has(self.forProvider.role) || (has(self.initProvider) && has(self.initProvider.role))",message="spec.forProvider.role is a required parameter" Spec AuthBackendRoleSpec `json:"spec"` Status AuthBackendRoleStatus `json:"status,omitempty"` } diff --git a/apis/alicloud/v1alpha1/zz_generated.conversion_hubs.go b/apis/alicloud/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..ee678741 --- /dev/null +++ b/apis/alicloud/v1alpha1/zz_generated.conversion_hubs.go @@ -0,0 +1,10 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *AuthBackendRole) Hub() {} diff --git a/apis/alicloud/v1alpha1/zz_generated.deepcopy.go b/apis/alicloud/v1alpha1/zz_generated.deepcopy.go index 811d680a..bbeb7492 100644 --- a/apis/alicloud/v1alpha1/zz_generated.deepcopy.go +++ b/apis/alicloud/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. @@ -10,6 +9,7 @@ Copyright 2022 Upbound Inc. package v1alpha1 import ( + "github.com/crossplane/crossplane-runtime/apis/common/v1" runtime "k8s.io/apimachinery/pkg/runtime" ) @@ -53,6 +53,16 @@ func (in *AuthBackendRoleInitParameters) DeepCopyInto(out *AuthBackendRoleInitPa *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) 
@@ -274,6 +284,16 @@ func (in *AuthBackendRoleParameters) DeepCopyInto(out *AuthBackendRoleParameters *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) diff --git a/apis/alicloud/v1alpha1/zz_generated.managed.go b/apis/alicloud/v1alpha1/zz_generated.managed.go index 836c358b..e2e30b5e 100644 --- a/apis/alicloud/v1alpha1/zz_generated.managed.go +++ b/apis/alicloud/v1alpha1/zz_generated.managed.go @@ -27,14 +27,6 @@ func (mg *AuthBackendRole) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this AuthBackendRole. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *AuthBackendRole) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this AuthBackendRole. func (mg *AuthBackendRole) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -65,14 +57,6 @@ func (mg *AuthBackendRole) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this AuthBackendRole. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *AuthBackendRole) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this AuthBackendRole. func (mg *AuthBackendRole) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/alicloud/v1alpha1/zz_generated.resolvers.go b/apis/alicloud/v1alpha1/zz_generated.resolvers.go new file mode 100644 index 00000000..01f01ac4 --- /dev/null 
+++ b/apis/alicloud/v1alpha1/zz_generated.resolvers.go @@ -0,0 +1,57 @@ +/* +Copyright 2022 Upbound Inc. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + reference "github.com/crossplane/crossplane-runtime/pkg/reference" + resource "github.com/crossplane/upjet/pkg/resource" + errors "github.com/pkg/errors" + v1alpha1 "github.com/upbound/provider-vault/apis/auth/v1alpha1" + client "sigs.k8s.io/controller-runtime/pkg/client" +) + +// ResolveReferences of this AuthBackendRole. +func (mg *AuthBackendRole) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} 
diff --git a/apis/approle/v1alpha1/zz_authbackendlogin_terraformed.go b/apis/approle/v1alpha1/zz_authbackendlogin_terraformed.go new file mode 100755 index 00000000..bb2c6992 --- /dev/null +++ b/apis/approle/v1alpha1/zz_authbackendlogin_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this AuthBackendLogin +func (mg *AuthBackendLogin) GetTerraformResourceType() string { + return "vault_approle_auth_backend_login" +} + +// GetConnectionDetailsMapping for this AuthBackendLogin +func (tr *AuthBackendLogin) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"client_token": "status.atProvider.clientToken", "secret_id": "secretIdSecretRef"} +} + +// GetObservation of this AuthBackendLogin +func (tr *AuthBackendLogin) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this AuthBackendLogin +func (tr *AuthBackendLogin) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this AuthBackendLogin +func (tr *AuthBackendLogin) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this AuthBackendLogin +func (tr *AuthBackendLogin) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this AuthBackendLogin +func (tr *AuthBackendLogin) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return 
json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this AuthBackendLogin +func (tr *AuthBackendLogin) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this AuthBackendLogin +func (tr *AuthBackendLogin) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this AuthBackendLogin using its observed tfState. +// returns True if there are any spec changes for the resource. 
+func (tr *AuthBackendLogin) LateInitialize(attrs []byte) (bool, error) { + params := &AuthBackendLoginParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *AuthBackendLogin) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/approle/v1alpha1/zz_authbackendlogin_types.go b/apis/approle/v1alpha1/zz_authbackendlogin_types.go index 61d6e81a..12e9129c 100755 --- a/apis/approle/v1alpha1/zz_authbackendlogin_types.go +++ b/apis/approle/v1alpha1/zz_authbackendlogin_types.go @@ -17,8 +17,18 @@ type AuthBackendLoginInitParameters struct { // The unique path of the Vault backend to log in with. // Unique name of the auth backend to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. 
@@ -28,7 +38,22 @@ type AuthBackendLoginInitParameters struct { // The ID of the role to log in with. // The RoleID to log in with. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/approle/v1alpha1.AuthBackendRole + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("role_id",false) RoleID *string `json:"roleId,omitempty" tf:"role_id,omitempty"` + + // Reference to a AuthBackendRole in approle to populate roleId. + // +kubebuilder:validation:Optional + RoleIDRef *v1.Reference `json:"roleIdRef,omitempty" tf:"-"` + + // Selector for a AuthBackendRole in approle to populate roleId. + // +kubebuilder:validation:Optional + RoleIDSelector *v1.Selector `json:"roleIdSelector,omitempty" tf:"-"` + + // The secret ID of the role to log in with. Required + // unless bind_secret_id is set to false on the role. + // The SecretID to log in with. + SecretIDSecretRef *v1.SecretKeySelector `json:"secretIdSecretRef,omitempty" tf:"-"` } type AuthBackendLoginObservation struct { @@ -52,6 +77,7 @@ type AuthBackendLoginObservation struct { // The metadata associated with the token. // Metadata associated with the token. + // +mapType=granular Metadata map[string]*string `json:"metadata,omitempty" tf:"metadata,omitempty"` // The namespace to provision the resource in. 
@@ -78,9 +104,19 @@ type AuthBackendLoginParameters struct { // The unique path of the Vault backend to log in with. // Unique name of the auth backend to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. @@ -91,9 +127,19 @@ type AuthBackendLoginParameters struct { // The ID of the role to log in with. // The RoleID to log in with. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/approle/v1alpha1.AuthBackendRole + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("role_id",false) // +kubebuilder:validation:Optional RoleID *string `json:"roleId,omitempty" tf:"role_id,omitempty"` + // Reference to a AuthBackendRole in approle to populate roleId. + // +kubebuilder:validation:Optional + RoleIDRef *v1.Reference `json:"roleIdRef,omitempty" tf:"-"` + + // Selector for a AuthBackendRole in approle to populate roleId. + // +kubebuilder:validation:Optional + RoleIDSelector *v1.Selector `json:"roleIdSelector,omitempty" tf:"-"` + // The secret ID of the role to log in with. Required // unless bind_secret_id is set to false on the role. // The SecretID to log in with. 
@@ -105,9 +151,8 @@ type AuthBackendLoginParameters struct { type AuthBackendLoginSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendLoginParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -126,20 +171,20 @@ type AuthBackendLoginStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // AuthBackendLogin is the Schema for the AuthBackendLogins API. Log into Vault using the AppRole auth backend. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type AuthBackendLogin struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.roleId) || has(self.initProvider.roleId)",message="roleId is a required parameter" - Spec AuthBackendLoginSpec `json:"spec"` - Status AuthBackendLoginStatus `json:"status,omitempty"` + Spec AuthBackendLoginSpec `json:"spec"` + Status AuthBackendLoginStatus `json:"status,omitempty"` } // +kubebuilder:object:root=true diff --git a/apis/approle/v1alpha1/zz_authbackendrole_terraformed.go b/apis/approle/v1alpha1/zz_authbackendrole_terraformed.go new file mode 100755 index 00000000..8bf7cff9 --- /dev/null +++ b/apis/approle/v1alpha1/zz_authbackendrole_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this AuthBackendRole +func (mg *AuthBackendRole) GetTerraformResourceType() string { + return "vault_approle_auth_backend_role" +} + +// GetConnectionDetailsMapping for this AuthBackendRole +func (tr *AuthBackendRole) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this AuthBackendRole +func (tr *AuthBackendRole) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this AuthBackendRole +func (tr *AuthBackendRole) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this AuthBackendRole +func (tr *AuthBackendRole) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this AuthBackendRole +func (tr *AuthBackendRole) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this AuthBackendRole +func (tr *AuthBackendRole) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this AuthBackendRole +func (tr 
*AuthBackendRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this AuthBackendRole +func (tr *AuthBackendRole) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this AuthBackendRole using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *AuthBackendRole) LateInitialize(attrs []byte) (bool, error) { + params := &AuthBackendRoleParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *AuthBackendRole) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/approle/v1alpha1/zz_authbackendrole_types.go b/apis/approle/v1alpha1/zz_authbackendrole_types.go index 107dbef9..96ac6268 100755 --- a/apis/approle/v1alpha1/zz_authbackendrole_types.go +++ b/apis/approle/v1alpha1/zz_authbackendrole_types.go @@ -18,8 +18,18 @@ type AuthBackendRoleInitParameters struct { // The unique name of the auth backend to configure. // Defaults to approle. // Unique name of the auth backend to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Whether or not to require secret_id to be // presented when logging in using this AppRole. Defaults to true. // Whether or not to require secret_id to be present when logging in using this AppRole. @@ -44,6 +54,7 @@ type AuthBackendRoleInitParameters struct { // If set, // specifies blocks of IP addresses which can perform the login operation. // List of CIDR blocks that can log in using the AppRole. + // +listType=set SecretIDBoundCidrs []*string `json:"secretIdBoundCidrs,omitempty" tf:"secret_id_bound_cidrs,omitempty"` // The number of times any particular SecretID 
@@ -61,6 +72,7 @@ type AuthBackendRoleInitParameters struct { // addresses which can authenticate successfully, and ties the resulting token to these blocks // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // If set, will encode an @@ -95,6 +107,7 @@ type AuthBackendRoleInitParameters struct { // List of policies to encode onto generated tokens. Depending // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The incremental lifetime for generated tokens in number of seconds. @@ -144,6 +157,7 @@ type AuthBackendRoleObservation struct { // If set, // specifies blocks of IP addresses which can perform the login operation. // List of CIDR blocks that can log in using the AppRole. + // +listType=set SecretIDBoundCidrs []*string `json:"secretIdBoundCidrs,omitempty" tf:"secret_id_bound_cidrs,omitempty"` // The number of times any particular SecretID @@ -161,6 +175,7 @@ type AuthBackendRoleObservation struct { // addresses which can authenticate successfully, and ties the resulting token to these blocks // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // If set, will encode an @@ -195,6 +210,7 @@ type AuthBackendRoleObservation struct { // List of policies to encode onto generated tokens. Depending // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The incremental lifetime for generated tokens in number of seconds. 
@@ -216,9 +232,19 @@ type AuthBackendRoleParameters struct { // The unique name of the auth backend to configure. // Defaults to approle. // Unique name of the auth backend to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Whether or not to require secret_id to be // presented when logging in using this AppRole. Defaults to true. // Whether or not to require secret_id to be present when logging in using this AppRole. @@ -248,6 +274,7 @@ type AuthBackendRoleParameters struct { // specifies blocks of IP addresses which can perform the login operation. // List of CIDR blocks that can log in using the AppRole. // +kubebuilder:validation:Optional + // +listType=set SecretIDBoundCidrs []*string `json:"secretIdBoundCidrs,omitempty" tf:"secret_id_bound_cidrs,omitempty"` // The number of times any particular SecretID @@ -268,6 +295,7 @@ type AuthBackendRoleParameters struct { // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token // +kubebuilder:validation:Optional + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // If set, will encode an 
@@ -308,6 +336,7 @@ type AuthBackendRoleParameters struct { // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies // +kubebuilder:validation:Optional + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The incremental lifetime for generated tokens in number of seconds. @@ -330,9 +359,8 @@ type AuthBackendRoleParameters struct { type AuthBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendRoleParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -351,18 +379,19 @@ type AuthBackendRoleStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // AuthBackendRole is the Schema for the AuthBackendRoles API. Manages AppRole auth backend roles in Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type AuthBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.roleName) || has(self.initProvider.roleName)",message="roleName is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.roleName) || (has(self.initProvider) && has(self.initProvider.roleName))",message="spec.forProvider.roleName is a required parameter" Spec AuthBackendRoleSpec `json:"spec"` Status AuthBackendRoleStatus `json:"status,omitempty"` } diff --git a/apis/approle/v1alpha1/zz_authbackendrolesecretid_terraformed.go b/apis/approle/v1alpha1/zz_authbackendrolesecretid_terraformed.go new file mode 100755 index 00000000..80ffca31 --- /dev/null 
+++ b/apis/approle/v1alpha1/zz_authbackendrolesecretid_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this AuthBackendRoleSecretID +func (mg *AuthBackendRoleSecretID) GetTerraformResourceType() string { + return "vault_approle_auth_backend_role_secret_id" +} + +// GetConnectionDetailsMapping for this AuthBackendRoleSecretID +func (tr *AuthBackendRoleSecretID) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"secret_id": "secretIdSecretRef", "wrapping_token": "status.atProvider.wrappingToken"} +} + +// GetObservation of this AuthBackendRoleSecretID +func (tr *AuthBackendRoleSecretID) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this AuthBackendRoleSecretID +func (tr *AuthBackendRoleSecretID) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this AuthBackendRoleSecretID +func (tr *AuthBackendRoleSecretID) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this AuthBackendRoleSecretID +func (tr *AuthBackendRoleSecretID) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this AuthBackendRoleSecretID +func (tr *AuthBackendRoleSecretID) SetParameters(params 
map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this AuthBackendRoleSecretID +func (tr *AuthBackendRoleSecretID) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this AuthBackendRoleSecretID +func (tr *AuthBackendRoleSecretID) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this AuthBackendRoleSecretID using its observed tfState. +// returns True if there are any spec changes for the resource. 
+func (tr *AuthBackendRoleSecretID) LateInitialize(attrs []byte) (bool, error) { + params := &AuthBackendRoleSecretIDParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *AuthBackendRoleSecretID) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/approle/v1alpha1/zz_authbackendrolesecretid_types.go b/apis/approle/v1alpha1/zz_authbackendrolesecretid_types.go index dc2d8729..b3f080c3 100755 --- a/apis/approle/v1alpha1/zz_authbackendrolesecretid_types.go +++ b/apis/approle/v1alpha1/zz_authbackendrolesecretid_types.go 
@@ -16,11 +16,22 @@ import ( type AuthBackendRoleSecretIDInitParameters struct { // Unique name of the auth backend to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // If set, specifies blocks of IP addresses which can // perform the login operation using this SecretID. // List of CIDR blocks that can log in using the SecretID. + // +listType=set CidrList []*string `json:"cidrList,omitempty" tf:"cidr_list,omitempty"` // A JSON-encoded string containing metadata in 
@@ -37,8 +48,23 @@ type AuthBackendRoleSecretIDInitParameters struct { // The name of the role to create the SecretID for. // Name of the role. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/approle/v1alpha1.AuthBackendRole + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("role_name",false) RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"` + // Reference to a AuthBackendRole in approle to populate roleName. + // +kubebuilder:validation:Optional + RoleNameRef *v1.Reference `json:"roleNameRef,omitempty" tf:"-"` + + // Selector for a AuthBackendRole in approle to populate roleName. + // +kubebuilder:validation:Optional + RoleNameSelector *v1.Selector `json:"roleNameSelector,omitempty" tf:"-"` + + // The SecretID to be created. If set, uses "Push" + // mode. Defaults to Vault auto-generating SecretIDs. + // The SecretID to be managed. If not specified, Vault auto-generates one. + SecretIDSecretRef *v1.SecretKeySelector `json:"secretIdSecretRef,omitempty" tf:"-"` + // Set to true to use the wrapped secret-id accessor as the resource ID. // If false (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or // invalidated through unwrapping. @@ -65,6 +91,7 @@ type AuthBackendRoleSecretIDObservation struct { // If set, specifies blocks of IP addresses which can // perform the login operation using this SecretID. // List of CIDR blocks that can log in using the SecretID. + // +listType=set CidrList []*string `json:"cidrList,omitempty" tf:"cidr_list,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` 
@@ -107,13 +134,24 @@ type AuthBackendRoleSecretIDObservation struct { type AuthBackendRoleSecretIDParameters struct { // Unique name of the auth backend to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // If set, specifies blocks of IP addresses which can // perform the login operation using this SecretID. // List of CIDR blocks that can log in using the SecretID. // +kubebuilder:validation:Optional + // +listType=set CidrList []*string `json:"cidrList,omitempty" tf:"cidr_list,omitempty"` // A JSON-encoded string containing metadata in 
@@ -132,9 +170,19 @@ type AuthBackendRoleSecretIDParameters struct { // The name of the role to create the SecretID for. // Name of the role. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/approle/v1alpha1.AuthBackendRole + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("role_name",false) // +kubebuilder:validation:Optional RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"` + // Reference to a AuthBackendRole in approle to populate roleName. + // +kubebuilder:validation:Optional + RoleNameRef *v1.Reference `json:"roleNameRef,omitempty" tf:"-"` + + // Selector for a AuthBackendRole in approle to populate roleName. + // +kubebuilder:validation:Optional + RoleNameSelector *v1.Selector `json:"roleNameSelector,omitempty" tf:"-"` + // The SecretID to be created. If set, uses "Push" // mode. Defaults to Vault auto-generating SecretIDs. // The SecretID to be managed. If not specified, Vault auto-generates one. @@ -161,9 +209,8 @@ type AuthBackendRoleSecretIDParameters struct { type AuthBackendRoleSecretIDSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendRoleSecretIDParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -182,20 +229,20 @@ type AuthBackendRoleSecretIDStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // AuthBackendRoleSecretID is the Schema for the AuthBackendRoleSecretIDs API. Manages AppRole auth backend role SecretIDs in Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type AuthBackendRoleSecretID struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.roleName) || has(self.initProvider.roleName)",message="roleName is a required parameter" - Spec AuthBackendRoleSecretIDSpec `json:"spec"` - Status AuthBackendRoleSecretIDStatus `json:"status,omitempty"` + Spec AuthBackendRoleSecretIDSpec `json:"spec"` + Status AuthBackendRoleSecretIDStatus `json:"status,omitempty"` } // +kubebuilder:object:root=true diff --git a/apis/approle/v1alpha1/zz_generated.conversion_hubs.go b/apis/approle/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..ada343fe --- /dev/null +++ b/apis/approle/v1alpha1/zz_generated.conversion_hubs.go 
@@ -0,0 +1,16 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *AuthBackendLogin) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *AuthBackendRole) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *AuthBackendRoleSecretID) Hub() {} diff --git a/apis/approle/v1alpha1/zz_generated.deepcopy.go b/apis/approle/v1alpha1/zz_generated.deepcopy.go index cb611e91..43133416 100644 --- a/apis/approle/v1alpha1/zz_generated.deepcopy.go +++ b/apis/approle/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. @@ -49,6 +48,16 @@ func (in *AuthBackendLoginInitParameters) DeepCopyInto(out *AuthBackendLoginInit *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) @@ -59,6 +68,21 @@ func (in *AuthBackendLoginInitParameters) DeepCopyInto(out *AuthBackendLoginInit *out = new(string) **out = **in } + if in.RoleIDRef != nil { + in, out := &in.RoleIDRef, &out.RoleIDRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.RoleIDSelector != nil { + in, out := &in.RoleIDSelector, &out.RoleIDSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } + if in.SecretIDSecretRef != nil { + in, out := &in.SecretIDSecretRef, &out.SecretIDSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendLoginInitParameters. 
@@ -139,7 +163,8 @@ func (in *AuthBackendLoginObservation) DeepCopyInto(out *AuthBackendLoginObserva if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -192,6 +217,16 @@ func (in *AuthBackendLoginParameters) DeepCopyInto(out *AuthBackendLoginParamete *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) @@ -202,6 +237,16 @@ func (in *AuthBackendLoginParameters) DeepCopyInto(out *AuthBackendLoginParamete *out = new(string) **out = **in } + if in.RoleIDRef != nil { + in, out := &in.RoleIDRef, &out.RoleIDRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.RoleIDSelector != nil { + in, out := &in.RoleIDSelector, &out.RoleIDSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.SecretIDSecretRef != nil { in, out := &in.SecretIDSecretRef, &out.SecretIDSecretRef *out = new(v1.SecretKeySelector) @@ -289,6 +334,16 @@ func (in *AuthBackendRoleInitParameters) DeepCopyInto(out *AuthBackendRoleInitPa *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.BindSecretID != nil { in, out := &in.BindSecretID, &out.BindSecretID *out = new(bool) 
@@ -562,6 +617,16 @@ func (in *AuthBackendRoleParameters) DeepCopyInto(out *AuthBackendRoleParameters *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.BindSecretID != nil { in, out := &in.BindSecretID, &out.BindSecretID *out = new(bool) @@ -707,6 +772,16 @@ func (in *AuthBackendRoleSecretIDInitParameters) DeepCopyInto(out *AuthBackendRo *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.CidrList != nil { in, out := &in.CidrList, &out.CidrList *out = make([]*string, len(*in)) @@ -733,6 +808,21 @@ func (in *AuthBackendRoleSecretIDInitParameters) DeepCopyInto(out *AuthBackendRo *out = new(string) **out = **in } + if in.RoleNameRef != nil { + in, out := &in.RoleNameRef, &out.RoleNameRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.RoleNameSelector != nil { + in, out := &in.RoleNameSelector, &out.RoleNameSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } + if in.SecretIDSecretRef != nil { + in, out := &in.SecretIDSecretRef, &out.SecretIDSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.WithWrappedAccessor != nil { in, out := &in.WithWrappedAccessor, &out.WithWrappedAccessor *out = new(bool) 
@@ -866,6 +956,16 @@ func (in *AuthBackendRoleSecretIDParameters) DeepCopyInto(out *AuthBackendRoleSe *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.CidrList != nil { in, out := &in.CidrList, &out.CidrList *out = make([]*string, len(*in)) @@ -892,6 +992,16 @@ func (in *AuthBackendRoleSecretIDParameters) DeepCopyInto(out *AuthBackendRoleSe *out = new(string) **out = **in } + if in.RoleNameRef != nil { + in, out := &in.RoleNameRef, &out.RoleNameRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.RoleNameSelector != nil { + in, out := &in.RoleNameSelector, &out.RoleNameSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.SecretIDSecretRef != nil { in, out := &in.SecretIDSecretRef, &out.SecretIDSecretRef *out = new(v1.SecretKeySelector) diff --git a/apis/approle/v1alpha1/zz_generated.managed.go b/apis/approle/v1alpha1/zz_generated.managed.go index c4f83732..3c443c39 100644 --- a/apis/approle/v1alpha1/zz_generated.managed.go +++ b/apis/approle/v1alpha1/zz_generated.managed.go @@ -27,14 +27,6 @@ func (mg *AuthBackendLogin) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this AuthBackendLogin. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *AuthBackendLogin) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this AuthBackendLogin. func (mg *AuthBackendLogin) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -65,14 +57,6 @@ func (mg *AuthBackendLogin) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this AuthBackendLogin. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *AuthBackendLogin) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this AuthBackendLogin. func (mg *AuthBackendLogin) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -103,14 +87,6 @@ func (mg *AuthBackendRole) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this AuthBackendRole. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *AuthBackendRole) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this AuthBackendRole. func (mg *AuthBackendRole) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -141,14 +117,6 @@ func (mg *AuthBackendRole) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this AuthBackendRole. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *AuthBackendRole) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this AuthBackendRole. func (mg *AuthBackendRole) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r 
@@ -179,14 +147,6 @@ func (mg *AuthBackendRoleSecretID) GetProviderConfigReference() *xpv1.Reference return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this AuthBackendRoleSecretID. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *AuthBackendRoleSecretID) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this AuthBackendRoleSecretID. func (mg *AuthBackendRoleSecretID) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -217,14 +177,6 @@ func (mg *AuthBackendRoleSecretID) SetProviderConfigReference(r *xpv1.Reference) mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this AuthBackendRoleSecretID. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *AuthBackendRoleSecretID) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this AuthBackendRoleSecretID. func (mg *AuthBackendRoleSecretID) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/approle/v1alpha1/zz_generated.resolvers.go b/apis/approle/v1alpha1/zz_generated.resolvers.go new file mode 100644 index 00000000..658be71d --- /dev/null +++ b/apis/approle/v1alpha1/zz_generated.resolvers.go 
@@ -0,0 +1,205 @@ +/* +Copyright 2022 Upbound Inc. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + reference "github.com/crossplane/crossplane-runtime/pkg/reference" + resource "github.com/crossplane/upjet/pkg/resource" + errors "github.com/pkg/errors" + v1alpha1 "github.com/upbound/provider-vault/apis/auth/v1alpha1" + client "sigs.k8s.io/controller-runtime/pkg/client" +) + +// ResolveReferences of this AuthBackendLogin. +func (mg *AuthBackendLogin) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.RoleID), + Extract: resource.ExtractParamPath("role_id", false), + Reference: mg.Spec.ForProvider.RoleIDRef, + Selector: mg.Spec.ForProvider.RoleIDSelector, + To: reference.To{ + List: &AuthBackendRoleList{}, + Managed: &AuthBackendRole{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.RoleID") + } + mg.Spec.ForProvider.RoleID = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.RoleIDRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + 
Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.RoleID), + Extract: resource.ExtractParamPath("role_id", false), + Reference: mg.Spec.InitProvider.RoleIDRef, + Selector: mg.Spec.InitProvider.RoleIDSelector, + To: reference.To{ + List: &AuthBackendRoleList{}, + Managed: &AuthBackendRole{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.RoleID") + } + mg.Spec.InitProvider.RoleID = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.RoleIDRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this AuthBackendRole. 
+func (mg *AuthBackendRole) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this AuthBackendRoleSecretID. 
+func (mg *AuthBackendRoleSecretID) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.RoleName), + Extract: resource.ExtractParamPath("role_name", false), + Reference: mg.Spec.ForProvider.RoleNameRef, + Selector: mg.Spec.ForProvider.RoleNameSelector, + To: reference.To{ + List: &AuthBackendRoleList{}, + Managed: &AuthBackendRole{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.RoleName") + } + mg.Spec.ForProvider.RoleName = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.RoleNameRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, 
reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.RoleName), + Extract: resource.ExtractParamPath("role_name", false), + Reference: mg.Spec.InitProvider.RoleNameRef, + Selector: mg.Spec.InitProvider.RoleNameSelector, + To: reference.To{ + List: &AuthBackendRoleList{}, + Managed: &AuthBackendRole{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.RoleName") + } + mg.Spec.InitProvider.RoleName = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.RoleNameRef = rsp.ResolvedReference + + return nil +} diff --git a/apis/approle/v1alpha1/zz_generated_terraformed.go b/apis/approle/v1alpha1/zz_generated_terraformed.go deleted file mode 100755 index cd38d6ee..00000000 --- a/apis/approle/v1alpha1/zz_generated_terraformed.go +++ /dev/null 
@@ -1,266 +0,0 @@ -/* -Copyright 2022 Upbound Inc. -*/ - -// Code generated by upjet. DO NOT EDIT. - -package v1alpha1 - -import ( - "github.com/pkg/errors" - - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" -) - -// GetTerraformResourceType returns Terraform resource type for this AuthBackendLogin -func (mg *AuthBackendLogin) GetTerraformResourceType() string { - return "vault_approle_auth_backend_login" -} - -// GetConnectionDetailsMapping for this AuthBackendLogin -func (tr *AuthBackendLogin) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"client_token": "status.atProvider.clientToken", "secret_id": "spec.forProvider.secretIdSecretRef"} -} - -// GetObservation of this AuthBackendLogin -func (tr *AuthBackendLogin) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this AuthBackendLogin -func (tr *AuthBackendLogin) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this AuthBackendLogin -func (tr *AuthBackendLogin) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this AuthBackendLogin -func (tr *AuthBackendLogin) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this AuthBackendLogin -func (tr *AuthBackendLogin) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return 
json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this AuthBackendLogin -func (tr *AuthBackendLogin) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this AuthBackendLogin using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *AuthBackendLogin) LateInitialize(attrs []byte) (bool, error) { - params := &AuthBackendLoginParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *AuthBackendLogin) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this AuthBackendRole -func (mg *AuthBackendRole) GetTerraformResourceType() string { - return "vault_approle_auth_backend_role" -} - -// GetConnectionDetailsMapping for this AuthBackendRole -func (tr *AuthBackendRole) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this AuthBackendRole -func (tr *AuthBackendRole) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this AuthBackendRole -func (tr *AuthBackendRole) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } 
- return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this AuthBackendRole -func (tr *AuthBackendRole) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this AuthBackendRole -func (tr *AuthBackendRole) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this AuthBackendRole -func (tr *AuthBackendRole) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this AuthBackendRole -func (tr *AuthBackendRole) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this AuthBackendRole using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *AuthBackendRole) LateInitialize(attrs []byte) (bool, error) { - params := &AuthBackendRoleParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *AuthBackendRole) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this AuthBackendRoleSecretID -func (mg *AuthBackendRoleSecretID) GetTerraformResourceType() string { - return "vault_approle_auth_backend_role_secret_id" -} - -// GetConnectionDetailsMapping for this AuthBackendRoleSecretID -func (tr *AuthBackendRoleSecretID) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"secret_id": "spec.forProvider.secretIdSecretRef", "wrapping_token": "status.atProvider.wrappingToken"} -} - -// GetObservation of this AuthBackendRoleSecretID -func (tr *AuthBackendRoleSecretID) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this AuthBackendRoleSecretID -func (tr *AuthBackendRoleSecretID) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this AuthBackendRoleSecretID -func (tr *AuthBackendRoleSecretID) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this AuthBackendRoleSecretID -func (tr *AuthBackendRoleSecretID) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this AuthBackendRoleSecretID -func (tr *AuthBackendRoleSecretID) SetParameters(params map[string]any) error { - p, err := 
json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this AuthBackendRoleSecretID -func (tr *AuthBackendRoleSecretID) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this AuthBackendRoleSecretID using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *AuthBackendRoleSecretID) LateInitialize(attrs []byte) (bool, error) { - params := &AuthBackendRoleSecretIDParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *AuthBackendRoleSecretID) GetTerraformSchemaVersion() int { - return 0 -} diff --git a/apis/audit/v1alpha1/zz_generated.conversion_hubs.go b/apis/audit/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..e499d6b6 --- /dev/null +++ b/apis/audit/v1alpha1/zz_generated.conversion_hubs.go @@ -0,0 +1,10 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *RequestHeader) Hub() {} diff --git a/apis/audit/v1alpha1/zz_generated.deepcopy.go b/apis/audit/v1alpha1/zz_generated.deepcopy.go index cfd34743..781cda81 100644 --- a/apis/audit/v1alpha1/zz_generated.deepcopy.go +++ b/apis/audit/v1alpha1/zz_generated.deepcopy.go 
@@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. diff --git a/apis/audit/v1alpha1/zz_generated.managed.go b/apis/audit/v1alpha1/zz_generated.managed.go index 8a9203bb..36b6e31a 100644 --- a/apis/audit/v1alpha1/zz_generated.managed.go +++ b/apis/audit/v1alpha1/zz_generated.managed.go @@ -27,14 +27,6 @@ func (mg *RequestHeader) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this RequestHeader. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *RequestHeader) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this RequestHeader. func (mg *RequestHeader) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -65,14 +57,6 @@ func (mg *RequestHeader) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this RequestHeader. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *RequestHeader) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this RequestHeader. func (mg *RequestHeader) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/audit/v1alpha1/zz_generated_terraformed.go b/apis/audit/v1alpha1/zz_requestheader_terraformed.go similarity index 70% rename from apis/audit/v1alpha1/zz_generated_terraformed.go rename to apis/audit/v1alpha1/zz_requestheader_terraformed.go index c83cd2ab..bad52a6d 100755 --- a/apis/audit/v1alpha1/zz_generated_terraformed.go +++ b/apis/audit/v1alpha1/zz_requestheader_terraformed.go 
@@ -7,10 +7,11 @@ Copyright 2022 Upbound Inc. package v1alpha1 import ( + "dario.cat/mergo" "github.com/pkg/errors" - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" ) // GetTerraformResourceType returns Terraform resource type for this RequestHeader @@ -79,6 +80,36 @@ func (tr *RequestHeader) GetInitParameters() (map[string]any, error) { return base, json.TFParser.Unmarshal(p, &base) } +// GetInitParameters of this RequestHeader +func (tr *RequestHeader) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + // LateInitialize this RequestHeader using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *RequestHeader) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/audit/v1alpha1/zz_requestheader_types.go b/apis/audit/v1alpha1/zz_requestheader_types.go index 6edbb4cf..e8ade372 100755 
--- a/apis/audit/v1alpha1/zz_requestheader_types.go +++ b/apis/audit/v1alpha1/zz_requestheader_types.go @@ -64,9 +64,8 @@ type RequestHeaderParameters struct { type RequestHeaderSpec struct { v1.ResourceSpec `json:",inline"` ForProvider RequestHeaderParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -85,18 +84,19 @@ type RequestHeaderStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // RequestHeader is the Schema for the RequestHeaders API. Manages audited request headers in Vault -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type RequestHeader struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" Spec RequestHeaderSpec `json:"spec"` Status RequestHeaderStatus `json:"status,omitempty"` } diff --git a/apis/auth/v1alpha1/zz_generated_terraformed.go b/apis/auth/v1alpha1/zz_backend_terraformed.go similarity index 69% rename from apis/auth/v1alpha1/zz_generated_terraformed.go rename to apis/auth/v1alpha1/zz_backend_terraformed.go index 774e1d2d..5a63b425 100755 
--- a/apis/auth/v1alpha1/zz_generated_terraformed.go +++ b/apis/auth/v1alpha1/zz_backend_terraformed.go @@ -7,10 +7,11 @@ Copyright 2022 Upbound Inc. package v1alpha1 import ( + "dario.cat/mergo" "github.com/pkg/errors" - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" ) // GetTerraformResourceType returns Terraform resource type for this Backend @@ -79,6 +80,36 @@ func (tr *Backend) GetInitParameters() (map[string]any, error) { return base, json.TFParser.Unmarshal(p, &base) } +// GetInitParameters of this Backend +func (tr *Backend) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + // LateInitialize this Backend using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *Backend) LateInitialize(attrs []byte) (bool, error) { 
diff --git a/apis/auth/v1alpha1/zz_backend_types.go b/apis/auth/v1alpha1/zz_backend_types.go index 1e76eb88..980c3220 100755 --- a/apis/auth/v1alpha1/zz_backend_types.go +++ b/apis/auth/v1alpha1/zz_backend_types.go @@ -21,6 +21,9 @@ type BackendInitParameters struct { // If set, opts out of mount migration on path updates. DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + // The key to use for signing identity tokens. + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + // Specifies if the auth method is local only Local *bool `json:"local,omitempty" tf:"local,omitempty"` @@ -53,6 +56,9 @@ type BackendObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The key to use for signing identity tokens. + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + // Specifies if the auth method is local only Local *bool `json:"local,omitempty" tf:"local,omitempty"` @@ -82,6 +88,10 @@ type BackendParameters struct { // +kubebuilder:validation:Optional DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + // The key to use for signing identity tokens. + // +kubebuilder:validation:Optional + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + // Specifies if the auth method is local only // +kubebuilder:validation:Optional Local *bool `json:"local,omitempty" tf:"local,omitempty"` 
@@ -188,9 +198,8 @@ type TuneParameters struct { type BackendSpec struct { v1.ResourceSpec `json:",inline"` ForProvider BackendParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -209,18 +218,19 @@ type BackendStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // Backend is the Schema for the Backends API. Managing roles in an Cert auth backend in Vault -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type Backend struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.type) || has(self.initProvider.type)",message="type is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.type) || (has(self.initProvider) && has(self.initProvider.type))",message="spec.forProvider.type is a required parameter" Spec BackendSpec `json:"spec"` Status BackendStatus `json:"status,omitempty"` } diff --git a/apis/auth/v1alpha1/zz_generated.conversion_hubs.go b/apis/auth/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..bbb935f2 --- /dev/null +++ b/apis/auth/v1alpha1/zz_generated.conversion_hubs.go 
@@ -0,0 +1,10 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *Backend) Hub() {} diff --git a/apis/auth/v1alpha1/zz_generated.deepcopy.go b/apis/auth/v1alpha1/zz_generated.deepcopy.go index 1eb5e9be..c1a39432 100644 --- a/apis/auth/v1alpha1/zz_generated.deepcopy.go +++ b/apis/auth/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. @@ -53,6 +52,11 @@ func (in *BackendInitParameters) DeepCopyInto(out *BackendInitParameters) { *out = new(bool) **out = **in } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) @@ -147,6 +151,11 @@ func (in *BackendObservation) DeepCopyInto(out *BackendObservation) { *out = new(string) **out = **in } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) @@ -199,6 +208,11 @@ func (in *BackendParameters) DeepCopyInto(out *BackendParameters) { *out = new(bool) **out = **in } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) diff --git a/apis/auth/v1alpha1/zz_generated.managed.go b/apis/auth/v1alpha1/zz_generated.managed.go index 305ee420..30838c22 100644 --- a/apis/auth/v1alpha1/zz_generated.managed.go +++ b/apis/auth/v1alpha1/zz_generated.managed.go 
@@ -27,14 +27,6 @@ func (mg *Backend) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this Backend. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *Backend) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this Backend. func (mg *Backend) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -65,14 +57,6 @@ func (mg *Backend) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this Backend. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *Backend) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this Backend. func (mg *Backend) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/aws/v1alpha1/zz_authbackendcert_terraformed.go b/apis/aws/v1alpha1/zz_authbackendcert_terraformed.go new file mode 100755 index 00000000..7c48f77a --- /dev/null +++ b/apis/aws/v1alpha1/zz_authbackendcert_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this AuthBackendCert +func (mg *AuthBackendCert) GetTerraformResourceType() string { + return "vault_aws_auth_backend_cert" +} + +// GetConnectionDetailsMapping for this AuthBackendCert +func (tr *AuthBackendCert) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this AuthBackendCert +func (tr *AuthBackendCert) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this AuthBackendCert +func (tr *AuthBackendCert) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this AuthBackendCert +func (tr *AuthBackendCert) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this AuthBackendCert +func (tr *AuthBackendCert) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this AuthBackendCert +func (tr *AuthBackendCert) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this AuthBackendCert +func (tr 
*AuthBackendCert) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this AuthBackendCert +func (tr *AuthBackendCert) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this AuthBackendCert using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *AuthBackendCert) LateInitialize(attrs []byte) (bool, error) { + params := &AuthBackendCertParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *AuthBackendCert) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/aws/v1alpha1/zz_authbackendcert_types.go b/apis/aws/v1alpha1/zz_authbackendcert_types.go index a8fcd6ef..0b53433e 100755 --- a/apis/aws/v1alpha1/zz_authbackendcert_types.go +++ b/apis/aws/v1alpha1/zz_authbackendcert_types.go @@ -25,8 +25,18 @@ type AuthBackendCertInitParameters struct { // The path the AWS auth backend being configured was // mounted at. Defaults to aws. // Unique name of the auth backend to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The name of the certificate. // Name of the certificate to configure. CertName *string `json:"certName,omitempty" tf:"cert_name,omitempty"` 
@@ -92,9 +102,19 @@ type AuthBackendCertParameters struct { // The path the AWS auth backend being configured was // mounted at. Defaults to aws. // Unique name of the auth backend to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The name of the certificate. // Name of the certificate to configure. // +kubebuilder:validation:Optional @@ -120,9 +140,8 @@ type AuthBackendCertParameters struct { type AuthBackendCertSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendCertParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -141,19 +160,20 @@ type AuthBackendCertStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // AuthBackendCert is the Schema for the AuthBackendCerts API. Manages a certificate for an AWS Auth Backend in Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type AuthBackendCert struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.awsPublicCert) || has(self.initProvider.awsPublicCert)",message="awsPublicCert is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.certName) || has(self.initProvider.certName)",message="certName is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.awsPublicCert) || (has(self.initProvider) && has(self.initProvider.awsPublicCert))",message="spec.forProvider.awsPublicCert is a required parameter" + // 
+kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.certName) || (has(self.initProvider) && has(self.initProvider.certName))",message="spec.forProvider.certName is a required parameter" Spec AuthBackendCertSpec `json:"spec"` Status AuthBackendCertStatus `json:"status,omitempty"` } diff --git a/apis/aws/v1alpha1/zz_authbackendclient_terraformed.go b/apis/aws/v1alpha1/zz_authbackendclient_terraformed.go new file mode 100755 index 00000000..8bff9a23 --- /dev/null +++ b/apis/aws/v1alpha1/zz_authbackendclient_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this AuthBackendClient +func (mg *AuthBackendClient) GetTerraformResourceType() string { + return "vault_aws_auth_backend_client" +} + +// GetConnectionDetailsMapping for this AuthBackendClient +func (tr *AuthBackendClient) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"access_key": "accessKeySecretRef", "secret_key": "secretKeySecretRef"} +} + +// GetObservation of this AuthBackendClient +func (tr *AuthBackendClient) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this AuthBackendClient +func (tr *AuthBackendClient) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this AuthBackendClient +func (tr *AuthBackendClient) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this AuthBackendClient +func (tr *AuthBackendClient) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this AuthBackendClient +func (tr *AuthBackendClient) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return 
json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this AuthBackendClient +func (tr *AuthBackendClient) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this AuthBackendClient +func (tr *AuthBackendClient) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this AuthBackendClient using its observed tfState. +// returns True if there are any spec changes for the resource. 
+func (tr *AuthBackendClient) LateInitialize(attrs []byte) (bool, error) { + params := &AuthBackendClientParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *AuthBackendClient) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/aws/v1alpha1/zz_authbackendclient_types.go b/apis/aws/v1alpha1/zz_authbackendclient_types.go index b235fb73..fd54f193 100755 --- a/apis/aws/v1alpha1/zz_authbackendclient_types.go +++ b/apis/aws/v1alpha1/zz_authbackendclient_types.go 
@@ -15,11 +15,26 @@ import ( type AuthBackendClientInitParameters struct { + // The AWS access key that Vault should use for the + // auth backend. Mutually exclusive with identity_token_audience. + // AWS Access key with permissions to query AWS APIs. + AccessKeySecretRef *v1.SecretKeySelector `json:"accessKeySecretRef,omitempty" tf:"-"` + // The path the AWS auth backend being configured was // mounted at. Defaults to aws. // Unique name of the auth backend to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Override the URL Vault uses when making EC2 API // calls. // URL to override the default generated endpoint for making AWS EC2 API calls. 
@@ -36,6 +51,21 @@ type AuthBackendClientInitParameters struct { // The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the iam auth method. IAMServerIDHeaderValue *string `json:"iamServerIdHeaderValue,omitempty" tf:"iam_server_id_header_value,omitempty"` + // The audience claim value. Mutually exclusive with access_key. + // Requires Vault 1.17+. Available only for Vault Enterprise + // The audience claim value. + IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The TTL of generated identity tokens in seconds. Requires Vault 1.17+. + // Available only for Vault Enterprise + // The TTL of generated identity tokens in seconds. + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + + // Number of max retries the client should use for recoverable errors. + // The default -1 falls back to the AWS SDK's default behavior. + // Number of max retries the client should use for recoverable errors. + MaxRetries *float64 `json:"maxRetries,omitempty" tf:"max_retries,omitempty"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. 
@@ -43,6 +73,16 @@ type AuthBackendClientInitParameters struct { // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. + // Available only for Vault Enterprise + // Role ARN to assume for plugin identity token federation. + RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"` + + // The AWS secret key that Vault should use for the + // auth backend. + // AWS Secret key with permissions to query AWS APIs. + SecretKeySecretRef *v1.SecretKeySelector `json:"secretKeySecretRef,omitempty" tf:"-"` + // Override the URL Vault uses when making STS API // calls. // URL to override the default generated endpoint for making AWS STS API calls. @@ -87,6 +127,21 @@ type AuthBackendClientObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The audience claim value. Mutually exclusive with access_key. + // Requires Vault 1.17+. Available only for Vault Enterprise + // The audience claim value. + IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The TTL of generated identity tokens in seconds. Requires Vault 1.17+. + // Available only for Vault Enterprise + // The TTL of generated identity tokens in seconds. + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + + // Number of max retries the client should use for recoverable errors. + // The default -1 falls back to the AWS SDK's default behavior. + // Number of max retries the client should use for recoverable errors. + MaxRetries *float64 `json:"maxRetries,omitempty" tf:"max_retries,omitempty"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. 
@@ -94,6 +149,11 @@ type AuthBackendClientObservation struct { // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. + // Available only for Vault Enterprise + // Role ARN to assume for plugin identity token federation. + RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"` + // Override the URL Vault uses when making STS API // calls. // URL to override the default generated endpoint for making AWS STS API calls. @@ -116,7 +176,7 @@ type AuthBackendClientObservation struct { type AuthBackendClientParameters struct { // The AWS access key that Vault should use for the - // auth backend. + // auth backend. Mutually exclusive with identity_token_audience. // AWS Access key with permissions to query AWS APIs. // +kubebuilder:validation:Optional AccessKeySecretRef *v1.SecretKeySelector `json:"accessKeySecretRef,omitempty" tf:"-"` @@ -124,9 +184,19 @@ type AuthBackendClientParameters struct { // The path the AWS auth backend being configured was // mounted at. Defaults to aws. // Unique name of the auth backend to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Override the URL Vault uses when making EC2 API // calls. // URL to override the default generated endpoint for making AWS EC2 API calls. 
@@ -146,6 +216,24 @@ type AuthBackendClientParameters struct { // +kubebuilder:validation:Optional IAMServerIDHeaderValue *string `json:"iamServerIdHeaderValue,omitempty" tf:"iam_server_id_header_value,omitempty"` + // The audience claim value. Mutually exclusive with access_key. + // Requires Vault 1.17+. Available only for Vault Enterprise + // The audience claim value. + // +kubebuilder:validation:Optional + IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The TTL of generated identity tokens in seconds. Requires Vault 1.17+. + // Available only for Vault Enterprise + // The TTL of generated identity tokens in seconds. + // +kubebuilder:validation:Optional + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + + // Number of max retries the client should use for recoverable errors. + // The default -1 falls back to the AWS SDK's default behavior. + // Number of max retries the client should use for recoverable errors. + // +kubebuilder:validation:Optional + MaxRetries *float64 `json:"maxRetries,omitempty" tf:"max_retries,omitempty"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. @@ -154,6 +242,12 @@ type AuthBackendClientParameters struct { // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. + // Available only for Vault Enterprise + // Role ARN to assume for plugin identity token federation. + // +kubebuilder:validation:Optional + RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"` + // The AWS secret key that Vault should use for the // auth backend. // AWS Secret key with permissions to query AWS APIs. 
@@ -186,9 +280,8 @@ type AuthBackendClientParameters struct { type AuthBackendClientSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendClientParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. @@ -207,13 +300,14 @@ type AuthBackendClientStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // AuthBackendClient is the Schema for the AuthBackendClients API. Configures the client used by an AWS Auth Backend in Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type AuthBackendClient struct { metav1.TypeMeta `json:",inline"` diff --git a/apis/aws/v1alpha1/zz_authbackendconfigidentity_terraformed.go b/apis/aws/v1alpha1/zz_authbackendconfigidentity_terraformed.go new file mode 100755 index 00000000..babf44cf --- /dev/null 
+++ b/apis/aws/v1alpha1/zz_authbackendconfigidentity_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this AuthBackendConfigIdentity +func (mg *AuthBackendConfigIdentity) GetTerraformResourceType() string { + return "vault_aws_auth_backend_config_identity" +} + +// GetConnectionDetailsMapping for this AuthBackendConfigIdentity +func (tr *AuthBackendConfigIdentity) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this AuthBackendConfigIdentity +func (tr *AuthBackendConfigIdentity) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this AuthBackendConfigIdentity +func (tr *AuthBackendConfigIdentity) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this AuthBackendConfigIdentity +func (tr *AuthBackendConfigIdentity) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this AuthBackendConfigIdentity +func (tr *AuthBackendConfigIdentity) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this AuthBackendConfigIdentity +func (tr *AuthBackendConfigIdentity) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil 
{ + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this AuthBackendConfigIdentity +func (tr *AuthBackendConfigIdentity) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this AuthBackendConfigIdentity +func (tr *AuthBackendConfigIdentity) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this AuthBackendConfigIdentity using its observed tfState. +// returns True if there are any spec changes for the resource. 
+func (tr *AuthBackendConfigIdentity) LateInitialize(attrs []byte) (bool, error) { + params := &AuthBackendConfigIdentityParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *AuthBackendConfigIdentity) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/aws/v1alpha1/zz_authbackendconfigidentity_types.go b/apis/aws/v1alpha1/zz_authbackendconfigidentity_types.go index 3558538e..e71cbd33 100755 --- a/apis/aws/v1alpha1/zz_authbackendconfigidentity_types.go +++ b/apis/aws/v1alpha1/zz_authbackendconfigidentity_types.go @@ -16,8 +16,18 @@ import ( type AuthBackendConfigIdentityInitParameters struct { // Unique name of the auth backend to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // How to generate the identity alias when using the ec2 auth method. Valid choices are // role_id, instance_id, and image_id. Defaults to role_id // Configures how to generate the identity alias when using the ec2 auth method. 
@@ -26,6 +36,7 @@ type AuthBackendConfigIdentityInitParameters struct { // The metadata to include on the token returned by the login endpoint. This metadata will be // added to both audit logs, and on the ec2_alias // The metadata to include on the token returned by the login endpoint. + // +listType=set EC2Metadata []*string `json:"ec2Metadata,omitempty" tf:"ec2_metadata,omitempty"` // How to generate the identity alias when using the iam auth method. Valid choices are @@ -36,6 +47,7 @@ type AuthBackendConfigIdentityInitParameters struct { // The metadata to include on the token returned by the login endpoint. This metadata will be // added to both audit logs, and on the iam_alias // The metadata to include on the token returned by the login endpoint. + // +listType=set IAMMetadata []*string `json:"iamMetadata,omitempty" tf:"iam_metadata,omitempty"` // The namespace to provision the resource in. @@ -59,6 +71,7 @@ type AuthBackendConfigIdentityObservation struct { // The metadata to include on the token returned by the login endpoint. This metadata will be // added to both audit logs, and on the ec2_alias // The metadata to include on the token returned by the login endpoint. + // +listType=set EC2Metadata []*string `json:"ec2Metadata,omitempty" tf:"ec2_metadata,omitempty"` // How to generate the identity alias when using the iam auth method. Valid choices are @@ -69,6 +82,7 @@ type AuthBackendConfigIdentityObservation struct { // The metadata to include on the token returned by the login endpoint. This metadata will be // added to both audit logs, and on the iam_alias // The metadata to include on the token returned by the login endpoint. + // +listType=set IAMMetadata []*string `json:"iamMetadata,omitempty" tf:"iam_metadata,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` 
@@ -84,9 +98,19 @@ type AuthBackendConfigIdentityObservation struct { type AuthBackendConfigIdentityParameters struct { // Unique name of the auth backend to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // How to generate the identity alias when using the ec2 auth method. Valid choices are // role_id, instance_id, and image_id. Defaults to role_id // Configures how to generate the identity alias when using the ec2 auth method. @@ -97,6 +121,7 @@ type AuthBackendConfigIdentityParameters struct { // added to both audit logs, and on the ec2_alias // The metadata to include on the token returned by the login endpoint. // +kubebuilder:validation:Optional + // +listType=set EC2Metadata []*string `json:"ec2Metadata,omitempty" tf:"ec2_metadata,omitempty"` // How to generate the identity alias when using the iam auth method. Valid choices are @@ -109,6 +134,7 @@ type AuthBackendConfigIdentityParameters struct { // added to both audit logs, and on the iam_alias // The metadata to include on the token returned by the login endpoint. // +kubebuilder:validation:Optional + // +listType=set IAMMetadata []*string `json:"iamMetadata,omitempty" tf:"iam_metadata,omitempty"` // The namespace to provision the resource in. 
@@ -124,9 +150,8 @@ type AuthBackendConfigIdentityParameters struct { type AuthBackendConfigIdentitySpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendConfigIdentityParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. @@ -145,13 +170,14 @@ type AuthBackendConfigIdentityStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // AuthBackendConfigIdentity is the Schema for the AuthBackendConfigIdentitys API. Manages AWS auth backend identity configuration in Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type AuthBackendConfigIdentity struct { metav1.TypeMeta `json:",inline"` diff --git a/apis/aws/v1alpha1/zz_authbackendidentitywhitelist_terraformed.go b/apis/aws/v1alpha1/zz_authbackendidentitywhitelist_terraformed.go new file mode 100755 index 00000000..4a4b9b11 --- /dev/null 
+++ b/apis/aws/v1alpha1/zz_authbackendidentitywhitelist_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this AuthBackendIdentityWhitelist +func (mg *AuthBackendIdentityWhitelist) GetTerraformResourceType() string { + return "vault_aws_auth_backend_identity_whitelist" +} + +// GetConnectionDetailsMapping for this AuthBackendIdentityWhitelist +func (tr *AuthBackendIdentityWhitelist) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this AuthBackendIdentityWhitelist +func (tr *AuthBackendIdentityWhitelist) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this AuthBackendIdentityWhitelist +func (tr *AuthBackendIdentityWhitelist) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this AuthBackendIdentityWhitelist +func (tr *AuthBackendIdentityWhitelist) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this AuthBackendIdentityWhitelist +func (tr *AuthBackendIdentityWhitelist) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this AuthBackendIdentityWhitelist +func (tr *AuthBackendIdentityWhitelist) SetParameters(params map[string]any) error { + p, err := 
json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this AuthBackendIdentityWhitelist +func (tr *AuthBackendIdentityWhitelist) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this AuthBackendIdentityWhitelist +func (tr *AuthBackendIdentityWhitelist) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this AuthBackendIdentityWhitelist using its observed tfState. +// returns True if there are any spec changes for the resource. 
+func (tr *AuthBackendIdentityWhitelist) LateInitialize(attrs []byte) (bool, error) { + params := &AuthBackendIdentityWhitelistParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *AuthBackendIdentityWhitelist) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/aws/v1alpha1/zz_authbackendidentitywhitelist_types.go b/apis/aws/v1alpha1/zz_authbackendidentitywhitelist_types.go index f212a160..ae771b96 100755 --- a/apis/aws/v1alpha1/zz_authbackendidentitywhitelist_types.go +++ b/apis/aws/v1alpha1/zz_authbackendidentitywhitelist_types.go @@ -17,8 +17,18 @@ type AuthBackendIdentityWhitelistInitParameters struct { // The path of the AWS backend being configured. // Unique name of the auth backend to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // If set to true, disables the periodic // tidying of the identity-whitelist entries. // If true, disables the periodic tidying of the identiy whitelist entries. 
@@ -69,9 +79,19 @@ type AuthBackendIdentityWhitelistParameters struct { // The path of the AWS backend being configured. // Unique name of the auth backend to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // If set to true, disables the periodic // tidying of the identity-whitelist entries. // If true, disables the periodic tidying of the identiy whitelist entries. @@ -98,9 +118,8 @@ type AuthBackendIdentityWhitelistParameters struct { type AuthBackendIdentityWhitelistSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendIdentityWhitelistParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -119,13 +138,14 @@ type AuthBackendIdentityWhitelistStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // AuthBackendIdentityWhitelist is the Schema for the AuthBackendIdentityWhitelists API. Configures the periodic tidying operation of the whitelisted identity entries. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type AuthBackendIdentityWhitelist struct { metav1.TypeMeta `json:",inline"` diff --git a/apis/aws/v1alpha1/zz_authbackendlogin_terraformed.go b/apis/aws/v1alpha1/zz_authbackendlogin_terraformed.go new file mode 100755 index 00000000..031231a4 --- /dev/null +++ b/apis/aws/v1alpha1/zz_authbackendlogin_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this AuthBackendLogin +func (mg *AuthBackendLogin) GetTerraformResourceType() string { + return "vault_aws_auth_backend_login" +} + +// GetConnectionDetailsMapping for this AuthBackendLogin +func (tr *AuthBackendLogin) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"client_token": "status.atProvider.clientToken"} +} + +// GetObservation of this AuthBackendLogin +func (tr *AuthBackendLogin) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this AuthBackendLogin +func (tr *AuthBackendLogin) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this AuthBackendLogin +func (tr *AuthBackendLogin) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this AuthBackendLogin +func (tr *AuthBackendLogin) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this AuthBackendLogin +func (tr *AuthBackendLogin) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, 
&tr.Spec.ForProvider) +} + +// GetInitParameters of this AuthBackendLogin +func (tr *AuthBackendLogin) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this AuthBackendLogin +func (tr *AuthBackendLogin) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this AuthBackendLogin using its observed tfState. +// returns True if there are any spec changes for the resource. 
+func (tr *AuthBackendLogin) LateInitialize(attrs []byte) (bool, error) { + params := &AuthBackendLoginParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *AuthBackendLogin) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/aws/v1alpha1/zz_authbackendlogin_types.go b/apis/aws/v1alpha1/zz_authbackendlogin_types.go index 66661041..bfb5feff 100755 --- a/apis/aws/v1alpha1/zz_authbackendlogin_types.go +++ b/apis/aws/v1alpha1/zz_authbackendlogin_types.go @@ -18,8 +18,18 @@ type AuthBackendLoginInitParameters struct { // The unique name of the AWS auth backend. Defaults to // 'aws'. // AWS Auth Backend to read the token from. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The HTTP method used in the signed IAM // request. // The HTTP method used in the signed request. 
@@ -68,8 +78,18 @@ type AuthBackendLoginInitParameters struct { // The name of the AWS auth backend role to create tokens // against. // AWS Auth Role to read the token from. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/aws/v1alpha1.AuthBackendRole + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("role",false) Role *string `json:"role,omitempty" tf:"role,omitempty"` + // Reference to a AuthBackendRole in aws to populate role. + // +kubebuilder:validation:Optional + RoleRef *v1.Reference `json:"roleRef,omitempty" tf:"-"` + + // Selector for a AuthBackendRole in aws to populate role. + // +kubebuilder:validation:Optional + RoleSelector *v1.Selector `json:"roleSelector,omitempty" tf:"-"` + // The base64-encoded SHA256 RSA signature of the // instance identity document to authenticate with, with all newline characters // removed. Can be retrieved from the EC2 metadata server. @@ -125,13 +145,14 @@ type AuthBackendLoginObservation struct { LeaseDuration *float64 `json:"leaseDuration,omitempty" tf:"lease_duration,omitempty"` // the approximate time at which the token was created, - // using the clock of the system where Upbound official provider was running. - // time at which the lease was read, using the clock of the system where Upbound official provider was running + // using the clock of the system where provider was running. + // time at which the lease was read, using the clock of the system where provider was running LeaseStartTime *string `json:"leaseStartTime,omitempty" tf:"lease_start_time,omitempty"` // A map of information returned by the Vault server about the // authentication used to generate this token. // The metadata reported by the Vault server. + // +mapType=granular Metadata map[string]*string `json:"metadata,omitempty" tf:"metadata,omitempty"` // The namespace to provision the resource in. 
@@ -179,9 +200,19 @@ type AuthBackendLoginParameters struct { // The unique name of the AWS auth backend. Defaults to // 'aws'. // AWS Auth Backend to read the token from. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The HTTP method used in the signed IAM // request. // The HTTP method used in the signed request. @@ -238,9 +269,19 @@ type AuthBackendLoginParameters struct { // The name of the AWS auth backend role to create tokens // against. // AWS Auth Role to read the token from. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/aws/v1alpha1.AuthBackendRole + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("role",false) // +kubebuilder:validation:Optional Role *string `json:"role,omitempty" tf:"role,omitempty"` + // Reference to a AuthBackendRole in aws to populate role. + // +kubebuilder:validation:Optional + RoleRef *v1.Reference `json:"roleRef,omitempty" tf:"-"` + + // Selector for a AuthBackendRole in aws to populate role. + // +kubebuilder:validation:Optional + RoleSelector *v1.Selector `json:"roleSelector,omitempty" tf:"-"` + // The base64-encoded SHA256 RSA signature of the // instance identity document to authenticate with, with all newline characters // removed. Can be retrieved from the EC2 metadata server. 
@@ -253,9 +294,8 @@ type AuthBackendLoginParameters struct { type AuthBackendLoginSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendLoginParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. @@ -274,13 +314,14 @@ type AuthBackendLoginStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // AuthBackendLogin is the Schema for the AuthBackendLogins API. Manages Vault tokens acquired using the AWS auth backend. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type AuthBackendLogin struct { metav1.TypeMeta `json:",inline"` diff --git a/apis/aws/v1alpha1/zz_authbackendrole_terraformed.go b/apis/aws/v1alpha1/zz_authbackendrole_terraformed.go new file mode 100755 index 00000000..4c6ed6c7 --- /dev/null +++ b/apis/aws/v1alpha1/zz_authbackendrole_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this AuthBackendRole +func (mg *AuthBackendRole) GetTerraformResourceType() string { + return "vault_aws_auth_backend_role" +} + +// GetConnectionDetailsMapping for this AuthBackendRole +func (tr *AuthBackendRole) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this AuthBackendRole +func (tr *AuthBackendRole) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this AuthBackendRole +func (tr *AuthBackendRole) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this AuthBackendRole +func (tr *AuthBackendRole) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this AuthBackendRole +func (tr *AuthBackendRole) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this AuthBackendRole +func (tr *AuthBackendRole) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this AuthBackendRole +func (tr 
*AuthBackendRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this AuthBackendRole +func (tr *AuthBackendRole) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this AuthBackendRole using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *AuthBackendRole) LateInitialize(attrs []byte) (bool, error) { + params := &AuthBackendRoleParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *AuthBackendRole) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/aws/v1alpha1/zz_authbackendrole_types.go b/apis/aws/v1alpha1/zz_authbackendrole_types.go index 6d51fbf5..465a66c7 100755 --- a/apis/aws/v1alpha1/zz_authbackendrole_types.go +++ b/apis/aws/v1alpha1/zz_authbackendrole_types.go @@ -27,13 +27,24 @@ type AuthBackendRoleInitParameters struct { // Path to the mounted aws auth backend. // Unique name of the auth backend to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // If set, defines a constraint on the EC2 instances // that can perform the login operation that they should be using the AMI ID // specified by this field. auth_type must be set to ec2 or // inferred_entity_type must be set to ec2_instance to use this constraint. // Only EC2 instances using this AMI ID will be permitted to log in. + // +listType=set BoundAMIIds []*string `json:"boundAmiIds,omitempty" tf:"bound_ami_ids,omitempty"` // If set, defines a constraint on the EC2 
@@ -41,9 +52,11 @@ type AuthBackendRoleInitParameters struct { // account ID specified by this field. auth_type must be set to ec2 or // inferred_entity_type must be set to ec2_instance to use this constraint. // Only EC2 instances with this account ID in their identity document will be permitted to log in. + // +listType=set BoundAccountIds []*string `json:"boundAccountIds,omitempty" tf:"bound_account_ids,omitempty"` // Only EC2 instances that match this instance ID will be permitted to log in. + // +listType=set BoundEC2InstanceIds []*string `json:"boundEc2InstanceIds,omitempty" tf:"bound_ec2_instance_ids,omitempty"` // If set, defines a constraint on @@ -53,12 +66,14 @@ type AuthBackendRoleInitParameters struct { // were a glob ending in *. auth_type must be set to ec2 or // inferred_entity_type must be set to ec2_instance to use this constraint. // Only EC2 instances associated with an IAM instance profile ARN that matches this value will be permitted to log in. + // +listType=set BoundIAMInstanceProfileArns []*string `json:"boundIamInstanceProfileArns,omitempty" tf:"bound_iam_instance_profile_arns,omitempty"` // If set, defines the IAM principal that // must be authenticated when auth_type is set to iam. Wildcards are // supported at the end of the ARN. // The IAM principal that must be authenticated using the iam auth method. + // +listType=set BoundIAMPrincipalArns []*string `json:"boundIamPrincipalArns,omitempty" tf:"bound_iam_principal_arns,omitempty"` // If set, defines a constraint on the EC2 @@ -66,6 +81,7 @@ type AuthBackendRoleInitParameters struct { // role ARN specified by this field. auth_type must be set to ec2 or // inferred_entity_type must be set to ec2_instance to use this constraint. // Only EC2 instances that match this IAM role ARN will be permitted to log in. + // +listType=set BoundIAMRoleArns []*string `json:"boundIamRoleArns,omitempty" tf:"bound_iam_role_arns,omitempty"` // If set, defines a constraint on the EC2 instances 
@@ -74,6 +90,7 @@ type AuthBackendRoleInitParameters struct { // to ec2 or inferred_entity_type must be set to ec2_instance to use this // constraint. // Only EC2 instances in this region will be permitted to log in. + // +listType=set BoundRegions []*string `json:"boundRegions,omitempty" tf:"bound_regions,omitempty"` // If set, defines a constraint on the EC2 @@ -82,6 +99,7 @@ type AuthBackendRoleInitParameters struct { // must be set to ec2 or inferred_entity_type must be set to ec2_instance // to use this constraint. // Only EC2 instances associated with this subnet ID will be permitted to log in. + // +listType=set BoundSubnetIds []*string `json:"boundSubnetIds,omitempty" tf:"bound_subnet_ids,omitempty"` // If set, defines a constraint on the EC2 instances @@ -90,6 +108,7 @@ type AuthBackendRoleInitParameters struct { // ec2 or inferred_entity_type must be set to ec2_instance to use this // constraint. // Only EC2 instances associated with this VPC ID will be permitted to log in. + // +listType=set BoundVPCIds []*string `json:"boundVpcIds,omitempty" tf:"bound_vpc_ids,omitempty"` // IF set to true, only allows a @@ -148,6 +167,7 @@ type AuthBackendRoleInitParameters struct { // addresses which can authenticate successfully, and ties the resulting token to these blocks // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // If set, will encode an @@ -182,6 +202,7 @@ type AuthBackendRoleInitParameters struct { // List of policies to encode onto generated tokens. Depending // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The incremental lifetime for generated tokens in number of seconds. 
@@ -219,6 +240,7 @@ type AuthBackendRoleObservation struct { // specified by this field. auth_type must be set to ec2 or // inferred_entity_type must be set to ec2_instance to use this constraint. // Only EC2 instances using this AMI ID will be permitted to log in. + // +listType=set BoundAMIIds []*string `json:"boundAmiIds,omitempty" tf:"bound_ami_ids,omitempty"` // If set, defines a constraint on the EC2 @@ -226,9 +248,11 @@ type AuthBackendRoleObservation struct { // account ID specified by this field. auth_type must be set to ec2 or // inferred_entity_type must be set to ec2_instance to use this constraint. // Only EC2 instances with this account ID in their identity document will be permitted to log in. + // +listType=set BoundAccountIds []*string `json:"boundAccountIds,omitempty" tf:"bound_account_ids,omitempty"` // Only EC2 instances that match this instance ID will be permitted to log in. + // +listType=set BoundEC2InstanceIds []*string `json:"boundEc2InstanceIds,omitempty" tf:"bound_ec2_instance_ids,omitempty"` // If set, defines a constraint on @@ -238,12 +262,14 @@ type AuthBackendRoleObservation struct { // were a glob ending in *. auth_type must be set to ec2 or // inferred_entity_type must be set to ec2_instance to use this constraint. // Only EC2 instances associated with an IAM instance profile ARN that matches this value will be permitted to log in. + // +listType=set BoundIAMInstanceProfileArns []*string `json:"boundIamInstanceProfileArns,omitempty" tf:"bound_iam_instance_profile_arns,omitempty"` // If set, defines the IAM principal that // must be authenticated when auth_type is set to iam. Wildcards are // supported at the end of the ARN. // The IAM principal that must be authenticated using the iam auth method. + // +listType=set BoundIAMPrincipalArns []*string `json:"boundIamPrincipalArns,omitempty" tf:"bound_iam_principal_arns,omitempty"` // If set, defines a constraint on the EC2 
@@ -251,6 +277,7 @@ type AuthBackendRoleObservation struct { // role ARN specified by this field. auth_type must be set to ec2 or // inferred_entity_type must be set to ec2_instance to use this constraint. // Only EC2 instances that match this IAM role ARN will be permitted to log in. + // +listType=set BoundIAMRoleArns []*string `json:"boundIamRoleArns,omitempty" tf:"bound_iam_role_arns,omitempty"` // If set, defines a constraint on the EC2 instances @@ -259,6 +286,7 @@ type AuthBackendRoleObservation struct { // to ec2 or inferred_entity_type must be set to ec2_instance to use this // constraint. // Only EC2 instances in this region will be permitted to log in. + // +listType=set BoundRegions []*string `json:"boundRegions,omitempty" tf:"bound_regions,omitempty"` // If set, defines a constraint on the EC2 @@ -267,6 +295,7 @@ type AuthBackendRoleObservation struct { // must be set to ec2 or inferred_entity_type must be set to ec2_instance // to use this constraint. // Only EC2 instances associated with this subnet ID will be permitted to log in. + // +listType=set BoundSubnetIds []*string `json:"boundSubnetIds,omitempty" tf:"bound_subnet_ids,omitempty"` // If set, defines a constraint on the EC2 instances @@ -275,6 +304,7 @@ type AuthBackendRoleObservation struct { // ec2 or inferred_entity_type must be set to ec2_instance to use this // constraint. // Only EC2 instances associated with this VPC ID will be permitted to log in. + // +listType=set BoundVPCIds []*string `json:"boundVpcIds,omitempty" tf:"bound_vpc_ids,omitempty"` // IF set to true, only allows a @@ -339,6 +369,7 @@ type AuthBackendRoleObservation struct { // addresses which can authenticate successfully, and ties the resulting token to these blocks // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // If set, will encode an 
@@ -373,6 +404,7 @@ type AuthBackendRoleObservation struct { // List of policies to encode onto generated tokens. Depending // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The incremental lifetime for generated tokens in number of seconds. @@ -405,15 +437,26 @@ type AuthBackendRoleParameters struct { // Path to the mounted aws auth backend. // Unique name of the auth backend to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // If set, defines a constraint on the EC2 instances // that can perform the login operation that they should be using the AMI ID // specified by this field. auth_type must be set to ec2 or // inferred_entity_type must be set to ec2_instance to use this constraint. // Only EC2 instances using this AMI ID will be permitted to log in. // +kubebuilder:validation:Optional + // +listType=set BoundAMIIds []*string `json:"boundAmiIds,omitempty" tf:"bound_ami_ids,omitempty"` // If set, defines a constraint on the EC2 
@@ -422,10 +465,12 @@ type AuthBackendRoleParameters struct { // inferred_entity_type must be set to ec2_instance to use this constraint. // Only EC2 instances with this account ID in their identity document will be permitted to log in. // +kubebuilder:validation:Optional + // +listType=set BoundAccountIds []*string `json:"boundAccountIds,omitempty" tf:"bound_account_ids,omitempty"` // Only EC2 instances that match this instance ID will be permitted to log in. // +kubebuilder:validation:Optional + // +listType=set BoundEC2InstanceIds []*string `json:"boundEc2InstanceIds,omitempty" tf:"bound_ec2_instance_ids,omitempty"` // If set, defines a constraint on @@ -436,6 +481,7 @@ type AuthBackendRoleParameters struct { // inferred_entity_type must be set to ec2_instance to use this constraint. // Only EC2 instances associated with an IAM instance profile ARN that matches this value will be permitted to log in. // +kubebuilder:validation:Optional + // +listType=set BoundIAMInstanceProfileArns []*string `json:"boundIamInstanceProfileArns,omitempty" tf:"bound_iam_instance_profile_arns,omitempty"` // If set, defines the IAM principal that @@ -443,6 +489,7 @@ type AuthBackendRoleParameters struct { // supported at the end of the ARN. // The IAM principal that must be authenticated using the iam auth method. // +kubebuilder:validation:Optional + // +listType=set BoundIAMPrincipalArns []*string `json:"boundIamPrincipalArns,omitempty" tf:"bound_iam_principal_arns,omitempty"` // If set, defines a constraint on the EC2 @@ -451,6 +498,7 @@ type AuthBackendRoleParameters struct { // inferred_entity_type must be set to ec2_instance to use this constraint. // Only EC2 instances that match this IAM role ARN will be permitted to log in. // +kubebuilder:validation:Optional + // +listType=set BoundIAMRoleArns []*string `json:"boundIamRoleArns,omitempty" tf:"bound_iam_role_arns,omitempty"` // If set, defines a constraint on the EC2 instances 
@@ -460,6 +508,7 @@ type AuthBackendRoleParameters struct { // constraint. // Only EC2 instances in this region will be permitted to log in. // +kubebuilder:validation:Optional + // +listType=set BoundRegions []*string `json:"boundRegions,omitempty" tf:"bound_regions,omitempty"` // If set, defines a constraint on the EC2 @@ -469,6 +518,7 @@ type AuthBackendRoleParameters struct { // to use this constraint. // Only EC2 instances associated with this subnet ID will be permitted to log in. // +kubebuilder:validation:Optional + // +listType=set BoundSubnetIds []*string `json:"boundSubnetIds,omitempty" tf:"bound_subnet_ids,omitempty"` // If set, defines a constraint on the EC2 instances @@ -478,6 +528,7 @@ type AuthBackendRoleParameters struct { // constraint. // Only EC2 instances associated with this VPC ID will be permitted to log in. // +kubebuilder:validation:Optional + // +listType=set BoundVPCIds []*string `json:"boundVpcIds,omitempty" tf:"bound_vpc_ids,omitempty"` // IF set to true, only allows a @@ -544,6 +595,7 @@ type AuthBackendRoleParameters struct { // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token // +kubebuilder:validation:Optional + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // If set, will encode an @@ -584,6 +636,7 @@ type AuthBackendRoleParameters struct { // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies // +kubebuilder:validation:Optional + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The incremental lifetime for generated tokens in number of seconds. 
@@ -606,9 +659,8 @@ type AuthBackendRoleParameters struct { type AuthBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendRoleParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -627,18 +679,19 @@ type AuthBackendRoleStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // AuthBackendRole is the Schema for the AuthBackendRoles API. Manages AWS auth backend roles in Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type AuthBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.role) || has(self.initProvider.role)",message="role is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.role) || (has(self.initProvider) && has(self.initProvider.role))",message="spec.forProvider.role is a required parameter" Spec AuthBackendRoleSpec `json:"spec"` Status AuthBackendRoleStatus `json:"status,omitempty"` } diff --git a/apis/aws/v1alpha1/zz_authbackendroletag_terraformed.go b/apis/aws/v1alpha1/zz_authbackendroletag_terraformed.go new file mode 100755 index 00000000..d1455841 --- /dev/null +++ b/apis/aws/v1alpha1/zz_authbackendroletag_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this AuthBackendRoleTag +func (mg *AuthBackendRoleTag) GetTerraformResourceType() string { + return "vault_aws_auth_backend_role_tag" +} + +// GetConnectionDetailsMapping for this AuthBackendRoleTag +func (tr *AuthBackendRoleTag) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this AuthBackendRoleTag +func (tr *AuthBackendRoleTag) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this AuthBackendRoleTag +func (tr *AuthBackendRoleTag) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this AuthBackendRoleTag +func (tr *AuthBackendRoleTag) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this AuthBackendRoleTag +func (tr *AuthBackendRoleTag) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this AuthBackendRoleTag +func (tr *AuthBackendRoleTag) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters 
of this AuthBackendRoleTag +func (tr *AuthBackendRoleTag) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this AuthBackendRoleTag +func (tr *AuthBackendRoleTag) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this AuthBackendRoleTag using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *AuthBackendRoleTag) LateInitialize(attrs []byte) (bool, error) { + params := &AuthBackendRoleTagParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *AuthBackendRoleTag) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/aws/v1alpha1/zz_authbackendroletag_types.go b/apis/aws/v1alpha1/zz_authbackendroletag_types.go index 86b7e2ec..03985769 100755 --- a/apis/aws/v1alpha1/zz_authbackendroletag_types.go +++ b/apis/aws/v1alpha1/zz_authbackendroletag_types.go @@ -22,8 +22,18 @@ type AuthBackendRoleTagInitParameters struct { // The path to the AWS auth backend to // read role tags from, with no leading or trailing /s. Defaults to "aws". // AWS auth backend to read tags from. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // If set, only allows a single token to be granted per instance ID. // Only allow a single token to be granted per instance ID. DisallowReauthentication *bool `json:"disallowReauthentication,omitempty" tf:"disallow_reauthentication,omitempty"` 
@@ -45,12 +55,23 @@ type AuthBackendRoleTagInitParameters struct { // The policies to be associated with the tag. Must be a subset of the policies associated with the role. // Policies to be associated with the tag. + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` // The name of the AWS auth backend role to read // role tags from, with no leading or trailing /s. // Name of the role. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/aws/v1alpha1.AuthBackendRole + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("role",false) Role *string `json:"role,omitempty" tf:"role,omitempty"` + + // Reference to a AuthBackendRole in aws to populate role. + // +kubebuilder:validation:Optional + RoleRef *v1.Reference `json:"roleRef,omitempty" tf:"-"` + + // Selector for a AuthBackendRole in aws to populate role. + // +kubebuilder:validation:Optional + RoleSelector *v1.Selector `json:"roleSelector,omitempty" tf:"-"` } type AuthBackendRoleTagObservation struct { @@ -87,6 +108,7 @@ type AuthBackendRoleTagObservation struct { // The policies to be associated with the tag. Must be a subset of the policies associated with the role. // Policies to be associated with the tag. + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` // The name of the AWS auth backend role to read 
@@ -111,9 +133,19 @@ type AuthBackendRoleTagParameters struct { // The path to the AWS auth backend to // read role tags from, with no leading or trailing /s. Defaults to "aws". // AWS auth backend to read tags from. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // If set, only allows a single token to be granted per instance ID. // Only allow a single token to be granted per instance ID. // +kubebuilder:validation:Optional 
@@ -140,22 +172,32 @@ type AuthBackendRoleTagParameters struct { // The policies to be associated with the tag. Must be a subset of the policies associated with the role. // Policies to be associated with the tag. // +kubebuilder:validation:Optional + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` // The name of the AWS auth backend role to read // role tags from, with no leading or trailing /s. // Name of the role. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/aws/v1alpha1.AuthBackendRole + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("role",false) // +kubebuilder:validation:Optional Role *string `json:"role,omitempty" tf:"role,omitempty"` + + // Reference to a AuthBackendRole in aws to populate role. + // +kubebuilder:validation:Optional + RoleRef *v1.Reference `json:"roleRef,omitempty" tf:"-"` + + // Selector for a AuthBackendRole in aws to populate role. + // +kubebuilder:validation:Optional + RoleSelector *v1.Selector `json:"roleSelector,omitempty" tf:"-"` } // AuthBackendRoleTagSpec defines the desired state of AuthBackendRoleTag type AuthBackendRoleTagSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendRoleTagParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -174,20 +216,20 @@ type AuthBackendRoleTagStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // AuthBackendRoleTag is the Schema for the AuthBackendRoleTags API. Reads role tags from a Vault AWS auth backend. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type AuthBackendRoleTag struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.role) || has(self.initProvider.role)",message="role is a required parameter" - Spec AuthBackendRoleTagSpec `json:"spec"` - Status AuthBackendRoleTagStatus `json:"status,omitempty"` + Spec AuthBackendRoleTagSpec `json:"spec"` + Status AuthBackendRoleTagStatus `json:"status,omitempty"` } // +kubebuilder:object:root=true diff --git a/apis/aws/v1alpha1/zz_authbackendroletagblacklist_terraformed.go b/apis/aws/v1alpha1/zz_authbackendroletagblacklist_terraformed.go new file mode 100755 index 00000000..a29af614 --- /dev/null +++ b/apis/aws/v1alpha1/zz_authbackendroletagblacklist_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this AuthBackendRoletagBlacklist +func (mg *AuthBackendRoletagBlacklist) GetTerraformResourceType() string { + return "vault_aws_auth_backend_roletag_blacklist" +} + +// GetConnectionDetailsMapping for this AuthBackendRoletagBlacklist +func (tr *AuthBackendRoletagBlacklist) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this AuthBackendRoletagBlacklist +func (tr *AuthBackendRoletagBlacklist) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this AuthBackendRoletagBlacklist +func (tr *AuthBackendRoletagBlacklist) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this AuthBackendRoletagBlacklist +func (tr *AuthBackendRoletagBlacklist) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this AuthBackendRoletagBlacklist +func (tr *AuthBackendRoletagBlacklist) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this AuthBackendRoletagBlacklist +func (tr *AuthBackendRoletagBlacklist) SetParameters(params map[string]any) error { + p, err := 
json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this AuthBackendRoletagBlacklist +func (tr *AuthBackendRoletagBlacklist) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this AuthBackendRoletagBlacklist +func (tr *AuthBackendRoletagBlacklist) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this AuthBackendRoletagBlacklist using its observed tfState. +// returns True if there are any spec changes for the resource. 
+func (tr *AuthBackendRoletagBlacklist) LateInitialize(attrs []byte) (bool, error) { + params := &AuthBackendRoletagBlacklistParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *AuthBackendRoletagBlacklist) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/aws/v1alpha1/zz_authbackendroletagblacklist_types.go b/apis/aws/v1alpha1/zz_authbackendroletagblacklist_types.go index 3ea617bb..c36205f1 100755 --- a/apis/aws/v1alpha1/zz_authbackendroletagblacklist_types.go +++ b/apis/aws/v1alpha1/zz_authbackendroletagblacklist_types.go @@ -18,8 +18,18 @@ type AuthBackendRoletagBlacklistInitParameters struct { // The path the AWS auth backend being configured was // mounted at. // Unique name of the auth backend to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // If set to true, disables the periodic // tidying of the roletag blacklist entries. Defaults to false. // If true, disables the periodic tidying of the roletag blacklist entries. 
@@ -72,9 +82,19 @@ type AuthBackendRoletagBlacklistParameters struct { // The path the AWS auth backend being configured was // mounted at. // Unique name of the auth backend to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // If set to true, disables the periodic // tidying of the roletag blacklist entries. Defaults to false. // If true, disables the periodic tidying of the roletag blacklist entries. @@ -101,9 +121,8 @@ type AuthBackendRoletagBlacklistParameters struct { type AuthBackendRoletagBlacklistSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendRoletagBlacklistParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -122,20 +141,20 @@ type AuthBackendRoletagBlacklistStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // AuthBackendRoletagBlacklist is the Schema for the AuthBackendRoletagBlacklists API. Configures the periodic tidying operation of the blacklisted role tag entries. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type AuthBackendRoletagBlacklist struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" - Spec AuthBackendRoletagBlacklistSpec `json:"spec"` - Status AuthBackendRoletagBlacklistStatus `json:"status,omitempty"` + Spec AuthBackendRoletagBlacklistSpec `json:"spec"` + Status AuthBackendRoletagBlacklistStatus `json:"status,omitempty"` } // +kubebuilder:object:root=true diff --git a/apis/aws/v1alpha1/zz_authbackendstsrole_terraformed.go b/apis/aws/v1alpha1/zz_authbackendstsrole_terraformed.go new file mode 100755 index 00000000..bf15d187 --- /dev/null +++ b/apis/aws/v1alpha1/zz_authbackendstsrole_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this AuthBackendStsRole +func (mg *AuthBackendStsRole) GetTerraformResourceType() string { + return "vault_aws_auth_backend_sts_role" +} + +// GetConnectionDetailsMapping for this AuthBackendStsRole +func (tr *AuthBackendStsRole) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this AuthBackendStsRole +func (tr *AuthBackendStsRole) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this AuthBackendStsRole +func (tr *AuthBackendStsRole) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this AuthBackendStsRole +func (tr *AuthBackendStsRole) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this AuthBackendStsRole +func (tr *AuthBackendStsRole) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this AuthBackendStsRole +func (tr *AuthBackendStsRole) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters 
of this AuthBackendStsRole +func (tr *AuthBackendStsRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this AuthBackendStsRole +func (tr *AuthBackendStsRole) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this AuthBackendStsRole using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *AuthBackendStsRole) LateInitialize(attrs []byte) (bool, error) { + params := &AuthBackendStsRoleParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *AuthBackendStsRole) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/aws/v1alpha1/zz_authbackendstsrole_types.go b/apis/aws/v1alpha1/zz_authbackendstsrole_types.go index e71e3e27..7c1c7a1e 100755 --- a/apis/aws/v1alpha1/zz_authbackendstsrole_types.go +++ b/apis/aws/v1alpha1/zz_authbackendstsrole_types.go @@ -22,8 +22,18 @@ type AuthBackendStsRoleInitParameters struct { // The path the AWS auth backend being configured was // mounted at. Defaults to aws. // Unique name of the auth backend to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. 
@@ -73,9 +83,19 @@ type AuthBackendStsRoleParameters struct { // The path the AWS auth backend being configured was // mounted at. Defaults to aws. // Unique name of the auth backend to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. @@ -95,9 +115,8 @@ type AuthBackendStsRoleParameters struct { type AuthBackendStsRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendStsRoleParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -116,19 +135,20 @@ type AuthBackendStsRoleStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // AuthBackendStsRole is the Schema for the AuthBackendStsRoles API. Configures an STS role in the Vault AWS Auth backend. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type AuthBackendStsRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.accountId) || has(self.initProvider.accountId)",message="accountId is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.stsRole) || has(self.initProvider.stsRole)",message="stsRole is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.accountId) || (has(self.initProvider) && has(self.initProvider.accountId))",message="spec.forProvider.accountId is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in 
self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.stsRole) || (has(self.initProvider) && has(self.initProvider.stsRole))",message="spec.forProvider.stsRole is a required parameter" Spec AuthBackendStsRoleSpec `json:"spec"` Status AuthBackendStsRoleStatus `json:"status,omitempty"` } diff --git a/apis/aws/v1alpha1/zz_generated.conversion_hubs.go b/apis/aws/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..3f00d9d9 --- /dev/null +++ b/apis/aws/v1alpha1/zz_generated.conversion_hubs.go @@ -0,0 +1,40 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *AuthBackendCert) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *AuthBackendClient) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *AuthBackendConfigIdentity) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *AuthBackendIdentityWhitelist) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *AuthBackendLogin) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *AuthBackendRole) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *AuthBackendRoleTag) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *AuthBackendRoletagBlacklist) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *AuthBackendStsRole) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SecretBackend) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SecretBackendRole) Hub() {} diff --git a/apis/aws/v1alpha1/zz_generated.deepcopy.go b/apis/aws/v1alpha1/zz_generated.deepcopy.go index ff2f2558..64b41022 100644 --- a/apis/aws/v1alpha1/zz_generated.deepcopy.go +++ b/apis/aws/v1alpha1/zz_generated.deepcopy.go 
@@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. @@ -54,6 +53,16 @@ func (in *AuthBackendCertInitParameters) DeepCopyInto(out *AuthBackendCertInitPa *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.CertName != nil { in, out := &in.CertName, &out.CertName *out = new(string) @@ -171,6 +180,16 @@ func (in *AuthBackendCertParameters) DeepCopyInto(out *AuthBackendCertParameters *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.CertName != nil { in, out := &in.CertName, &out.CertName *out = new(string) 
@@ -263,11 +282,26 @@ func (in *AuthBackendClient) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthBackendClientInitParameters) DeepCopyInto(out *AuthBackendClientInitParameters) { *out = *in + if in.AccessKeySecretRef != nil { + in, out := &in.AccessKeySecretRef, &out.AccessKeySecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.Backend != nil { in, out := &in.Backend, &out.Backend *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.EC2Endpoint != nil { in, out := &in.EC2Endpoint, &out.EC2Endpoint *out = new(string) @@ -283,11 +317,36 @@ func (in *AuthBackendClientInitParameters) DeepCopyInto(out *AuthBackendClientIn *out = new(string) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } + if in.MaxRetries != nil { + in, out := &in.MaxRetries, &out.MaxRetries + *out = new(float64) + **out = **in + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) **out = **in } + if in.RoleArn != nil { + in, out := &in.RoleArn, &out.RoleArn + *out = new(string) + **out = **in + } + if in.SecretKeySecretRef != nil { + in, out := &in.SecretKeySecretRef, &out.SecretKeySecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.StsEndpoint != nil { in, out := &in.StsEndpoint, &out.StsEndpoint *out = new(string) 
@@ -375,11 +434,31 @@ func (in *AuthBackendClientObservation) DeepCopyInto(out *AuthBackendClientObser *out = new(string) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } + if in.MaxRetries != nil { + in, out := &in.MaxRetries, &out.MaxRetries + *out = new(float64) + **out = **in + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) **out = **in } + if in.RoleArn != nil { + in, out := &in.RoleArn, &out.RoleArn + *out = new(string) + **out = **in + } if in.StsEndpoint != nil { in, out := &in.StsEndpoint, &out.StsEndpoint *out = new(string) @@ -420,6 +499,16 @@ func (in *AuthBackendClientParameters) DeepCopyInto(out *AuthBackendClientParame *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.EC2Endpoint != nil { in, out := &in.EC2Endpoint, &out.EC2Endpoint *out = new(string) 
@@ -435,11 +524,31 @@ func (in *AuthBackendClientParameters) DeepCopyInto(out *AuthBackendClientParame *out = new(string) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } + if in.MaxRetries != nil { + in, out := &in.MaxRetries, &out.MaxRetries + *out = new(float64) + **out = **in + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) **out = **in } + if in.RoleArn != nil { + in, out := &in.RoleArn, &out.RoleArn + *out = new(string) + **out = **in + } if in.SecretKeySecretRef != nil { in, out := &in.SecretKeySecretRef, &out.SecretKeySecretRef *out = new(v1.SecretKeySelector) @@ -542,6 +651,16 @@ func (in *AuthBackendConfigIdentityInitParameters) DeepCopyInto(out *AuthBackend *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.EC2Alias != nil { in, out := &in.EC2Alias, &out.EC2Alias *out = new(string) @@ -693,6 +812,16 @@ func (in *AuthBackendConfigIdentityParameters) DeepCopyInto(out *AuthBackendConf *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.EC2Alias != nil { in, out := &in.EC2Alias, &out.EC2Alias *out = new(string) 
@@ -812,6 +941,16 @@ func (in *AuthBackendIdentityWhitelistInitParameters) DeepCopyInto(out *AuthBack *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.DisablePeriodicTidy != nil { in, out := &in.DisablePeriodicTidy, &out.DisablePeriodicTidy *out = new(bool) @@ -919,6 +1058,16 @@ func (in *AuthBackendIdentityWhitelistParameters) DeepCopyInto(out *AuthBackendI *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.DisablePeriodicTidy != nil { in, out := &in.DisablePeriodicTidy, &out.DisablePeriodicTidy *out = new(bool) @@ -1016,6 +1165,16 @@ func (in *AuthBackendLoginInitParameters) DeepCopyInto(out *AuthBackendLoginInit *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.IAMHTTPRequestMethod != nil { in, out := &in.IAMHTTPRequestMethod, &out.IAMHTTPRequestMethod *out = new(string) 
@@ -1061,6 +1220,16 @@ func (in *AuthBackendLoginInitParameters) DeepCopyInto(out *AuthBackendLoginInit *out = new(string) **out = **in } + if in.RoleRef != nil { + in, out := &in.RoleRef, &out.RoleRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.RoleSelector != nil { + in, out := &in.RoleSelector, &out.RoleSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Signature != nil { in, out := &in.Signature, &out.Signature *out = new(string) @@ -1176,7 +1345,8 @@ func (in *AuthBackendLoginObservation) DeepCopyInto(out *AuthBackendLoginObserva if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -1244,6 +1414,16 @@ func (in *AuthBackendLoginParameters) DeepCopyInto(out *AuthBackendLoginParamete *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.IAMHTTPRequestMethod != nil { in, out := &in.IAMHTTPRequestMethod, &out.IAMHTTPRequestMethod *out = new(string) @@ -1289,6 +1469,16 @@ func (in *AuthBackendLoginParameters) DeepCopyInto(out *AuthBackendLoginParamete *out = new(string) **out = **in } + if in.RoleRef != nil { + in, out := &in.RoleRef, &out.RoleRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.RoleSelector != nil { + in, out := &in.RoleSelector, &out.RoleSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Signature != nil { in, out := &in.Signature, &out.Signature *out = new(string) 
@@ -1386,6 +1576,16 @@ func (in *AuthBackendRoleInitParameters) DeepCopyInto(out *AuthBackendRoleInitPa *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.BoundAMIIds != nil { in, out := &in.BoundAMIIds, &out.BoundAMIIds *out = make([]*string, len(*in)) @@ -1870,6 +2070,16 @@ func (in *AuthBackendRoleParameters) DeepCopyInto(out *AuthBackendRoleParameters *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.BoundAMIIds != nil { in, out := &in.BoundAMIIds, &out.BoundAMIIds *out = make([]*string, len(*in)) @@ -2148,6 +2358,16 @@ func (in *AuthBackendRoleTagInitParameters) DeepCopyInto(out *AuthBackendRoleTag *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.DisallowReauthentication != nil { in, out := &in.DisallowReauthentication, &out.DisallowReauthentication *out = new(bool) 
@@ -2184,6 +2404,16 @@ func (in *AuthBackendRoleTagInitParameters) DeepCopyInto(out *AuthBackendRoleTag *out = new(string) **out = **in } + if in.RoleRef != nil { + in, out := &in.RoleRef, &out.RoleRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.RoleSelector != nil { + in, out := &in.RoleSelector, &out.RoleSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleTagInitParameters. @@ -2317,6 +2547,16 @@ func (in *AuthBackendRoleTagParameters) DeepCopyInto(out *AuthBackendRoleTagPara *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.DisallowReauthentication != nil { in, out := &in.DisallowReauthentication, &out.DisallowReauthentication *out = new(bool) @@ -2353,6 +2593,16 @@ func (in *AuthBackendRoleTagParameters) DeepCopyInto(out *AuthBackendRoleTagPara *out = new(string) **out = **in } + if in.RoleRef != nil { + in, out := &in.RoleRef, &out.RoleRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.RoleSelector != nil { + in, out := &in.RoleSelector, &out.RoleSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleTagParameters. 
@@ -2435,6 +2685,16 @@ func (in *AuthBackendRoletagBlacklistInitParameters) DeepCopyInto(out *AuthBacke *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.DisablePeriodicTidy != nil { in, out := &in.DisablePeriodicTidy, &out.DisablePeriodicTidy *out = new(bool) @@ -2542,6 +2802,16 @@ func (in *AuthBackendRoletagBlacklistParameters) DeepCopyInto(out *AuthBackendRo *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.DisablePeriodicTidy != nil { in, out := &in.DisablePeriodicTidy, &out.DisablePeriodicTidy *out = new(bool) @@ -2644,6 +2914,16 @@ func (in *AuthBackendStsRoleInitParameters) DeepCopyInto(out *AuthBackendStsRole *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) 
@@ -2751,6 +3031,16 @@ func (in *AuthBackendStsRoleParameters) DeepCopyInto(out *AuthBackendStsRolePara *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) @@ -2838,6 +3128,11 @@ func (in *SecretBackend) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParameters) { *out = *in + if in.AccessKeySecretRef != nil { + in, out := &in.AccessKeySecretRef, &out.AccessKeySecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.DefaultLeaseTTLSeconds != nil { in, out := &in.DefaultLeaseTTLSeconds, &out.DefaultLeaseTTLSeconds *out = new(float64) @@ -2903,6 +3198,11 @@ func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParame *out = new(string) **out = **in } + if in.SecretKeySecretRef != nil { + in, out := &in.SecretKeySecretRef, &out.SecretKeySecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.StsEndpoint != nil { in, out := &in.StsEndpoint, &out.StsEndpoint *out = new(string) @@ -3187,6 +3487,16 @@ func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleIn *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.CredentialType != nil { in, out := &in.CredentialType, &out.CredentialType *out = new(string) 
@@ -3197,6 +3507,11 @@ func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleIn *out = new(float64) **out = **in } + if in.ExternalID != nil { + in, out := &in.ExternalID, &out.ExternalID + *out = new(string) + **out = **in + } if in.IAMGroups != nil { in, out := &in.IAMGroups, &out.IAMGroups *out = make([]*string, len(*in)) @@ -3208,6 +3523,22 @@ func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleIn } } } + if in.IAMTags != nil { + in, out := &in.IAMTags, &out.IAMTags + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + inVal := (*in)[key] + in, out := &inVal, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } if in.MaxStsTTL != nil { in, out := &in.MaxStsTTL, &out.MaxStsTTL *out = new(float64) @@ -3255,6 +3586,22 @@ func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleIn } } } + if in.SessionTags != nil { + in, out := &in.SessionTags, &out.SessionTags + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + inVal := (*in)[key] + in, out := &inVal, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } if in.UserPath != nil { in, out := &in.UserPath, &out.UserPath *out = new(string) @@ -3322,6 +3669,11 @@ func (in *SecretBackendRoleObservation) DeepCopyInto(out *SecretBackendRoleObser *out = new(float64) **out = **in } + if in.ExternalID != nil { + in, out := &in.ExternalID, &out.ExternalID + *out = new(string) + **out = **in + } if in.IAMGroups != nil { in, out := &in.IAMGroups, &out.IAMGroups *out = make([]*string, len(*in)) 
@@ -3333,6 +3685,22 @@ func (in *SecretBackendRoleObservation) DeepCopyInto(out *SecretBackendRoleObser } } } + if in.IAMTags != nil { + in, out := &in.IAMTags, &out.IAMTags + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + inVal := (*in)[key] + in, out := &inVal, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } if in.ID != nil { in, out := &in.ID, &out.ID *out = new(string) @@ -3385,6 +3753,22 @@ func (in *SecretBackendRoleObservation) DeepCopyInto(out *SecretBackendRoleObser } } } + if in.SessionTags != nil { + in, out := &in.SessionTags, &out.SessionTags + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + inVal := (*in)[key] + in, out := &inVal, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } if in.UserPath != nil { in, out := &in.UserPath, &out.UserPath *out = new(string) @@ -3410,6 +3794,16 @@ func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParame *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.CredentialType != nil { in, out := &in.CredentialType, &out.CredentialType *out = new(string) @@ -3420,6 +3814,11 @@ func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParame *out = new(float64) **out = **in } + if in.ExternalID != nil { + in, out := &in.ExternalID, &out.ExternalID + *out = new(string) + **out = **in + } if in.IAMGroups != nil { in, out := &in.IAMGroups, &out.IAMGroups *out = make([]*string, len(*in)) 
@@ -3431,6 +3830,22 @@ func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParame } } } + if in.IAMTags != nil { + in, out := &in.IAMTags, &out.IAMTags + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + inVal := (*in)[key] + in, out := &inVal, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } if in.MaxStsTTL != nil { in, out := &in.MaxStsTTL, &out.MaxStsTTL *out = new(float64) @@ -3478,6 +3893,22 @@ func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParame } } } + if in.SessionTags != nil { + in, out := &in.SessionTags, &out.SessionTags + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + inVal := (*in)[key] + in, out := &inVal, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } if in.UserPath != nil { in, out := &in.UserPath, &out.UserPath *out = new(string) diff --git a/apis/aws/v1alpha1/zz_generated.managed.go b/apis/aws/v1alpha1/zz_generated.managed.go index 7519b349..97754545 100644 --- a/apis/aws/v1alpha1/zz_generated.managed.go +++ b/apis/aws/v1alpha1/zz_generated.managed.go @@ -27,14 +27,6 @@ func (mg *AuthBackendCert) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this AuthBackendCert. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *AuthBackendCert) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this AuthBackendCert. func (mg *AuthBackendCert) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -65,14 +57,6 @@ func (mg *AuthBackendCert) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this AuthBackendCert. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *AuthBackendCert) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this AuthBackendCert. func (mg *AuthBackendCert) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -103,14 +87,6 @@ func (mg *AuthBackendClient) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this AuthBackendClient. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *AuthBackendClient) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this AuthBackendClient. func (mg *AuthBackendClient) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -141,14 +117,6 @@ func (mg *AuthBackendClient) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this AuthBackendClient. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *AuthBackendClient) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this AuthBackendClient. func (mg *AuthBackendClient) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r 
@@ -179,14 +147,6 @@ func (mg *AuthBackendConfigIdentity) GetProviderConfigReference() *xpv1.Referenc return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this AuthBackendConfigIdentity. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *AuthBackendConfigIdentity) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this AuthBackendConfigIdentity. func (mg *AuthBackendConfigIdentity) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -217,14 +177,6 @@ func (mg *AuthBackendConfigIdentity) SetProviderConfigReference(r *xpv1.Referenc mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this AuthBackendConfigIdentity. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *AuthBackendConfigIdentity) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this AuthBackendConfigIdentity. func (mg *AuthBackendConfigIdentity) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -255,14 +207,6 @@ func (mg *AuthBackendIdentityWhitelist) GetProviderConfigReference() *xpv1.Refer return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this AuthBackendIdentityWhitelist. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *AuthBackendIdentityWhitelist) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this AuthBackendIdentityWhitelist. func (mg *AuthBackendIdentityWhitelist) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -293,14 +237,6 @@ func (mg *AuthBackendIdentityWhitelist) SetProviderConfigReference(r *xpv1.Refer mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this AuthBackendIdentityWhitelist. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *AuthBackendIdentityWhitelist) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this AuthBackendIdentityWhitelist. func (mg *AuthBackendIdentityWhitelist) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -331,14 +267,6 @@ func (mg *AuthBackendLogin) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this AuthBackendLogin. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *AuthBackendLogin) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this AuthBackendLogin. func (mg *AuthBackendLogin) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -369,14 +297,6 @@ func (mg *AuthBackendLogin) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this AuthBackendLogin. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *AuthBackendLogin) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this AuthBackendLogin. func (mg *AuthBackendLogin) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r 
@@ -407,14 +327,6 @@ func (mg *AuthBackendRole) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this AuthBackendRole. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *AuthBackendRole) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this AuthBackendRole. func (mg *AuthBackendRole) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -445,14 +357,6 @@ func (mg *AuthBackendRole) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this AuthBackendRole. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *AuthBackendRole) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this AuthBackendRole. func (mg *AuthBackendRole) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -483,14 +387,6 @@ func (mg *AuthBackendRoleTag) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this AuthBackendRoleTag. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *AuthBackendRoleTag) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this AuthBackendRoleTag. func (mg *AuthBackendRoleTag) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -521,14 +417,6 @@ func (mg *AuthBackendRoleTag) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this AuthBackendRoleTag. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *AuthBackendRoleTag) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this AuthBackendRoleTag. func (mg *AuthBackendRoleTag) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -559,14 +447,6 @@ func (mg *AuthBackendRoletagBlacklist) GetProviderConfigReference() *xpv1.Refere return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this AuthBackendRoletagBlacklist. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *AuthBackendRoletagBlacklist) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this AuthBackendRoletagBlacklist. func (mg *AuthBackendRoletagBlacklist) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -597,14 +477,6 @@ func (mg *AuthBackendRoletagBlacklist) SetProviderConfigReference(r *xpv1.Refere mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this AuthBackendRoletagBlacklist. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *AuthBackendRoletagBlacklist) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this AuthBackendRoletagBlacklist. func (mg *AuthBackendRoletagBlacklist) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r 
@@ -635,14 +507,6 @@ func (mg *AuthBackendStsRole) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this AuthBackendStsRole. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *AuthBackendStsRole) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this AuthBackendStsRole. func (mg *AuthBackendStsRole) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -673,14 +537,6 @@ func (mg *AuthBackendStsRole) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this AuthBackendStsRole. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *AuthBackendStsRole) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this AuthBackendStsRole. func (mg *AuthBackendStsRole) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -711,14 +567,6 @@ func (mg *SecretBackend) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretBackend. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretBackend) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretBackend. func (mg *SecretBackend) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -749,14 +597,6 @@ func (mg *SecretBackend) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretBackend. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretBackend) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretBackend. func (mg *SecretBackend) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -787,14 +627,6 @@ func (mg *SecretBackendRole) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretBackendRole. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretBackendRole) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretBackendRole. func (mg *SecretBackendRole) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -825,14 +657,6 @@ func (mg *SecretBackendRole) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretBackendRole. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretBackendRole) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretBackendRole. func (mg *SecretBackendRole) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/aws/v1alpha1/zz_generated.resolvers.go b/apis/aws/v1alpha1/zz_generated.resolvers.go new file mode 100644 index 00000000..51e7362e --- /dev/null +++ b/apis/aws/v1alpha1/zz_generated.resolvers.go 
@@ -0,0 +1,499 @@ +/* +Copyright 2022 Upbound Inc. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + reference "github.com/crossplane/crossplane-runtime/pkg/reference" + resource "github.com/crossplane/upjet/pkg/resource" + errors "github.com/pkg/errors" + v1alpha1 "github.com/upbound/provider-vault/apis/auth/v1alpha1" + client "sigs.k8s.io/controller-runtime/pkg/client" +) + +// ResolveReferences of this AuthBackendCert. +func (mg *AuthBackendCert) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this AuthBackendClient. 
+func (mg *AuthBackendClient) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this AuthBackendConfigIdentity. 
+func (mg *AuthBackendConfigIdentity) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this AuthBackendIdentityWhitelist. 
+func (mg *AuthBackendIdentityWhitelist) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this AuthBackendLogin. 
+func (mg *AuthBackendLogin) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Role), + Extract: resource.ExtractParamPath("role", false), + Reference: mg.Spec.ForProvider.RoleRef, + Selector: mg.Spec.ForProvider.RoleSelector, + To: reference.To{ + List: &AuthBackendRoleList{}, + Managed: &AuthBackendRole{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Role") + } + mg.Spec.ForProvider.Role = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.RoleRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: 
reference.FromPtrValue(mg.Spec.InitProvider.Role), + Extract: resource.ExtractParamPath("role", false), + Reference: mg.Spec.InitProvider.RoleRef, + Selector: mg.Spec.InitProvider.RoleSelector, + To: reference.To{ + List: &AuthBackendRoleList{}, + Managed: &AuthBackendRole{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Role") + } + mg.Spec.InitProvider.Role = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.RoleRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this AuthBackendRole. +func (mg *AuthBackendRole) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this AuthBackendRoleTag. 
+func (mg *AuthBackendRoleTag) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Role), + Extract: resource.ExtractParamPath("role", false), + Reference: mg.Spec.ForProvider.RoleRef, + Selector: mg.Spec.ForProvider.RoleSelector, + To: reference.To{ + List: &AuthBackendRoleList{}, + Managed: &AuthBackendRole{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Role") + } + mg.Spec.ForProvider.Role = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.RoleRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: 
reference.FromPtrValue(mg.Spec.InitProvider.Role), + Extract: resource.ExtractParamPath("role", false), + Reference: mg.Spec.InitProvider.RoleRef, + Selector: mg.Spec.InitProvider.RoleSelector, + To: reference.To{ + List: &AuthBackendRoleList{}, + Managed: &AuthBackendRole{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Role") + } + mg.Spec.InitProvider.Role = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.RoleRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this AuthBackendRoletagBlacklist. +func (mg *AuthBackendRoletagBlacklist) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this AuthBackendStsRole. 
+func (mg *AuthBackendStsRole) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this SecretBackendRole. 
+func (mg *SecretBackendRole) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &SecretBackendList{}, + Managed: &SecretBackend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &SecretBackendList{}, + Managed: &SecretBackend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} diff --git a/apis/aws/v1alpha1/zz_generated_terraformed.go b/apis/aws/v1alpha1/zz_generated_terraformed.go deleted file mode 100755 index 049239c6..00000000 --- a/apis/aws/v1alpha1/zz_generated_terraformed.go +++ /dev/null 
@@ -1,938 +0,0 @@ -/* -Copyright 2022 Upbound Inc. -*/ - -// Code generated by upjet. DO NOT EDIT. - -package v1alpha1 - -import ( - "github.com/pkg/errors" - - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" -) - -// GetTerraformResourceType returns Terraform resource type for this AuthBackendCert -func (mg *AuthBackendCert) GetTerraformResourceType() string { - return "vault_aws_auth_backend_cert" -} - -// GetConnectionDetailsMapping for this AuthBackendCert -func (tr *AuthBackendCert) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this AuthBackendCert -func (tr *AuthBackendCert) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this AuthBackendCert -func (tr *AuthBackendCert) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this AuthBackendCert -func (tr *AuthBackendCert) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this AuthBackendCert -func (tr *AuthBackendCert) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this AuthBackendCert -func (tr *AuthBackendCert) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this AuthBackendCert -func (tr *AuthBackendCert) GetInitParameters() 
(map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this AuthBackendCert using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *AuthBackendCert) LateInitialize(attrs []byte) (bool, error) { - params := &AuthBackendCertParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *AuthBackendCert) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this AuthBackendClient -func (mg *AuthBackendClient) GetTerraformResourceType() string { - return "vault_aws_auth_backend_client" -} - -// GetConnectionDetailsMapping for this AuthBackendClient -func (tr *AuthBackendClient) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"access_key": "spec.forProvider.accessKeySecretRef", "secret_key": "spec.forProvider.secretKeySecretRef"} -} - -// GetObservation of this AuthBackendClient -func (tr *AuthBackendClient) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this AuthBackendClient -func (tr *AuthBackendClient) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return 
json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this AuthBackendClient -func (tr *AuthBackendClient) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this AuthBackendClient -func (tr *AuthBackendClient) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this AuthBackendClient -func (tr *AuthBackendClient) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this AuthBackendClient -func (tr *AuthBackendClient) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this AuthBackendClient using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *AuthBackendClient) LateInitialize(attrs []byte) (bool, error) { - params := &AuthBackendClientParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *AuthBackendClient) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this AuthBackendConfigIdentity -func (mg *AuthBackendConfigIdentity) GetTerraformResourceType() string { - return "vault_aws_auth_backend_config_identity" -} - -// GetConnectionDetailsMapping for this AuthBackendConfigIdentity -func (tr *AuthBackendConfigIdentity) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this AuthBackendConfigIdentity -func (tr *AuthBackendConfigIdentity) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this AuthBackendConfigIdentity -func (tr *AuthBackendConfigIdentity) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this AuthBackendConfigIdentity -func (tr *AuthBackendConfigIdentity) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this AuthBackendConfigIdentity -func (tr *AuthBackendConfigIdentity) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this AuthBackendConfigIdentity -func (tr *AuthBackendConfigIdentity) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, 
&tr.Spec.ForProvider) -} - -// GetInitParameters of this AuthBackendConfigIdentity -func (tr *AuthBackendConfigIdentity) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this AuthBackendConfigIdentity using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *AuthBackendConfigIdentity) LateInitialize(attrs []byte) (bool, error) { - params := &AuthBackendConfigIdentityParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *AuthBackendConfigIdentity) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this AuthBackendIdentityWhitelist -func (mg *AuthBackendIdentityWhitelist) GetTerraformResourceType() string { - return "vault_aws_auth_backend_identity_whitelist" -} - -// GetConnectionDetailsMapping for this AuthBackendIdentityWhitelist -func (tr *AuthBackendIdentityWhitelist) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this AuthBackendIdentityWhitelist -func (tr *AuthBackendIdentityWhitelist) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this AuthBackendIdentityWhitelist -func (tr 
*AuthBackendIdentityWhitelist) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this AuthBackendIdentityWhitelist -func (tr *AuthBackendIdentityWhitelist) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this AuthBackendIdentityWhitelist -func (tr *AuthBackendIdentityWhitelist) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this AuthBackendIdentityWhitelist -func (tr *AuthBackendIdentityWhitelist) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this AuthBackendIdentityWhitelist -func (tr *AuthBackendIdentityWhitelist) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this AuthBackendIdentityWhitelist using its observed tfState. -// returns True if there are any spec changes for the resource. 
-func (tr *AuthBackendIdentityWhitelist) LateInitialize(attrs []byte) (bool, error) { - params := &AuthBackendIdentityWhitelistParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *AuthBackendIdentityWhitelist) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this AuthBackendLogin -func (mg *AuthBackendLogin) GetTerraformResourceType() string { - return "vault_aws_auth_backend_login" -} - -// GetConnectionDetailsMapping for this AuthBackendLogin -func (tr *AuthBackendLogin) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"client_token": "status.atProvider.clientToken"} -} - -// GetObservation of this AuthBackendLogin -func (tr *AuthBackendLogin) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this AuthBackendLogin -func (tr *AuthBackendLogin) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this AuthBackendLogin -func (tr *AuthBackendLogin) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this AuthBackendLogin -func (tr *AuthBackendLogin) GetParameters() 
(map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this AuthBackendLogin -func (tr *AuthBackendLogin) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this AuthBackendLogin -func (tr *AuthBackendLogin) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this AuthBackendLogin using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *AuthBackendLogin) LateInitialize(attrs []byte) (bool, error) { - params := &AuthBackendLoginParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *AuthBackendLogin) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this AuthBackendRole -func (mg *AuthBackendRole) GetTerraformResourceType() string { - return "vault_aws_auth_backend_role" -} - -// GetConnectionDetailsMapping for this AuthBackendRole -func (tr *AuthBackendRole) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this AuthBackendRole -func (tr *AuthBackendRole) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this AuthBackendRole -func (tr *AuthBackendRole) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this AuthBackendRole -func (tr *AuthBackendRole) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this AuthBackendRole -func (tr *AuthBackendRole) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this AuthBackendRole -func (tr *AuthBackendRole) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this AuthBackendRole -func (tr *AuthBackendRole) GetInitParameters() (map[string]any, error) { - p, err 
:= json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this AuthBackendRole using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *AuthBackendRole) LateInitialize(attrs []byte) (bool, error) { - params := &AuthBackendRoleParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *AuthBackendRole) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this AuthBackendRoleTag -func (mg *AuthBackendRoleTag) GetTerraformResourceType() string { - return "vault_aws_auth_backend_role_tag" -} - -// GetConnectionDetailsMapping for this AuthBackendRoleTag -func (tr *AuthBackendRoleTag) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this AuthBackendRoleTag -func (tr *AuthBackendRoleTag) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this AuthBackendRoleTag -func (tr *AuthBackendRoleTag) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this AuthBackendRoleTag -func (tr 
*AuthBackendRoleTag) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this AuthBackendRoleTag -func (tr *AuthBackendRoleTag) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this AuthBackendRoleTag -func (tr *AuthBackendRoleTag) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this AuthBackendRoleTag -func (tr *AuthBackendRoleTag) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this AuthBackendRoleTag using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *AuthBackendRoleTag) LateInitialize(attrs []byte) (bool, error) { - params := &AuthBackendRoleTagParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *AuthBackendRoleTag) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this AuthBackendRoletagBlacklist -func (mg *AuthBackendRoletagBlacklist) GetTerraformResourceType() string { - return "vault_aws_auth_backend_roletag_blacklist" -} - -// GetConnectionDetailsMapping for this AuthBackendRoletagBlacklist -func (tr *AuthBackendRoletagBlacklist) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this AuthBackendRoletagBlacklist -func (tr *AuthBackendRoletagBlacklist) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this AuthBackendRoletagBlacklist -func (tr *AuthBackendRoletagBlacklist) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this AuthBackendRoletagBlacklist -func (tr *AuthBackendRoletagBlacklist) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this AuthBackendRoletagBlacklist -func (tr *AuthBackendRoletagBlacklist) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this AuthBackendRoletagBlacklist -func (tr *AuthBackendRoletagBlacklist) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return 
json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this AuthBackendRoletagBlacklist -func (tr *AuthBackendRoletagBlacklist) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this AuthBackendRoletagBlacklist using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *AuthBackendRoletagBlacklist) LateInitialize(attrs []byte) (bool, error) { - params := &AuthBackendRoletagBlacklistParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *AuthBackendRoletagBlacklist) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this AuthBackendStsRole -func (mg *AuthBackendStsRole) GetTerraformResourceType() string { - return "vault_aws_auth_backend_sts_role" -} - -// GetConnectionDetailsMapping for this AuthBackendStsRole -func (tr *AuthBackendStsRole) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this AuthBackendStsRole -func (tr *AuthBackendStsRole) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this AuthBackendStsRole -func (tr *AuthBackendStsRole) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this AuthBackendStsRole -func (tr *AuthBackendStsRole) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this AuthBackendStsRole -func (tr *AuthBackendStsRole) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this AuthBackendStsRole -func (tr *AuthBackendStsRole) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this AuthBackendStsRole -func (tr 
*AuthBackendStsRole) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this AuthBackendStsRole using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *AuthBackendStsRole) LateInitialize(attrs []byte) (bool, error) { - params := &AuthBackendStsRoleParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *AuthBackendStsRole) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this SecretBackend -func (mg *SecretBackend) GetTerraformResourceType() string { - return "vault_aws_secret_backend" -} - -// GetConnectionDetailsMapping for this SecretBackend -func (tr *SecretBackend) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"access_key": "spec.forProvider.accessKeySecretRef", "secret_key": "spec.forProvider.secretKeySecretRef"} -} - -// GetObservation of this SecretBackend -func (tr *SecretBackend) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretBackend -func (tr *SecretBackend) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - 
return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this SecretBackend -func (tr *SecretBackend) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this SecretBackend -func (tr *SecretBackend) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this SecretBackend -func (tr *SecretBackend) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this SecretBackend -func (tr *SecretBackend) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this SecretBackend using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { - params := &SecretBackendParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretBackend) GetTerraformSchemaVersion() int { - return 1 -} - -// GetTerraformResourceType returns Terraform resource type for this SecretBackendRole -func (mg *SecretBackendRole) GetTerraformResourceType() string { - return "vault_aws_secret_backend_role" -} - -// GetConnectionDetailsMapping for this SecretBackendRole -func (tr *SecretBackendRole) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this SecretBackendRole -func (tr *SecretBackendRole) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretBackendRole -func (tr *SecretBackendRole) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this SecretBackendRole -func (tr *SecretBackendRole) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this SecretBackendRole -func (tr *SecretBackendRole) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this SecretBackendRole -func (tr *SecretBackendRole) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this SecretBackendRole -func (tr *SecretBackendRole) GetInitParameters() 
(map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this SecretBackendRole using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretBackendRole) LateInitialize(attrs []byte) (bool, error) { - params := &SecretBackendRoleParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretBackendRole) GetTerraformSchemaVersion() int { - return 0 -} diff --git a/apis/aws/v1alpha1/zz_secretbackend_terraformed.go b/apis/aws/v1alpha1/zz_secretbackend_terraformed.go new file mode 100755 index 00000000..1d65b62c --- /dev/null +++ b/apis/aws/v1alpha1/zz_secretbackend_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretBackend +func (mg *SecretBackend) GetTerraformResourceType() string { + return "vault_aws_secret_backend" +} + +// GetConnectionDetailsMapping for this SecretBackend +func (tr *SecretBackend) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"access_key": "accessKeySecretRef", "secret_key": "secretKeySecretRef"} +} + +// GetObservation of this SecretBackend +func (tr *SecretBackend) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretBackend +func (tr *SecretBackend) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretBackend +func (tr *SecretBackend) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretBackend +func (tr *SecretBackend) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretBackend +func (tr *SecretBackend) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// 
GetInitParameters of this SecretBackend +func (tr *SecretBackend) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretBackend +func (tr *SecretBackend) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretBackend using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { + params := &SecretBackendParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretBackend) GetTerraformSchemaVersion() int { + return 1 +} diff --git a/apis/aws/v1alpha1/zz_secretbackend_types.go b/apis/aws/v1alpha1/zz_secretbackend_types.go index 9a291ba0..f3718bce 100755 --- a/apis/aws/v1alpha1/zz_secretbackend_types.go +++ b/apis/aws/v1alpha1/zz_secretbackend_types.go @@ -15,6 +15,11 @@ import ( type SecretBackendInitParameters struct { + // The AWS Access Key ID this backend should use to + // issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials. + // The AWS Access Key ID to use when generating new credentials. + AccessKeySecretRef *v1.SecretKeySelector `json:"accessKeySecretRef,omitempty" tf:"-"` + // The default TTL for credentials // issued by this backend. // Default lease duration for secrets in seconds @@ -74,6 +79,11 @@ type SecretBackendInitParameters struct { // Role ARN to assume for plugin identity token federation. RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"` + // The AWS Secret Key this backend should use to + // issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials. + // The AWS Secret Access Key to use when generating new credentials. + SecretKeySecretRef *v1.SecretKeySelector `json:"secretKeySecretRef,omitempty" tf:"-"` + // Specifies a custom HTTP STS endpoint to use. // Specifies a custom HTTP STS endpoint to use. StsEndpoint *string `json:"stsEndpoint,omitempty" tf:"sts_endpoint,omitempty"` 
@@ -256,9 +266,8 @@ type SecretBackendParameters struct { type SecretBackendSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. @@ -277,13 +286,14 @@ type SecretBackendStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretBackend is the Schema for the SecretBackends API. Creates an AWS secret backend for Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretBackend struct { metav1.TypeMeta `json:",inline"` diff --git a/apis/aws/v1alpha1/zz_secretbackendrole_terraformed.go b/apis/aws/v1alpha1/zz_secretbackendrole_terraformed.go new file mode 100755 index 00000000..0611cb94 --- /dev/null +++ b/apis/aws/v1alpha1/zz_secretbackendrole_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretBackendRole +func (mg *SecretBackendRole) GetTerraformResourceType() string { + return "vault_aws_secret_backend_role" +} + +// GetConnectionDetailsMapping for this SecretBackendRole +func (tr *SecretBackendRole) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this SecretBackendRole +func (tr *SecretBackendRole) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretBackendRole +func (tr *SecretBackendRole) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretBackendRole +func (tr *SecretBackendRole) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretBackendRole +func (tr *SecretBackendRole) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretBackendRole +func (tr *SecretBackendRole) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this 
SecretBackendRole +func (tr *SecretBackendRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretBackendRole +func (tr *SecretBackendRole) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretBackendRole using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *SecretBackendRole) LateInitialize(attrs []byte) (bool, error) { + params := &SecretBackendRoleParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretBackendRole) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/aws/v1alpha1/zz_secretbackendrole_types.go b/apis/aws/v1alpha1/zz_secretbackendrole_types.go index b7172132..800d3f89 100755 --- a/apis/aws/v1alpha1/zz_secretbackendrole_types.go +++ b/apis/aws/v1alpha1/zz_secretbackendrole_types.go @@ -18,8 +18,18 @@ type SecretBackendRoleInitParameters struct { // The path the AWS secret backend is mounted at, // with no leading or trailing /s. // The path of the AWS Secret Backend the role belongs to. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/aws/v1alpha1.SecretBackend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a SecretBackend in aws to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a SecretBackend in aws to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Specifies the type of credential to be used when // retrieving credentials from the role. Must be one of iam_user, assumed_role, or // federation_token. 
@@ -34,6 +44,11 @@ type SecretBackendRoleInitParameters struct { // The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token. DefaultStsTTL *float64 `json:"defaultStsTtl,omitempty" tf:"default_sts_ttl,omitempty"` + // External ID to set for assume role creds. + // Valid only when credential_type is set to assumed_role. + // External ID to set for assume role creds. + ExternalID *string `json:"externalId,omitempty" tf:"external_id,omitempty"` + // A list of IAM group names. IAM users generated // against this vault role will be added to these IAM Groups. For a credential // type of assumed_role or federation_token, the policies sent to the 
@@ -41,8 +56,15 @@ type SecretBackendRoleInitParameters struct { // policies from each group in iam_groups combined with the policy_document // and policy_arns parameters. // A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters. + // +listType=set IAMGroups []*string `json:"iamGroups,omitempty" tf:"iam_groups,omitempty"` + // A map of strings representing key/value pairs + // to be used as tags for any IAM user that is created by this role. + // A map of strings representing key/value pairs used as tags for any IAM user created by this role. + // +mapType=granular + IAMTags map[string]*string `json:"iamTags,omitempty" tf:"iam_tags,omitempty"` + // The max allowed TTL in seconds for STS credentials // (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is // one of assumed_role or federation_token. @@ -76,6 +98,7 @@ type SecretBackendRoleInitParameters struct { // federation_token, at least one of policy_document or policy_arns must // be specified. // ARN for an existing IAM policy the role should use. + // +listType=set PolicyArns []*string `json:"policyArns,omitempty" tf:"policy_arns,omitempty"` // The IAM policy document for the role. The 
@@ -90,8 +113,16 @@ type SecretBackendRoleInitParameters struct { // is allowed to assume. Required when credential_type is assumed_role and // prohibited otherwise. // ARNs of AWS roles allowed to be assumed. Only valid when credential_type is 'assumed_role' + // +listType=set RoleArns []*string `json:"roleArns,omitempty" tf:"role_arns,omitempty"` + // A map of strings representing key/value pairs to be set + // during assume role creds creation. Valid only when credential_type is set to + // assumed_role. + // Session tags to be set for assume role creds created. + // +mapType=granular + SessionTags map[string]*string `json:"sessionTags,omitempty" tf:"session_tags,omitempty"` + // The path for the user name. Valid only when // credential_type is iam_user. Default is /. // The path for the user name. Valid only when credential_type is iam_user. Default is / @@ -119,6 +150,11 @@ type SecretBackendRoleObservation struct { // The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token. DefaultStsTTL *float64 `json:"defaultStsTtl,omitempty" tf:"default_sts_ttl,omitempty"` + // External ID to set for assume role creds. + // Valid only when credential_type is set to assumed_role. + // External ID to set for assume role creds. + ExternalID *string `json:"externalId,omitempty" tf:"external_id,omitempty"` + // A list of IAM group names. IAM users generated // against this vault role will be added to these IAM Groups. For a credential // type of assumed_role or federation_token, the policies sent to the 
@@ -126,8 +162,15 @@ type SecretBackendRoleObservation struct { // policies from each group in iam_groups combined with the policy_document // and policy_arns parameters. // A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters. + // +listType=set IAMGroups []*string `json:"iamGroups,omitempty" tf:"iam_groups,omitempty"` + // A map of strings representing key/value pairs + // to be used as tags for any IAM user that is created by this role. + // A map of strings representing key/value pairs used as tags for any IAM user created by this role. + // +mapType=granular + IAMTags map[string]*string `json:"iamTags,omitempty" tf:"iam_tags,omitempty"` + ID *string `json:"id,omitempty" tf:"id,omitempty"` // The max allowed TTL in seconds for STS credentials @@ -163,6 +206,7 @@ type SecretBackendRoleObservation struct { // federation_token, at least one of policy_document or policy_arns must // be specified. // ARN for an existing IAM policy the role should use. + // +listType=set PolicyArns []*string `json:"policyArns,omitempty" tf:"policy_arns,omitempty"` // The IAM policy document for the role. The 
@@ -177,8 +221,16 @@ type SecretBackendRoleObservation struct { // is allowed to assume. Required when credential_type is assumed_role and // prohibited otherwise. // ARNs of AWS roles allowed to be assumed. Only valid when credential_type is 'assumed_role' + // +listType=set RoleArns []*string `json:"roleArns,omitempty" tf:"role_arns,omitempty"` + // A map of strings representing key/value pairs to be set + // during assume role creds creation. Valid only when credential_type is set to + // assumed_role. + // Session tags to be set for assume role creds created. + // +mapType=granular + SessionTags map[string]*string `json:"sessionTags,omitempty" tf:"session_tags,omitempty"` + // The path for the user name. Valid only when // credential_type is iam_user. Default is /. // The path for the user name. Valid only when credential_type is iam_user. Default is / @@ -190,9 +242,19 @@ type SecretBackendRoleParameters struct { // The path the AWS secret backend is mounted at, // with no leading or trailing /s. // The path of the AWS Secret Backend the role belongs to. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/aws/v1alpha1.SecretBackend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a SecretBackend in aws to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a SecretBackend in aws to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Specifies the type of credential to be used when // retrieving credentials from the role. Must be one of iam_user, assumed_role, or // federation_token. 
@@ -209,6 +271,12 @@ type SecretBackendRoleParameters struct { // +kubebuilder:validation:Optional DefaultStsTTL *float64 `json:"defaultStsTtl,omitempty" tf:"default_sts_ttl,omitempty"` + // External ID to set for assume role creds. + // Valid only when credential_type is set to assumed_role. + // External ID to set for assume role creds. + // +kubebuilder:validation:Optional + ExternalID *string `json:"externalId,omitempty" tf:"external_id,omitempty"` + // A list of IAM group names. IAM users generated // against this vault role will be added to these IAM Groups. For a credential // type of assumed_role or federation_token, the policies sent to the @@ -217,8 +285,16 @@ type SecretBackendRoleParameters struct { // and policy_arns parameters. // A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters. // +kubebuilder:validation:Optional + // +listType=set IAMGroups []*string `json:"iamGroups,omitempty" tf:"iam_groups,omitempty"` + // A map of strings representing key/value pairs + // to be used as tags for any IAM user that is created by this role. + // A map of strings representing key/value pairs used as tags for any IAM user created by this role. + // +kubebuilder:validation:Optional + // +mapType=granular + IAMTags map[string]*string `json:"iamTags,omitempty" tf:"iam_tags,omitempty"` + // The max allowed TTL in seconds for STS credentials // (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is // one of assumed_role or federation_token. 
@@ -257,6 +333,7 @@ type SecretBackendRoleParameters struct { // be specified. // ARN for an existing IAM policy the role should use. // +kubebuilder:validation:Optional + // +listType=set PolicyArns []*string `json:"policyArns,omitempty" tf:"policy_arns,omitempty"` // The IAM policy document for the role. The @@ -273,8 +350,17 @@ type SecretBackendRoleParameters struct { // prohibited otherwise. // ARNs of AWS roles allowed to be assumed. Only valid when credential_type is 'assumed_role' // +kubebuilder:validation:Optional + // +listType=set RoleArns []*string `json:"roleArns,omitempty" tf:"role_arns,omitempty"` + // A map of strings representing key/value pairs to be set + // during assume role creds creation. Valid only when credential_type is set to + // assumed_role. + // Session tags to be set for assume role creds created. + // +kubebuilder:validation:Optional + // +mapType=granular + SessionTags map[string]*string `json:"sessionTags,omitempty" tf:"session_tags,omitempty"` + // The path for the user name. Valid only when // credential_type is iam_user. Default is /. // The path for the user name. Valid only when credential_type is iam_user. Default is / @@ -286,9 +372,8 @@ type SecretBackendRoleParameters struct { type SecretBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendRoleParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -307,20 +392,20 @@ type SecretBackendRoleStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretBackendRole is the Schema for the SecretBackendRoles API. Creates a role on an AWS Secret Backend for Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.credentialType) || has(self.initProvider.credentialType)",message="credentialType is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies 
|| 'Update' in self.managementPolicies) || has(self.forProvider.credentialType) || (has(self.initProvider) && has(self.initProvider.credentialType))",message="spec.forProvider.credentialType is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" Spec SecretBackendRoleSpec `json:"spec"` Status SecretBackendRoleStatus `json:"status,omitempty"` } diff --git a/apis/azure/v1alpha1/zz_authbackendconfig_terraformed.go b/apis/azure/v1alpha1/zz_authbackendconfig_terraformed.go new file mode 100755 index 00000000..41d280fc --- /dev/null +++ b/apis/azure/v1alpha1/zz_authbackendconfig_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this AuthBackendConfig +func (mg *AuthBackendConfig) GetTerraformResourceType() string { + return "vault_azure_auth_backend_config" +} + +// GetConnectionDetailsMapping for this AuthBackendConfig +func (tr *AuthBackendConfig) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"client_id": "clientIdSecretRef", "client_secret": "clientSecretSecretRef", "tenant_id": "tenantIdSecretRef"} +} + +// GetObservation of this AuthBackendConfig +func (tr *AuthBackendConfig) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this AuthBackendConfig +func (tr *AuthBackendConfig) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this AuthBackendConfig +func (tr *AuthBackendConfig) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this AuthBackendConfig +func (tr *AuthBackendConfig) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this AuthBackendConfig +func (tr *AuthBackendConfig) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != 
nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this AuthBackendConfig +func (tr *AuthBackendConfig) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this AuthBackendConfig +func (tr *AuthBackendConfig) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this AuthBackendConfig using its observed tfState. +// returns True if there are any spec changes for the resource. 
+func (tr *AuthBackendConfig) LateInitialize(attrs []byte) (bool, error) { + params := &AuthBackendConfigParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *AuthBackendConfig) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/azure/v1alpha1/zz_authbackendconfig_types.go b/apis/azure/v1alpha1/zz_authbackendconfig_types.go index a842f6b6..92e86d30 100755 --- a/apis/azure/v1alpha1/zz_authbackendconfig_types.go +++ b/apis/azure/v1alpha1/zz_authbackendconfig_types.go 
@@ -18,14 +18,45 @@ type AuthBackendConfigInitParameters struct { // The path the Azure auth backend being configured was // mounted at. Defaults to azure. // Unique name of the auth backend to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + + // The client id for credentials to query the Azure APIs. + // Currently read permissions to query compute resources are required. + // The client id for credentials to query the Azure APIs. Currently read permissions to query compute resources are required. + ClientIDSecretRef *v1.SecretKeySelector `json:"clientIdSecretRef,omitempty" tf:"-"` + + // The client secret for credentials to query the + // Azure APIs. + // The client secret for credentials to query the Azure APIs + ClientSecretSecretRef *v1.SecretKeySelector `json:"clientSecretSecretRef,omitempty" tf:"-"` + // The Azure cloud environment. Valid values: // AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, // AzureGermanCloud. Defaults to AzurePublicCloud. // The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. Environment *string `json:"environment,omitempty" tf:"environment,omitempty"` + // The audience claim value for plugin identity tokens. Requires Vault 1.17+. + // Available only for Vault Enterprise + // The audience claim value. 
+ IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The TTL of generated identity tokens in seconds. + // Defaults to 1 hour. Uses duration format strings. + // Requires Vault 1.17+. Available only for Vault Enterprise + // The TTL of generated identity tokens in seconds. + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. @@ -37,6 +68,11 @@ type AuthBackendConfigInitParameters struct { // Azure Active Directory. // The configured URL for the application registered in Azure Active Directory. Resource *string `json:"resource,omitempty" tf:"resource,omitempty"` + + // The tenant id for the Azure Active Directory + // organization. + // The tenant id for the Azure Active Directory organization. + TenantIDSecretRef v1.SecretKeySelector `json:"tenantIdSecretRef" tf:"-"` } type AuthBackendConfigObservation struct { 
@@ -54,6 +90,17 @@ type AuthBackendConfigObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The audience claim value for plugin identity tokens. Requires Vault 1.17+. + // Available only for Vault Enterprise + // The audience claim value. + IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The TTL of generated identity tokens in seconds. + // Defaults to 1 hour. Uses duration format strings. + // Requires Vault 1.17+. Available only for Vault Enterprise + // The TTL of generated identity tokens in seconds. + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. 
@@ -72,9 +119,19 @@ type AuthBackendConfigParameters struct { // The path the Azure auth backend being configured was // mounted at. Defaults to azure. // Unique name of the auth backend to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The client id for credentials to query the Azure APIs. // Currently read permissions to query compute resources are required. // The client id for credentials to query the Azure APIs. Currently read permissions to query compute resources are required. 
@@ -94,6 +151,19 @@ type AuthBackendConfigParameters struct { // +kubebuilder:validation:Optional Environment *string `json:"environment,omitempty" tf:"environment,omitempty"` + // The audience claim value for plugin identity tokens. Requires Vault 1.17+. + // Available only for Vault Enterprise + // The audience claim value. + // +kubebuilder:validation:Optional + IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The TTL of generated identity tokens in seconds. + // Defaults to 1 hour. Uses duration format strings. + // Requires Vault 1.17+. Available only for Vault Enterprise + // The TTL of generated identity tokens in seconds. + // +kubebuilder:validation:Optional + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. @@ -119,9 +189,8 @@ type AuthBackendConfigParameters struct { type AuthBackendConfigSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendConfigParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -140,19 +209,20 @@ type AuthBackendConfigStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // AuthBackendConfig is the Schema for the AuthBackendConfigs API. Configures the Azure Auth Backend in Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type AuthBackendConfig struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.resource) || has(self.initProvider.resource)",message="resource is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.tenantIdSecretRef)",message="tenantIdSecretRef is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.resource) || (has(self.initProvider) && has(self.initProvider.resource))",message="spec.forProvider.resource is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in 
self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.tenantIdSecretRef)",message="spec.forProvider.tenantIdSecretRef is a required parameter" Spec AuthBackendConfigSpec `json:"spec"` Status AuthBackendConfigStatus `json:"status,omitempty"` } diff --git a/apis/azure/v1alpha1/zz_authbackendrole_terraformed.go b/apis/azure/v1alpha1/zz_authbackendrole_terraformed.go new file mode 100755 index 00000000..c8dc1e0d --- /dev/null +++ b/apis/azure/v1alpha1/zz_authbackendrole_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this AuthBackendRole +func (mg *AuthBackendRole) GetTerraformResourceType() string { + return "vault_azure_auth_backend_role" +} + +// GetConnectionDetailsMapping for this AuthBackendRole +func (tr *AuthBackendRole) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this AuthBackendRole +func (tr *AuthBackendRole) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this AuthBackendRole +func (tr *AuthBackendRole) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this AuthBackendRole +func (tr *AuthBackendRole) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this AuthBackendRole +func (tr *AuthBackendRole) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this AuthBackendRole +func (tr *AuthBackendRole) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this AuthBackendRole +func (tr 
*AuthBackendRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this AuthBackendRole +func (tr *AuthBackendRole) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this AuthBackendRole using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *AuthBackendRole) LateInitialize(attrs []byte) (bool, error) { + params := &AuthBackendRoleParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *AuthBackendRole) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/azure/v1alpha1/zz_authbackendrole_types.go b/apis/azure/v1alpha1/zz_authbackendrole_types.go index a61a34e0..cfee223d 100755 --- a/apis/azure/v1alpha1/zz_authbackendrole_types.go +++ b/apis/azure/v1alpha1/zz_authbackendrole_types.go @@ -16,8 +16,18 @@ import ( type AuthBackendRoleInitParameters struct { // Unique name of the auth backend to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // If set, defines a constraint on the groups // that can perform the login operation that they should be using the group // ID specified by this field. @@ -69,6 +79,7 @@ type AuthBackendRoleInitParameters struct { // addresses which can authenticate successfully, and ties the resulting token to these blocks // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // If set, will encode an 
@@ -103,6 +114,7 @@ type AuthBackendRoleInitParameters struct { // List of policies to encode onto generated tokens. Depending // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The incremental lifetime for generated tokens in number of seconds. @@ -177,6 +189,7 @@ type AuthBackendRoleObservation struct { // addresses which can authenticate successfully, and ties the resulting token to these blocks // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // If set, will encode an @@ -211,6 +224,7 @@ type AuthBackendRoleObservation struct { // List of policies to encode onto generated tokens. Depending // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The incremental lifetime for generated tokens in number of seconds. 
@@ -230,9 +244,19 @@ type AuthBackendRoleObservation struct { type AuthBackendRoleParameters struct { // Unique name of the auth backend to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // If set, defines a constraint on the groups // that can perform the login operation that they should be using the group // ID specified by this field. @@ -293,6 +317,7 @@ type AuthBackendRoleParameters struct { // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token // +kubebuilder:validation:Optional + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // If set, will encode an @@ -333,6 +358,7 @@ type AuthBackendRoleParameters struct { // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies // +kubebuilder:validation:Optional + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The incremental lifetime for generated tokens in number of seconds. 
@@ -355,9 +381,8 @@ type AuthBackendRoleParameters struct { type AuthBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendRoleParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -376,18 +401,19 @@ type AuthBackendRoleStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // AuthBackendRole is the Schema for the AuthBackendRoles API. Manages Azure auth backend roles in Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type AuthBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.role) || has(self.initProvider.role)",message="role is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.role) || (has(self.initProvider) && has(self.initProvider.role))",message="spec.forProvider.role is a required parameter" Spec AuthBackendRoleSpec `json:"spec"` Status AuthBackendRoleStatus `json:"status,omitempty"` } diff --git a/apis/azure/v1alpha1/zz_generated.conversion_hubs.go b/apis/azure/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..6bb6a2e6 --- /dev/null +++ b/apis/azure/v1alpha1/zz_generated.conversion_hubs.go 
@@ -0,0 +1,19 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *AuthBackendConfig) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *AuthBackendRole) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SecretBackend) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SecretBackendRole) Hub() {} diff --git a/apis/azure/v1alpha1/zz_generated.deepcopy.go b/apis/azure/v1alpha1/zz_generated.deepcopy.go index 595801e2..e86c964d 100644 --- a/apis/azure/v1alpha1/zz_generated.deepcopy.go +++ b/apis/azure/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. @@ -49,11 +48,41 @@ func (in *AuthBackendConfigInitParameters) DeepCopyInto(out *AuthBackendConfigIn *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } + if in.ClientIDSecretRef != nil { + in, out := &in.ClientIDSecretRef, &out.ClientIDSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.ClientSecretSecretRef != nil { + in, out := &in.ClientSecretSecretRef, &out.ClientSecretSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.Environment != nil { in, out := &in.Environment, &out.Environment *out = new(string) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) 
@@ -64,6 +93,7 @@ func (in *AuthBackendConfigInitParameters) DeepCopyInto(out *AuthBackendConfigIn *out = new(string) **out = **in } + out.TenantIDSecretRef = in.TenantIDSecretRef } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendConfigInitParameters. @@ -126,6 +156,16 @@ func (in *AuthBackendConfigObservation) DeepCopyInto(out *AuthBackendConfigObser *out = new(string) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) @@ -156,6 +196,16 @@ func (in *AuthBackendConfigParameters) DeepCopyInto(out *AuthBackendConfigParame *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.ClientIDSecretRef != nil { in, out := &in.ClientIDSecretRef, &out.ClientIDSecretRef *out = new(v1.SecretKeySelector) @@ -171,6 +221,16 @@ func (in *AuthBackendConfigParameters) DeepCopyInto(out *AuthBackendConfigParame *out = new(string) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) 
@@ -264,6 +324,16 @@ func (in *AuthBackendRoleInitParameters) DeepCopyInto(out *AuthBackendRoleInitPa *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.BoundGroupIds != nil { in, out := &in.BoundGroupIds, &out.BoundGroupIds *out = make([]*string, len(*in)) @@ -607,6 +677,16 @@ func (in *AuthBackendRoleParameters) DeepCopyInto(out *AuthBackendRoleParameters *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.BoundGroupIds != nil { in, out := &in.BoundGroupIds, &out.BoundGroupIds *out = make([]*string, len(*in)) @@ -972,6 +1052,16 @@ func (in *SecretBackend) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParameters) { *out = *in + if in.ClientIDSecretRef != nil { + in, out := &in.ClientIDSecretRef, &out.ClientIDSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.ClientSecretSecretRef != nil { + in, out := &in.ClientSecretSecretRef, &out.ClientSecretSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.Description != nil { in, out := &in.Description, &out.Description *out = new(string) 
@@ -987,6 +1077,21 @@ func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParame *out = new(string) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) @@ -997,6 +1102,8 @@ func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParame *out = new(string) **out = **in } + out.SubscriptionIDSecretRef = in.SubscriptionIDSecretRef + out.TenantIDSecretRef = in.TenantIDSecretRef if in.UseMicrosoftGraphAPI != nil { in, out := &in.UseMicrosoftGraphAPI, &out.UseMicrosoftGraphAPI *out = new(bool) @@ -1069,6 +1176,21 @@ func (in *SecretBackendObservation) DeepCopyInto(out *SecretBackendObservation) *out = new(string) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) 
@@ -1124,6 +1246,21 @@ func (in *SecretBackendParameters) DeepCopyInto(out *SecretBackendParameters) { *out = new(string) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) @@ -1207,6 +1344,16 @@ func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleIn *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Description != nil { in, out := &in.Description, &out.Description *out = new(string) @@ -1414,6 +1561,16 @@ func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParame *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Description != nil { in, out := &in.Description, &out.Description *out = new(string) diff --git a/apis/azure/v1alpha1/zz_generated.managed.go b/apis/azure/v1alpha1/zz_generated.managed.go index 84919699..b73e6e6f 100644 --- a/apis/azure/v1alpha1/zz_generated.managed.go +++ b/apis/azure/v1alpha1/zz_generated.managed.go 
@@ -27,14 +27,6 @@ func (mg *AuthBackendConfig) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this AuthBackendConfig. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *AuthBackendConfig) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this AuthBackendConfig. func (mg *AuthBackendConfig) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -65,14 +57,6 @@ func (mg *AuthBackendConfig) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this AuthBackendConfig. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *AuthBackendConfig) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this AuthBackendConfig. func (mg *AuthBackendConfig) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -103,14 +87,6 @@ func (mg *AuthBackendRole) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this AuthBackendRole. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *AuthBackendRole) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this AuthBackendRole. func (mg *AuthBackendRole) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -141,14 +117,6 @@ func (mg *AuthBackendRole) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this AuthBackendRole. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *AuthBackendRole) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this AuthBackendRole. func (mg *AuthBackendRole) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -179,14 +147,6 @@ func (mg *SecretBackend) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretBackend. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretBackend) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretBackend. func (mg *SecretBackend) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -217,14 +177,6 @@ func (mg *SecretBackend) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretBackend. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretBackend) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretBackend. func (mg *SecretBackend) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r 
@@ -255,14 +207,6 @@ func (mg *SecretBackendRole) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretBackendRole. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretBackendRole) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretBackendRole. func (mg *SecretBackendRole) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -293,14 +237,6 @@ func (mg *SecretBackendRole) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretBackendRole. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretBackendRole) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretBackendRole. func (mg *SecretBackendRole) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/azure/v1alpha1/zz_generated.resolvers.go b/apis/azure/v1alpha1/zz_generated.resolvers.go new file mode 100644 index 00000000..ead4d846 --- /dev/null +++ b/apis/azure/v1alpha1/zz_generated.resolvers.go 
@@ -0,0 +1,141 @@ +/* +Copyright 2022 Upbound Inc. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + reference "github.com/crossplane/crossplane-runtime/pkg/reference" + resource "github.com/crossplane/upjet/pkg/resource" + errors "github.com/pkg/errors" + v1alpha1 "github.com/upbound/provider-vault/apis/auth/v1alpha1" + client "sigs.k8s.io/controller-runtime/pkg/client" +) + +// ResolveReferences of this AuthBackendConfig. +func (mg *AuthBackendConfig) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this AuthBackendRole. 
+func (mg *AuthBackendRole) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this SecretBackendRole. 
+func (mg *SecretBackendRole) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &SecretBackendList{}, + Managed: &SecretBackend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &SecretBackendList{}, + Managed: &SecretBackend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} diff --git a/apis/azure/v1alpha1/zz_generated_terraformed.go b/apis/azure/v1alpha1/zz_generated_terraformed.go deleted file mode 100755 index b2a603b9..00000000 --- a/apis/azure/v1alpha1/zz_generated_terraformed.go +++ /dev/null 
@@ -1,350 +0,0 @@ -/* -Copyright 2022 Upbound Inc. -*/ - -// Code generated by upjet. DO NOT EDIT. - -package v1alpha1 - -import ( - "github.com/pkg/errors" - - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" -) - -// GetTerraformResourceType returns Terraform resource type for this AuthBackendConfig -func (mg *AuthBackendConfig) GetTerraformResourceType() string { - return "vault_azure_auth_backend_config" -} - -// GetConnectionDetailsMapping for this AuthBackendConfig -func (tr *AuthBackendConfig) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"client_id": "spec.forProvider.clientIdSecretRef", "client_secret": "spec.forProvider.clientSecretSecretRef", "tenant_id": "spec.forProvider.tenantIdSecretRef"} -} - -// GetObservation of this AuthBackendConfig -func (tr *AuthBackendConfig) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this AuthBackendConfig -func (tr *AuthBackendConfig) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this AuthBackendConfig -func (tr *AuthBackendConfig) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this AuthBackendConfig -func (tr *AuthBackendConfig) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this AuthBackendConfig -func (tr *AuthBackendConfig) SetParameters(params map[string]any) error { - p, err := 
json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this AuthBackendConfig -func (tr *AuthBackendConfig) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this AuthBackendConfig using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *AuthBackendConfig) LateInitialize(attrs []byte) (bool, error) { - params := &AuthBackendConfigParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *AuthBackendConfig) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this AuthBackendRole -func (mg *AuthBackendRole) GetTerraformResourceType() string { - return "vault_azure_auth_backend_role" -} - -// GetConnectionDetailsMapping for this AuthBackendRole -func (tr *AuthBackendRole) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this AuthBackendRole -func (tr *AuthBackendRole) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this AuthBackendRole -func (tr *AuthBackendRole) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this AuthBackendRole -func (tr *AuthBackendRole) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this AuthBackendRole -func (tr *AuthBackendRole) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this AuthBackendRole -func (tr *AuthBackendRole) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this AuthBackendRole -func (tr *AuthBackendRole) GetInitParameters() (map[string]any, error) { - p, 
err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this AuthBackendRole using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *AuthBackendRole) LateInitialize(attrs []byte) (bool, error) { - params := &AuthBackendRoleParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *AuthBackendRole) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this SecretBackend -func (mg *SecretBackend) GetTerraformResourceType() string { - return "vault_azure_secret_backend" -} - -// GetConnectionDetailsMapping for this SecretBackend -func (tr *SecretBackend) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"client_id": "spec.forProvider.clientIdSecretRef", "client_secret": "spec.forProvider.clientSecretSecretRef", "subscription_id": "spec.forProvider.subscriptionIdSecretRef", "tenant_id": "spec.forProvider.tenantIdSecretRef"} -} - -// GetObservation of this SecretBackend -func (tr *SecretBackend) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretBackend -func (tr *SecretBackend) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - 
if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this SecretBackend -func (tr *SecretBackend) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this SecretBackend -func (tr *SecretBackend) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this SecretBackend -func (tr *SecretBackend) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this SecretBackend -func (tr *SecretBackend) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this SecretBackend using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { - params := &SecretBackendParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretBackend) GetTerraformSchemaVersion() int { - return 1 -} - -// GetTerraformResourceType returns Terraform resource type for this SecretBackendRole -func (mg *SecretBackendRole) GetTerraformResourceType() string { - return "vault_azure_secret_backend_role" -} - -// GetConnectionDetailsMapping for this SecretBackendRole -func (tr *SecretBackendRole) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this SecretBackendRole -func (tr *SecretBackendRole) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretBackendRole -func (tr *SecretBackendRole) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this SecretBackendRole -func (tr *SecretBackendRole) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this SecretBackendRole -func (tr *SecretBackendRole) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this SecretBackendRole -func (tr *SecretBackendRole) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this SecretBackendRole -func (tr *SecretBackendRole) GetInitParameters() 
(map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this SecretBackendRole using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretBackendRole) LateInitialize(attrs []byte) (bool, error) { - params := &SecretBackendRoleParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretBackendRole) GetTerraformSchemaVersion() int { - return 0 -} diff --git a/apis/azure/v1alpha1/zz_secretbackend_terraformed.go b/apis/azure/v1alpha1/zz_secretbackend_terraformed.go new file mode 100755 index 00000000..1124fdc1 --- /dev/null +++ b/apis/azure/v1alpha1/zz_secretbackend_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretBackend +func (mg *SecretBackend) GetTerraformResourceType() string { + return "vault_azure_secret_backend" +} + +// GetConnectionDetailsMapping for this SecretBackend +func (tr *SecretBackend) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"client_id": "clientIdSecretRef", "client_secret": "clientSecretSecretRef", "subscription_id": "subscriptionIdSecretRef", "tenant_id": "tenantIdSecretRef"} +} + +// GetObservation of this SecretBackend +func (tr *SecretBackend) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretBackend +func (tr *SecretBackend) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretBackend +func (tr *SecretBackend) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretBackend +func (tr *SecretBackend) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretBackend +func (tr *SecretBackend) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return 
err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this SecretBackend +func (tr *SecretBackend) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretBackend +func (tr *SecretBackend) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretBackend using its observed tfState. +// returns True if there are any spec changes for the resource. 
+func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { + params := &SecretBackendParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretBackend) GetTerraformSchemaVersion() int { + return 1 +} diff --git a/apis/azure/v1alpha1/zz_secretbackend_types.go b/apis/azure/v1alpha1/zz_secretbackend_types.go index b5a3ed19..63c4ccf5 100755 --- a/apis/azure/v1alpha1/zz_secretbackend_types.go +++ b/apis/azure/v1alpha1/zz_secretbackend_types.go @@ -15,6 +15,14 @@ import ( type SecretBackendInitParameters struct { + // The OAuth2 client id to connect to Azure. + // The client id for credentials to query the Azure APIs. Currently read permissions to query compute resources are required. + ClientIDSecretRef *v1.SecretKeySelector `json:"clientIdSecretRef,omitempty" tf:"-"` + + // The OAuth2 client secret to connect to Azure. + // The client secret for credentials to query the Azure APIs + ClientSecretSecretRef *v1.SecretKeySelector `json:"clientSecretSecretRef,omitempty" tf:"-"` + // Human-friendly description of the mount for the backend. Description *string `json:"description,omitempty" tf:"description,omitempty"` 
@@ -27,6 +35,21 @@ type SecretBackendInitParameters struct { // The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. Environment *string `json:"environment,omitempty" tf:"environment,omitempty"` + // The audience claim value. Requires Vault 1.17+. + // Available only for Vault Enterprise + // The audience claim value. + IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The key to use for signing identity tokens. Requires Vault 1.17+. + // Available only for Vault Enterprise + // The key to use for signing identity tokens. + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + + // The TTL of generated identity tokens in seconds. Requires Vault 1.17+. + // Available only for Vault Enterprise + // The TTL of generated identity tokens in seconds. + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. @@ -38,6 +61,14 @@ type SecretBackendInitParameters struct { // Path to mount the backend at. Path *string `json:"path,omitempty" tf:"path,omitempty"` + // The subscription id for the Azure Active Directory. + // The subscription id for the Azure Active Directory. + SubscriptionIDSecretRef v1.SecretKeySelector `json:"subscriptionIdSecretRef" tf:"-"` + + // The tenant id for the Azure Active Directory. + // The tenant id for the Azure Active Directory organization. + TenantIDSecretRef v1.SecretKeySelector `json:"tenantIdSecretRef" tf:"-"` + // Indicates whether the secrets engine should use // the Microsoft Graph API. This parameter has been deprecated and will be ignored in vault-1.12+. // For more information, please refer to the Vault docs 
@@ -61,6 +92,21 @@ type SecretBackendObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The audience claim value. Requires Vault 1.17+. + // Available only for Vault Enterprise + // The audience claim value. + IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The key to use for signing identity tokens. Requires Vault 1.17+. + // Available only for Vault Enterprise + // The key to use for signing identity tokens. + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + + // The TTL of generated identity tokens in seconds. Requires Vault 1.17+. + // Available only for Vault Enterprise + // The TTL of generated identity tokens in seconds. + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. 
@@ -106,6 +152,24 @@ type SecretBackendParameters struct { // +kubebuilder:validation:Optional Environment *string `json:"environment,omitempty" tf:"environment,omitempty"` + // The audience claim value. Requires Vault 1.17+. + // Available only for Vault Enterprise + // The audience claim value. + // +kubebuilder:validation:Optional + IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The key to use for signing identity tokens. Requires Vault 1.17+. + // Available only for Vault Enterprise + // The key to use for signing identity tokens. + // +kubebuilder:validation:Optional + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + + // The TTL of generated identity tokens in seconds. Requires Vault 1.17+. + // Available only for Vault Enterprise + // The TTL of generated identity tokens in seconds. + // +kubebuilder:validation:Optional + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. @@ -141,9 +205,8 @@ type SecretBackendParameters struct { type SecretBackendSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -162,19 +225,20 @@ type SecretBackendStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretBackend is the Schema for the SecretBackends API. Creates an azure secret backend for Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretBackend struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.subscriptionIdSecretRef)",message="subscriptionIdSecretRef is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.tenantIdSecretRef)",message="tenantIdSecretRef is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.subscriptionIdSecretRef)",message="spec.forProvider.subscriptionIdSecretRef is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in 
self.managementPolicies) || has(self.forProvider.tenantIdSecretRef)",message="spec.forProvider.tenantIdSecretRef is a required parameter" Spec SecretBackendSpec `json:"spec"` Status SecretBackendStatus `json:"status,omitempty"` } diff --git a/apis/azure/v1alpha1/zz_secretbackendrole_terraformed.go b/apis/azure/v1alpha1/zz_secretbackendrole_terraformed.go new file mode 100755 index 00000000..4147d3af --- /dev/null +++ b/apis/azure/v1alpha1/zz_secretbackendrole_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretBackendRole +func (mg *SecretBackendRole) GetTerraformResourceType() string { + return "vault_azure_secret_backend_role" +} + +// GetConnectionDetailsMapping for this SecretBackendRole +func (tr *SecretBackendRole) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this SecretBackendRole +func (tr *SecretBackendRole) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretBackendRole +func (tr *SecretBackendRole) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretBackendRole +func (tr *SecretBackendRole) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretBackendRole +func (tr *SecretBackendRole) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretBackendRole +func (tr *SecretBackendRole) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this 
SecretBackendRole +func (tr *SecretBackendRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretBackendRole +func (tr *SecretBackendRole) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretBackendRole using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *SecretBackendRole) LateInitialize(attrs []byte) (bool, error) { + params := &SecretBackendRoleParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretBackendRole) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/azure/v1alpha1/zz_secretbackendrole_types.go b/apis/azure/v1alpha1/zz_secretbackendrole_types.go index 846c5389..7590cf08 100755 --- a/apis/azure/v1alpha1/zz_secretbackendrole_types.go +++ b/apis/azure/v1alpha1/zz_secretbackendrole_types.go @@ -26,7 +26,7 @@ type AzureGroupsObservation struct { type AzureGroupsParameters struct { // +kubebuilder:validation:Optional - GroupName *string `json:"groupName,omitempty" tf:"group_name,omitempty"` + GroupName *string `json:"groupName" tf:"group_name,omitempty"` } type AzureRolesInitParameters struct { @@ -54,7 +54,7 @@ type AzureRolesParameters struct { RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"` // +kubebuilder:validation:Optional - Scope *string `json:"scope,omitempty" tf:"scope,omitempty"` + Scope *string `json:"scope" tf:"scope,omitempty"` } type SecretBackendRoleInitParameters struct { 
@@ -72,8 +72,18 @@ type SecretBackendRoleInitParameters struct { // Path to the mounted Azure auth backend // Unique name of the auth backend to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/azure/v1alpha1.SecretBackend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a SecretBackend in azure to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a SecretBackend in azure to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Human-friendly description of the mount for the backend. Description *string `json:"description,omitempty" tf:"description,omitempty"` @@ -189,9 +199,19 @@ type SecretBackendRoleParameters struct { // Path to the mounted Azure auth backend // Unique name of the auth backend to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/azure/v1alpha1.SecretBackend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a SecretBackend in azure to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a SecretBackend in azure to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Human-friendly description of the mount for the backend. // +kubebuilder:validation:Optional Description *string `json:"description,omitempty" tf:"description,omitempty"` 
@@ -243,9 +263,8 @@ type SecretBackendRoleParameters struct { type SecretBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendRoleParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -264,18 +283,19 @@ type SecretBackendRoleStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretBackendRole is the Schema for the SecretBackendRoles API. Creates an azure secret backend role for Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.role) || has(self.initProvider.role)",message="role is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.role) || (has(self.initProvider) && has(self.initProvider.role))",message="spec.forProvider.role is a required parameter" Spec SecretBackendRoleSpec `json:"spec"` Status SecretBackendRoleStatus `json:"status,omitempty"` } 
diff --git a/apis/cert/v1alpha1/zz_generated_terraformed.go b/apis/cert/v1alpha1/zz_authbackendrole_terraformed.go similarity index 70% rename from apis/cert/v1alpha1/zz_generated_terraformed.go rename to apis/cert/v1alpha1/zz_authbackendrole_terraformed.go index ed335fd8..199cf9e6 100755 --- a/apis/cert/v1alpha1/zz_generated_terraformed.go +++ b/apis/cert/v1alpha1/zz_authbackendrole_terraformed.go @@ -7,10 +7,11 @@ Copyright 2022 Upbound Inc. package v1alpha1 import ( + "dario.cat/mergo" "github.com/pkg/errors" - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" ) // GetTerraformResourceType returns Terraform resource type for this AuthBackendRole 
@@ -79,6 +80,36 @@ func (tr *AuthBackendRole) GetInitParameters() (map[string]any, error) { return base, json.TFParser.Unmarshal(p, &base) } +// GetInitParameters of this AuthBackendRole +func (tr *AuthBackendRole) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + // LateInitialize this AuthBackendRole using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackendRole) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/cert/v1alpha1/zz_authbackendrole_types.go b/apis/cert/v1alpha1/zz_authbackendrole_types.go index e8beb98f..0e116bfb 100755 --- a/apis/cert/v1alpha1/zz_authbackendrole_types.go +++ b/apis/cert/v1alpha1/zz_authbackendrole_types.go 
@@ -14,18 +14,23 @@ import ( ) type AuthBackendRoleInitParameters struct { + + // +listType=set AllowedCommonNames []*string `json:"allowedCommonNames,omitempty" tf:"allowed_common_names,omitempty"` + // +listType=set AllowedDNSSans []*string `json:"allowedDnsSans,omitempty" tf:"allowed_dns_sans,omitempty"` + // +listType=set AllowedEmailSans []*string `json:"allowedEmailSans,omitempty" tf:"allowed_email_sans,omitempty"` + // +listType=set AllowedNames []*string `json:"allowedNames,omitempty" tf:"allowed_names,omitempty"` - AllowedOrganizationUnits []*string `json:"allowedOrganizationUnits,omitempty" tf:"allowed_organization_units,omitempty"` - + // +listType=set AllowedOrganizationalUnits []*string `json:"allowedOrganizationalUnits,omitempty" tf:"allowed_organizational_units,omitempty"` + // +listType=set AllowedURISans []*string `json:"allowedUriSans,omitempty" tf:"allowed_uri_sans,omitempty"` Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` @@ -52,11 +57,14 @@ type AuthBackendRoleInitParameters struct { OcspQueryAllServers *bool `json:"ocspQueryAllServers,omitempty" tf:"ocsp_query_all_servers,omitempty"` // A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. + // +listType=set OcspServersOverride []*string `json:"ocspServersOverride,omitempty" tf:"ocsp_servers_override,omitempty"` + // +listType=set RequiredExtensions []*string `json:"requiredExtensions,omitempty" tf:"required_extensions,omitempty"` // Specifies the blocks of IP addresses which are allowed to use the generated token + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // Generated Token's Explicit Maximum TTL in seconds 
@@ -75,6 +83,7 @@ type AuthBackendRoleInitParameters struct { TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` // Generated Token's Policies + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The initial ttl of the token to generate in seconds @@ -85,18 +94,23 @@ type AuthBackendRoleInitParameters struct { } type AuthBackendRoleObservation struct { + + // +listType=set AllowedCommonNames []*string `json:"allowedCommonNames,omitempty" tf:"allowed_common_names,omitempty"` + // +listType=set AllowedDNSSans []*string `json:"allowedDnsSans,omitempty" tf:"allowed_dns_sans,omitempty"` + // +listType=set AllowedEmailSans []*string `json:"allowedEmailSans,omitempty" tf:"allowed_email_sans,omitempty"` + // +listType=set AllowedNames []*string `json:"allowedNames,omitempty" tf:"allowed_names,omitempty"` - AllowedOrganizationUnits []*string `json:"allowedOrganizationUnits,omitempty" tf:"allowed_organization_units,omitempty"` - + // +listType=set AllowedOrganizationalUnits []*string `json:"allowedOrganizationalUnits,omitempty" tf:"allowed_organizational_units,omitempty"` + // +listType=set AllowedURISans []*string `json:"allowedUriSans,omitempty" tf:"allowed_uri_sans,omitempty"` Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` 
@@ -125,11 +139,14 @@ type AuthBackendRoleObservation struct { OcspQueryAllServers *bool `json:"ocspQueryAllServers,omitempty" tf:"ocsp_query_all_servers,omitempty"` // A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. + // +listType=set OcspServersOverride []*string `json:"ocspServersOverride,omitempty" tf:"ocsp_servers_override,omitempty"` + // +listType=set RequiredExtensions []*string `json:"requiredExtensions,omitempty" tf:"required_extensions,omitempty"` // Specifies the blocks of IP addresses which are allowed to use the generated token + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // Generated Token's Explicit Maximum TTL in seconds @@ -148,6 +165,7 @@ type AuthBackendRoleObservation struct { TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` // Generated Token's Policies + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The initial ttl of the token to generate in seconds 
@@ -160,24 +178,27 @@ type AuthBackendRoleObservation struct { type AuthBackendRoleParameters struct { // +kubebuilder:validation:Optional + // +listType=set AllowedCommonNames []*string `json:"allowedCommonNames,omitempty" tf:"allowed_common_names,omitempty"` // +kubebuilder:validation:Optional + // +listType=set AllowedDNSSans []*string `json:"allowedDnsSans,omitempty" tf:"allowed_dns_sans,omitempty"` // +kubebuilder:validation:Optional + // +listType=set AllowedEmailSans []*string `json:"allowedEmailSans,omitempty" tf:"allowed_email_sans,omitempty"` // +kubebuilder:validation:Optional + // +listType=set AllowedNames []*string `json:"allowedNames,omitempty" tf:"allowed_names,omitempty"` // +kubebuilder:validation:Optional - AllowedOrganizationUnits []*string `json:"allowedOrganizationUnits,omitempty" tf:"allowed_organization_units,omitempty"` - - // +kubebuilder:validation:Optional + // +listType=set AllowedOrganizationalUnits []*string `json:"allowedOrganizationalUnits,omitempty" tf:"allowed_organizational_units,omitempty"` // +kubebuilder:validation:Optional + // +listType=set AllowedURISans []*string `json:"allowedUriSans,omitempty" tf:"allowed_uri_sans,omitempty"` // +kubebuilder:validation:Optional 
@@ -214,13 +235,16 @@ type AuthBackendRoleParameters struct { // A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. // +kubebuilder:validation:Optional + // +listType=set OcspServersOverride []*string `json:"ocspServersOverride,omitempty" tf:"ocsp_servers_override,omitempty"` // +kubebuilder:validation:Optional + // +listType=set RequiredExtensions []*string `json:"requiredExtensions,omitempty" tf:"required_extensions,omitempty"` // Specifies the blocks of IP addresses which are allowed to use the generated token // +kubebuilder:validation:Optional + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // Generated Token's Explicit Maximum TTL in seconds @@ -245,6 +269,7 @@ type AuthBackendRoleParameters struct { // Generated Token's Policies // +kubebuilder:validation:Optional + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The initial ttl of the token to generate in seconds @@ -260,9 +285,8 @@ type AuthBackendRoleParameters struct { type AuthBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendRoleParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -281,19 +305,20 @@ type AuthBackendRoleStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // AuthBackendRole is the Schema for the AuthBackendRoles API. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type AuthBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.certificate) || has(self.initProvider.certificate)",message="certificate is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.certificate) || (has(self.initProvider) && has(self.initProvider.certificate))",message="spec.forProvider.certificate is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' 
in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" Spec AuthBackendRoleSpec `json:"spec"` Status AuthBackendRoleStatus `json:"status,omitempty"` } diff --git a/apis/cert/v1alpha1/zz_generated.conversion_hubs.go b/apis/cert/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..ee678741 --- /dev/null +++ b/apis/cert/v1alpha1/zz_generated.conversion_hubs.go @@ -0,0 +1,10 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *AuthBackendRole) Hub() {} diff --git a/apis/cert/v1alpha1/zz_generated.deepcopy.go b/apis/cert/v1alpha1/zz_generated.deepcopy.go index 31654b24..c31eea42 100644 --- a/apis/cert/v1alpha1/zz_generated.deepcopy.go +++ b/apis/cert/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. @@ -87,17 +86,6 @@ func (in *AuthBackendRoleInitParameters) DeepCopyInto(out *AuthBackendRoleInitPa } } } - if in.AllowedOrganizationUnits != nil { - in, out := &in.AllowedOrganizationUnits, &out.AllowedOrganizationUnits - *out = make([]*string, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(string) - **out = **in - } - } - } if in.AllowedOrganizationalUnits != nil { in, out := &in.AllowedOrganizationalUnits, &out.AllowedOrganizationalUnits *out = make([]*string, len(*in)) 
@@ -335,17 +323,6 @@ func (in *AuthBackendRoleObservation) DeepCopyInto(out *AuthBackendRoleObservati } } } - if in.AllowedOrganizationUnits != nil { - in, out := &in.AllowedOrganizationUnits, &out.AllowedOrganizationUnits - *out = make([]*string, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(string) - **out = **in - } - } - } if in.AllowedOrganizationalUnits != nil { in, out := &in.AllowedOrganizationalUnits, &out.AllowedOrganizationalUnits *out = make([]*string, len(*in)) @@ -556,17 +533,6 @@ func (in *AuthBackendRoleParameters) DeepCopyInto(out *AuthBackendRoleParameters } } } - if in.AllowedOrganizationUnits != nil { - in, out := &in.AllowedOrganizationUnits, &out.AllowedOrganizationUnits - *out = make([]*string, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(string) - **out = **in - } - } - } if in.AllowedOrganizationalUnits != nil { in, out := &in.AllowedOrganizationalUnits, &out.AllowedOrganizationalUnits *out = make([]*string, len(*in)) diff --git a/apis/cert/v1alpha1/zz_generated.managed.go b/apis/cert/v1alpha1/zz_generated.managed.go index 836c358b..e2e30b5e 100644 --- a/apis/cert/v1alpha1/zz_generated.managed.go +++ b/apis/cert/v1alpha1/zz_generated.managed.go @@ -27,14 +27,6 @@ func (mg *AuthBackendRole) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this AuthBackendRole. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *AuthBackendRole) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this AuthBackendRole. func (mg *AuthBackendRole) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -65,14 +57,6 @@ func (mg *AuthBackendRole) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this AuthBackendRole. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *AuthBackendRole) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this AuthBackendRole. func (mg *AuthBackendRole) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/consul/v1alpha1/zz_generated.conversion_hubs.go b/apis/consul/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..bd5a0ce0 --- /dev/null +++ b/apis/consul/v1alpha1/zz_generated.conversion_hubs.go @@ -0,0 +1,13 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *SecretBackend) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SecretBackendRole) Hub() {} diff --git a/apis/consul/v1alpha1/zz_generated.deepcopy.go b/apis/consul/v1alpha1/zz_generated.deepcopy.go index 0bb69d13..ac50b99f 100644 --- a/apis/consul/v1alpha1/zz_generated.deepcopy.go +++ b/apis/consul/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. @@ -59,6 +58,16 @@ func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParame *out = new(string) **out = **in } + if in.ClientCertSecretRef != nil { + in, out := &in.ClientCertSecretRef, &out.ClientCertSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.ClientKeySecretRef != nil { + in, out := &in.ClientKeySecretRef, &out.ClientKeySecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.DefaultLeaseTTLSeconds != nil { in, out := &in.DefaultLeaseTTLSeconds, &out.DefaultLeaseTTLSeconds *out = new(float64) 
@@ -99,6 +108,11 @@ func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParame *out = new(string) **out = **in } + if in.TokenSecretRef != nil { + in, out := &in.TokenSecretRef, &out.TokenSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendInitParameters. @@ -338,6 +352,16 @@ func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleIn *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.ConsulNamespace != nil { in, out := &in.ConsulNamespace, &out.ConsulNamespace *out = new(string) @@ -428,11 +452,6 @@ func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleIn *out = new(float64) **out = **in } - if in.TokenType != nil { - in, out := &in.TokenType, &out.TokenType - *out = new(string) - **out = **in - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleInitParameters. @@ -580,11 +599,6 @@ func (in *SecretBackendRoleObservation) DeepCopyInto(out *SecretBackendRoleObser *out = new(float64) **out = **in } - if in.TokenType != nil { - in, out := &in.TokenType, &out.TokenType - *out = new(string) - **out = **in - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleObservation. 
@@ -605,6 +619,16 @@ func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParame *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.ConsulNamespace != nil { in, out := &in.ConsulNamespace, &out.ConsulNamespace *out = new(string) @@ -695,11 +719,6 @@ func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParame *out = new(float64) **out = **in } - if in.TokenType != nil { - in, out := &in.TokenType, &out.TokenType - *out = new(string) - **out = **in - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleParameters. diff --git a/apis/consul/v1alpha1/zz_generated.managed.go b/apis/consul/v1alpha1/zz_generated.managed.go index d73589a2..c96d3bed 100644 --- a/apis/consul/v1alpha1/zz_generated.managed.go +++ b/apis/consul/v1alpha1/zz_generated.managed.go @@ -27,14 +27,6 @@ func (mg *SecretBackend) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretBackend. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretBackend) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretBackend. func (mg *SecretBackend) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -65,14 +57,6 @@ func (mg *SecretBackend) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretBackend. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretBackend) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretBackend. func (mg *SecretBackend) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -103,14 +87,6 @@ func (mg *SecretBackendRole) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretBackendRole. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretBackendRole) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretBackendRole. func (mg *SecretBackendRole) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -141,14 +117,6 @@ func (mg *SecretBackendRole) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretBackendRole. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretBackendRole) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretBackendRole. func (mg *SecretBackendRole) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/consul/v1alpha1/zz_generated.resolvers.go b/apis/consul/v1alpha1/zz_generated.resolvers.go new file mode 100644 index 00000000..e48613cc --- /dev/null +++ b/apis/consul/v1alpha1/zz_generated.resolvers.go 
@@ -0,0 +1,56 @@ +/* +Copyright 2022 Upbound Inc. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + reference "github.com/crossplane/crossplane-runtime/pkg/reference" + resource "github.com/crossplane/upjet/pkg/resource" + errors "github.com/pkg/errors" + client "sigs.k8s.io/controller-runtime/pkg/client" +) + +// ResolveReferences of this SecretBackendRole. +func (mg *SecretBackendRole) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &SecretBackendList{}, + Managed: &SecretBackend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &SecretBackendList{}, + Managed: &SecretBackend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} diff --git a/apis/consul/v1alpha1/zz_secretbackend_terraformed.go b/apis/consul/v1alpha1/zz_secretbackend_terraformed.go new file mode 100755 index 00000000..571f619e --- /dev/null 
+++ b/apis/consul/v1alpha1/zz_secretbackend_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretBackend +func (mg *SecretBackend) GetTerraformResourceType() string { + return "vault_consul_secret_backend" +} + +// GetConnectionDetailsMapping for this SecretBackend +func (tr *SecretBackend) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"client_cert": "clientCertSecretRef", "client_key": "clientKeySecretRef", "token": "tokenSecretRef"} +} + +// GetObservation of this SecretBackend +func (tr *SecretBackend) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretBackend +func (tr *SecretBackend) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretBackend +func (tr *SecretBackend) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretBackend +func (tr *SecretBackend) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretBackend +func (tr *SecretBackend) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, 
&tr.Spec.ForProvider) +} + +// GetInitParameters of this SecretBackend +func (tr *SecretBackend) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretBackend +func (tr *SecretBackend) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretBackend using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { + params := &SecretBackendParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretBackend) GetTerraformSchemaVersion() int { + return 1 +} diff --git a/apis/consul/v1alpha1/zz_secretbackend_types.go b/apis/consul/v1alpha1/zz_secretbackend_types.go index 236faa34..7f74e5c9 100755 --- a/apis/consul/v1alpha1/zz_secretbackend_types.go +++ b/apis/consul/v1alpha1/zz_secretbackend_types.go @@ -27,6 +27,16 @@ type SecretBackendInitParameters struct { // CA certificate to use when verifying Consul server certificate, must be x509 PEM encoded. CACert *string `json:"caCert,omitempty" tf:"ca_cert,omitempty"` + // Client certificate used for Consul's TLS communication, must be x509 PEM encoded and if + // this is set you need to also set client_key. + // Client certificate used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_key. + ClientCertSecretRef *v1.SecretKeySelector `json:"clientCertSecretRef,omitempty" tf:"-"` + + // Client key used for Consul's TLS communication, must be x509 PEM encoded and if this is set + // you need to also set client_cert. + // Client key used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert. + ClientKeySecretRef *v1.SecretKeySelector `json:"clientKeySecretRef,omitempty" tf:"-"` + // The default TTL for credentials issued by this backend. // Default lease duration for secrets in seconds DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` 
@@ -64,6 +74,11 @@ type SecretBackendInitParameters struct { // Specifies the URL scheme to use. Defaults to http. // Specifies the URL scheme to use. Defaults to "http". Scheme *string `json:"scheme,omitempty" tf:"scheme,omitempty"` + + // The Consul management token this backend should use to issue new tokens. This field is required + // when bootstrap is false. + // Specifies the Consul token to use when managing or issuing new tokens. + TokenSecretRef *v1.SecretKeySelector `json:"tokenSecretRef,omitempty" tf:"-"` } type SecretBackendObservation struct { @@ -207,9 +222,8 @@ type SecretBackendParameters struct { type SecretBackendSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -228,18 +242,19 @@ type SecretBackendStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretBackend is the Schema for the SecretBackends API. Creates a Consul secret backend for Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretBackend struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.address) || has(self.initProvider.address)",message="address is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.address) || (has(self.initProvider) && has(self.initProvider.address))",message="spec.forProvider.address is a required parameter" Spec SecretBackendSpec `json:"spec"` Status SecretBackendStatus `json:"status,omitempty"` } 
diff --git a/apis/consul/v1alpha1/zz_generated_terraformed.go b/apis/consul/v1alpha1/zz_secretbackendrole_terraformed.go similarity index 50% rename from apis/consul/v1alpha1/zz_generated_terraformed.go rename to apis/consul/v1alpha1/zz_secretbackendrole_terraformed.go index 7fedc89c..369b4825 100755 --- a/apis/consul/v1alpha1/zz_generated_terraformed.go +++ b/apis/consul/v1alpha1/zz_secretbackendrole_terraformed.go 
@@ -7,96 +7,13 @@ Copyright 2022 Upbound Inc. package v1alpha1 import ( + "dario.cat/mergo" "github.com/pkg/errors" - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" ) -// GetTerraformResourceType returns Terraform resource type for this SecretBackend -func (mg *SecretBackend) GetTerraformResourceType() string { - return "vault_consul_secret_backend" -} - -// GetConnectionDetailsMapping for this SecretBackend -func (tr *SecretBackend) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"client_cert": "spec.forProvider.clientCertSecretRef", "client_key": "spec.forProvider.clientKeySecretRef", "token": "spec.forProvider.tokenSecretRef"} -} - -// GetObservation of this SecretBackend -func (tr *SecretBackend) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretBackend -func (tr *SecretBackend) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this SecretBackend -func (tr *SecretBackend) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this SecretBackend -func (tr *SecretBackend) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this SecretBackend -func (tr *SecretBackend) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if 
err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this SecretBackend -func (tr *SecretBackend) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this SecretBackend using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { - params := &SecretBackendParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretBackend) GetTerraformSchemaVersion() int { - return 1 -} - // GetTerraformResourceType returns Terraform resource type for this SecretBackendRole func (mg *SecretBackendRole) GetTerraformResourceType() string { return "vault_consul_secret_backend_role" 
@@ -163,6 +80,36 @@ func (tr *SecretBackendRole) GetInitParameters() (map[string]any, error) { return base, json.TFParser.Unmarshal(p, &base) } +// GetInitParameters of this SecretBackendRole +func (tr *SecretBackendRole) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + // LateInitialize this SecretBackendRole using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackendRole) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/consul/v1alpha1/zz_secretbackendrole_types.go b/apis/consul/v1alpha1/zz_secretbackendrole_types.go index 13791ebe..de75e954 100755 --- a/apis/consul/v1alpha1/zz_secretbackendrole_types.go +++ b/apis/consul/v1alpha1/zz_secretbackendrole_types.go 
@@ -17,8 +17,18 @@ type SecretBackendRoleInitParameters struct { // The unique name of an existing Consul secrets backend mount. Must not begin or end with a /. One of path or backend is required. // The path of the Consul Secret Backend the role belongs to. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/consul/v1alpha1.SecretBackend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a SecretBackend in consul to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a SecretBackend in consul to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The Consul namespace that the token will be created in. // Applicable for Vault 1.10+ and Consul 1.7+". // The Consul namespace that the token will be created in. Applicable for Vault 1.10+ and Consul 1.7+ @@ -26,11 +36,13 @@ type SecretBackendRoleInitParameters struct { // SEE NOTE The list of Consul ACL policies to associate with these roles. // List of Consul policies to associate with this role + // +listType=set ConsulPolicies []*string `json:"consulPolicies,omitempty" tf:"consul_policies,omitempty"` // SEE NOTE Set of Consul roles to attach to the token. // Applicable for Vault 1.10+ with Consul 1.5+. // Set of Consul roles to attach to the token. Applicable for Vault 1.10+ with Consul 1.5+ + // +listType=set ConsulRoles []*string `json:"consulRoles,omitempty" tf:"consul_roles,omitempty"` // Indicates that the token should not be replicated globally and instead be local to the current datacenter. 
@@ -56,6 +68,7 @@ type SecretBackendRoleInitParameters struct { // identities to attach to the token. Applicable for Vault 1.11+ with Consul 1.8+. // Set of Consul node identities to attach to // the token. Applicable for Vault 1.11+ with Consul 1.8+ + // +listType=set NodeIdentities []*string `json:"nodeIdentities,omitempty" tf:"node_identities,omitempty"` // The admin partition that the token will be created in. @@ -73,16 +86,12 @@ type SecretBackendRoleInitParameters struct { // service identities to attach to the token. Applicable for Vault 1.11+ with Consul 1.5+. // Set of Consul service identities to attach to // the token. Applicable for Vault 1.11+ with Consul 1.5+ + // +listType=set ServiceIdentities []*string `json:"serviceIdentities,omitempty" tf:"service_identities,omitempty"` // Specifies the TTL for this role. // Specifies the TTL for this role. TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"` - - // Specifies the type of token to create when using this role. Valid values are "client" or "management". - // Deprecated: Consul 1.11 and later removed the legacy ACL system which supported this field. - // Specifies the type of token to create when using this role. Valid values are "client" or "management". - TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` } type SecretBackendRoleObservation struct { 
@@ -98,11 +107,13 @@ type SecretBackendRoleObservation struct { // SEE NOTE The list of Consul ACL policies to associate with these roles. // List of Consul policies to associate with this role + // +listType=set ConsulPolicies []*string `json:"consulPolicies,omitempty" tf:"consul_policies,omitempty"` // SEE NOTE Set of Consul roles to attach to the token. // Applicable for Vault 1.10+ with Consul 1.5+. // Set of Consul roles to attach to the token. Applicable for Vault 1.10+ with Consul 1.5+ + // +listType=set ConsulRoles []*string `json:"consulRoles,omitempty" tf:"consul_roles,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` @@ -130,6 +141,7 @@ type SecretBackendRoleObservation struct { // identities to attach to the token. Applicable for Vault 1.11+ with Consul 1.8+. // Set of Consul node identities to attach to // the token. Applicable for Vault 1.11+ with Consul 1.8+ + // +listType=set NodeIdentities []*string `json:"nodeIdentities,omitempty" tf:"node_identities,omitempty"` // The admin partition that the token will be created in. 
@@ -147,25 +159,31 @@ type SecretBackendRoleObservation struct { // service identities to attach to the token. Applicable for Vault 1.11+ with Consul 1.5+. // Set of Consul service identities to attach to // the token. Applicable for Vault 1.11+ with Consul 1.5+ + // +listType=set ServiceIdentities []*string `json:"serviceIdentities,omitempty" tf:"service_identities,omitempty"` // Specifies the TTL for this role. // Specifies the TTL for this role. TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"` - - // Specifies the type of token to create when using this role. Valid values are "client" or "management". - // Deprecated: Consul 1.11 and later removed the legacy ACL system which supported this field. - // Specifies the type of token to create when using this role. Valid values are "client" or "management". - TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` } type SecretBackendRoleParameters struct { // The unique name of an existing Consul secrets backend mount. Must not begin or end with a /. One of path or backend is required. // The path of the Consul Secret Backend the role belongs to. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/consul/v1alpha1.SecretBackend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a SecretBackend in consul to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a SecretBackend in consul to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The Consul namespace that the token will be created in. // Applicable for Vault 1.10+ and Consul 1.7+". // The Consul namespace that the token will be created in. 
Applicable for Vault 1.10+ and Consul 1.7+ @@ -175,12 +193,14 @@ type SecretBackendRoleParameters struct { // SEE NOTE The list of Consul ACL policies to associate with these roles. // List of Consul policies to associate with this role // +kubebuilder:validation:Optional + // +listType=set ConsulPolicies []*string `json:"consulPolicies,omitempty" tf:"consul_policies,omitempty"` // SEE NOTE Set of Consul roles to attach to the token. // Applicable for Vault 1.10+ with Consul 1.5+. // Set of Consul roles to attach to the token. Applicable for Vault 1.10+ with Consul 1.5+ // +kubebuilder:validation:Optional + // +listType=set ConsulRoles []*string `json:"consulRoles,omitempty" tf:"consul_roles,omitempty"` // Indicates that the token should not be replicated globally and instead be local to the current datacenter. @@ -211,6 +231,7 @@ type SecretBackendRoleParameters struct { // Set of Consul node identities to attach to // the token. Applicable for Vault 1.11+ with Consul 1.8+ // +kubebuilder:validation:Optional + // +listType=set NodeIdentities []*string `json:"nodeIdentities,omitempty" tf:"node_identities,omitempty"` // The admin partition that the token will be created in. 
@@ -231,27 +252,21 @@ type SecretBackendRoleParameters struct { // Set of Consul service identities to attach to // the token. Applicable for Vault 1.11+ with Consul 1.5+ // +kubebuilder:validation:Optional + // +listType=set ServiceIdentities []*string `json:"serviceIdentities,omitempty" tf:"service_identities,omitempty"` // Specifies the TTL for this role. // Specifies the TTL for this role. // +kubebuilder:validation:Optional TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"` - - // Specifies the type of token to create when using this role. Valid values are "client" or "management". - // Deprecated: Consul 1.11 and later removed the legacy ACL system which supported this field. - // Specifies the type of token to create when using this role. Valid values are "client" or "management". - // +kubebuilder:validation:Optional - TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` } // SecretBackendRoleSpec defines the desired state of SecretBackendRole type SecretBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendRoleParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -270,18 +285,19 @@ type SecretBackendRoleStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretBackendRole is the Schema for the SecretBackendRoles API. Manages a Consul secrets role for a Consul secrets engine in Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" Spec SecretBackendRoleSpec `json:"spec"` Status SecretBackendRoleStatus `json:"status,omitempty"` } diff --git a/apis/database/v1alpha1/zz_generated.conversion_hubs.go b/apis/database/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..e96c247a --- /dev/null +++ b/apis/database/v1alpha1/zz_generated.conversion_hubs.go 
@@ -0,0 +1,19 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *SecretBackendConnection) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SecretBackendRole) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SecretBackendStaticRole) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SecretsMount) Hub() {} diff --git a/apis/database/v1alpha1/zz_generated.deepcopy.go b/apis/database/v1alpha1/zz_generated.deepcopy.go index fdf9c0f4..97e554a0 100644 --- a/apis/database/v1alpha1/zz_generated.deepcopy.go +++ b/apis/database/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. @@ -38,6 +37,21 @@ func (in *CassandraInitParameters) DeepCopyInto(out *CassandraInitParameters) { *out = new(bool) **out = **in } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.PemBundleSecretRef != nil { + in, out := &in.PemBundleSecretRef, &out.PemBundleSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.PemJSONSecretRef != nil { + in, out := &in.PemJSONSecretRef, &out.PemJSONSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.Port != nil { in, out := &in.Port, &out.Port *out = new(float64) 
@@ -200,6 +214,11 @@ func (in *CassandraParameters) DeepCopy() *CassandraParameters { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CouchbaseInitParameters) DeepCopyInto(out *CouchbaseInitParameters) { *out = *in + if in.Base64PemSecretRef != nil { + in, out := &in.Base64PemSecretRef, &out.Base64PemSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.BucketName != nil { in, out := &in.BucketName, &out.BucketName *out = new(string) @@ -221,6 +240,7 @@ func (in *CouchbaseInitParameters) DeepCopyInto(out *CouchbaseInitParameters) { *out = new(bool) **out = **in } + out.PasswordSecretRef = in.PasswordSecretRef if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(bool) @@ -384,6 +404,7 @@ func (in *ElasticsearchInitParameters) DeepCopyInto(out *ElasticsearchInitParame *out = new(bool) **out = **in } + out.PasswordSecretRef = in.PasswordSecretRef if in.TLSServerName != nil { in, out := &in.TLSServerName, &out.TLSServerName *out = new(string) @@ -565,6 +586,11 @@ func (in *HanaInitParameters) DeepCopyInto(out *HanaInitParameters) { *out = new(float64) **out = **in } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -695,6 +721,17 @@ func (in *InfluxdbInitParameters) DeepCopyInto(out *InfluxdbInitParameters) { *out = new(bool) **out = **in } + out.PasswordSecretRef = in.PasswordSecretRef + if in.PemBundleSecretRef != nil { + in, out := &in.PemBundleSecretRef, &out.PemBundleSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.PemJSONSecretRef != nil { + in, out := &in.PemJSONSecretRef, &out.PemJSONSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.Port != nil { in, out := &in.Port, &out.Port *out = new(float64) 
@@ -861,6 +898,11 @@ func (in *MongodbInitParameters) DeepCopyInto(out *MongodbInitParameters) { *out = new(float64) **out = **in } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -981,6 +1023,7 @@ func (in *MongodbParameters) DeepCopy() *MongodbParameters { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MongodbatlasInitParameters) DeepCopyInto(out *MongodbatlasInitParameters) { *out = *in + out.PrivateKeySecretRef = in.PrivateKeySecretRef if in.ProjectID != nil { in, out := &in.ProjectID, &out.ProjectID *out = new(string) @@ -1087,6 +1130,11 @@ func (in *MssqlInitParameters) DeepCopyInto(out *MssqlInitParameters) { *out = new(float64) **out = **in } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -1252,11 +1300,26 @@ func (in *MySQLAuroraInitParameters) DeepCopyInto(out *MySQLAuroraInitParameters *out = new(float64) **out = **in } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.ServiceAccountJSONSecretRef != nil { + in, out := &in.ServiceAccountJSONSecretRef, &out.ServiceAccountJSONSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.TLSCA != nil { in, out := &in.TLSCA, &out.TLSCA *out = new(string) **out = **in } + if in.TLSCertificateKeySecretRef != nil { + in, out := &in.TLSCertificateKeySecretRef, &out.TLSCertificateKeySecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) 
@@ -1432,11 +1495,26 @@ func (in *MySQLInitParameters) DeepCopyInto(out *MySQLInitParameters) { *out = new(float64) **out = **in } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.ServiceAccountJSONSecretRef != nil { + in, out := &in.ServiceAccountJSONSecretRef, &out.ServiceAccountJSONSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.TLSCA != nil { in, out := &in.TLSCA, &out.TLSCA *out = new(string) **out = **in } + if in.TLSCertificateKeySecretRef != nil { + in, out := &in.TLSCertificateKeySecretRef, &out.TLSCertificateKeySecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -1487,11 +1565,26 @@ func (in *MySQLLegacyInitParameters) DeepCopyInto(out *MySQLLegacyInitParameters *out = new(float64) **out = **in } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.ServiceAccountJSONSecretRef != nil { + in, out := &in.ServiceAccountJSONSecretRef, &out.ServiceAccountJSONSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.TLSCA != nil { in, out := &in.TLSCA, &out.TLSCA *out = new(string) **out = **in } + if in.TLSCertificateKeySecretRef != nil { + in, out := &in.TLSCertificateKeySecretRef, &out.TLSCertificateKeySecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) 
@@ -1792,11 +1885,26 @@ func (in *MySQLRDSInitParameters) DeepCopyInto(out *MySQLRDSInitParameters) { *out = new(float64) **out = **in } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.ServiceAccountJSONSecretRef != nil { + in, out := &in.ServiceAccountJSONSecretRef, &out.ServiceAccountJSONSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.TLSCA != nil { in, out := &in.TLSCA, &out.TLSCA *out = new(string) **out = **in } + if in.TLSCertificateKeySecretRef != nil { + in, out := &in.TLSCertificateKeySecretRef, &out.TLSCertificateKeySecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -1972,6 +2080,11 @@ func (in *OracleInitParameters) DeepCopyInto(out *OracleInitParameters) { *out = new(float64) **out = **in } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.SplitStatements != nil { in, out := &in.SplitStatements, &out.SplitStatements *out = new(bool) @@ -2147,6 +2260,16 @@ func (in *PostgresqlInitParameters) DeepCopyInto(out *PostgresqlInitParameters) *out = new(float64) **out = **in } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.ServiceAccountJSONSecretRef != nil { + in, out := &in.ServiceAccountJSONSecretRef, &out.ServiceAccountJSONSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) 
@@ -2292,6 +2415,11 @@ func (in *PostgresqlParameters) DeepCopy() *PostgresqlParameters { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RedisElasticacheInitParameters) DeepCopyInto(out *RedisElasticacheInitParameters) { *out = *in + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.Region != nil { in, out := &in.Region, &out.Region *out = new(string) @@ -2302,6 +2430,11 @@ func (in *RedisElasticacheInitParameters) DeepCopyInto(out *RedisElasticacheInit *out = new(string) **out = **in } + if in.UsernameSecretRef != nil { + in, out := &in.UsernameSecretRef, &out.UsernameSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedisElasticacheInitParameters. @@ -2392,6 +2525,7 @@ func (in *RedisInitParameters) DeepCopyInto(out *RedisInitParameters) { *out = new(bool) **out = **in } + out.PasswordSecretRef = in.PasswordSecretRef if in.Port != nil { in, out := &in.Port, &out.Port *out = new(float64) @@ -2538,6 +2672,11 @@ func (in *RedshiftInitParameters) DeepCopyInto(out *RedshiftInitParameters) { *out = new(float64) **out = **in } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) 
@@ -2711,6 +2850,16 @@ func (in *SecretBackendConnectionInitParameters) DeepCopyInto(out *SecretBackend *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Cassandra != nil { in, out := &in.Cassandra, &out.Cassandra *out = make([]CassandraInitParameters, len(*in)) @@ -2733,7 +2882,8 @@ func (in *SecretBackendConnectionInitParameters) DeepCopyInto(out *SecretBackend if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -2968,7 +3118,8 @@ func (in *SecretBackendConnectionObservation) DeepCopyInto(out *SecretBackendCon if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -3154,6 +3305,16 @@ func (in *SecretBackendConnectionParameters) DeepCopyInto(out *SecretBackendConn *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Cassandra != nil { in, out := &in.Cassandra, &out.Cassandra *out = make([]CassandraParameters, len(*in)) @@ -3176,7 +3337,8 @@ func (in *SecretBackendConnectionParameters) DeepCopyInto(out *SecretBackendConn if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } 
@@ -3408,6 +3570,16 @@ func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleIn *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.CreationStatements != nil { in, out := &in.CreationStatements, &out.CreationStatements *out = make([]*string, len(*in)) @@ -3427,7 +3599,8 @@ func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleIn if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -3444,6 +3617,16 @@ func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleIn *out = new(string) **out = **in } + if in.DBNameRef != nil { + in, out := &in.DBNameRef, &out.DBNameRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.DBNameSelector != nil { + in, out := &in.DBNameSelector, &out.DBNameSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.DefaultTTL != nil { in, out := &in.DefaultTTL, &out.DefaultTTL *out = new(float64) @@ -3568,7 +3751,8 @@ func (in *SecretBackendRoleObservation) DeepCopyInto(out *SecretBackendRoleObser if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } 
@@ -3663,6 +3847,16 @@ func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParame *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.CreationStatements != nil { in, out := &in.CreationStatements, &out.CreationStatements *out = make([]*string, len(*in)) @@ -3682,7 +3876,8 @@ func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParame if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -3699,6 +3894,16 @@ func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParame *out = new(string) **out = **in } + if in.DBNameRef != nil { + in, out := &in.DBNameRef, &out.DBNameRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.DBNameSelector != nil { + in, out := &in.DBNameSelector, &out.DBNameSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.DefaultTTL != nil { in, out := &in.DefaultTTL, &out.DefaultTTL *out = new(float64) 
@@ -3834,11 +4039,31 @@ func (in *SecretBackendStaticRoleInitParameters) DeepCopyInto(out *SecretBackend *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.DBName != nil { in, out := &in.DBName, &out.DBName *out = new(string) **out = **in } + if in.DBNameRef != nil { + in, out := &in.DBNameRef, &out.DBNameRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.DBNameSelector != nil { + in, out := &in.DBNameSelector, &out.DBNameSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Name != nil { in, out := &in.Name, &out.Name *out = new(string) @@ -4003,11 +4228,31 @@ func (in *SecretBackendStaticRoleParameters) DeepCopyInto(out *SecretBackendStat *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.DBName != nil { in, out := &in.DBName, &out.DBName *out = new(string) **out = **in } + if in.DBNameRef != nil { + in, out := &in.DBNameRef, &out.DBNameRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.DBNameSelector != nil { + in, out := &in.DBNameSelector, &out.DBNameSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Name != nil { in, out := &in.Name, &out.Name *out = new(string) @@ -4150,7 +4395,8 @@ func (in *SecretsMountCassandraInitParameters) DeepCopyInto(out *SecretsMountCas if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } 
@@ -4178,6 +4424,21 @@ func (in *SecretsMountCassandraInitParameters) DeepCopyInto(out *SecretsMountCas *out = new(string) **out = **in } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.PemBundleSecretRef != nil { + in, out := &in.PemBundleSecretRef, &out.PemBundleSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.PemJSONSecretRef != nil { + in, out := &in.PemJSONSecretRef, &out.PemJSONSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) @@ -4258,7 +4519,8 @@ func (in *SecretsMountCassandraObservation) DeepCopyInto(out *SecretsMountCassan if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -4366,7 +4628,8 @@ func (in *SecretsMountCassandraParameters) DeepCopyInto(out *SecretsMountCassand if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -4476,6 +4739,11 @@ func (in *SecretsMountCouchbaseInitParameters) DeepCopyInto(out *SecretsMountCou } } } + if in.Base64PemSecretRef != nil { + in, out := &in.Base64PemSecretRef, &out.Base64PemSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.BucketName != nil { in, out := &in.BucketName, &out.BucketName *out = new(string) @@ -4489,7 +4757,8 @@ func (in *SecretsMountCouchbaseInitParameters) DeepCopyInto(out *SecretsMountCou if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } 
@@ -4517,6 +4786,7 @@ func (in *SecretsMountCouchbaseInitParameters) DeepCopyInto(out *SecretsMountCou *out = new(string) **out = **in } + out.PasswordSecretRef = in.PasswordSecretRef if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) @@ -4592,7 +4862,8 @@ func (in *SecretsMountCouchbaseObservation) DeepCopyInto(out *SecretsMountCouchb if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -4700,7 +4971,8 @@ func (in *SecretsMountCouchbaseParameters) DeepCopyInto(out *SecretsMountCouchba if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -4819,7 +5091,8 @@ func (in *SecretsMountElasticsearchInitParameters) DeepCopyInto(out *SecretsMoun if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -4836,6 +5109,7 @@ func (in *SecretsMountElasticsearchInitParameters) DeepCopyInto(out *SecretsMoun *out = new(string) **out = **in } + out.PasswordSecretRef = in.PasswordSecretRef if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) @@ -4931,7 +5205,8 @@ func (in *SecretsMountElasticsearchObservation) DeepCopyInto(out *SecretsMountEl if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -5043,7 +5318,8 @@ func (in *SecretsMountElasticsearchParameters) DeepCopyInto(out *SecretsMountEla if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } 
@@ -5141,7 +5417,8 @@ func (in *SecretsMountHanaInitParameters) DeepCopyInto(out *SecretsMountHanaInit if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -5173,6 +5450,11 @@ func (in *SecretsMountHanaInitParameters) DeepCopyInto(out *SecretsMountHanaInit *out = new(string) **out = **in } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) @@ -5238,7 +5520,8 @@ func (in *SecretsMountHanaObservation) DeepCopyInto(out *SecretsMountHanaObserva if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -5335,7 +5618,8 @@ func (in *SecretsMountHanaParameters) DeepCopyInto(out *SecretsMountHanaParamete if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -5437,7 +5721,8 @@ func (in *SecretsMountInfluxdbInitParameters) DeepCopyInto(out *SecretsMountInfl if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -5459,6 +5744,17 @@ func (in *SecretsMountInfluxdbInitParameters) DeepCopyInto(out *SecretsMountInfl *out = new(string) **out = **in } + out.PasswordSecretRef = in.PasswordSecretRef + if in.PemBundleSecretRef != nil { + in, out := &in.PemBundleSecretRef, &out.PemBundleSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.PemJSONSecretRef != nil { + in, out := &in.PemJSONSecretRef, &out.PemJSONSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) 
@@ -5539,7 +5835,8 @@ func (in *SecretsMountInfluxdbObservation) DeepCopyInto(out *SecretsMountInfluxd if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -5641,7 +5938,8 @@ func (in *SecretsMountInfluxdbParameters) DeepCopyInto(out *SecretsMountInfluxdb if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -5741,6 +6039,17 @@ func (in *SecretsMountInitParameters) DeepCopyInto(out *SecretsMountInitParamete } } } + if in.AllowedResponseHeaders != nil { + in, out := &in.AllowedResponseHeaders, &out.AllowedResponseHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.AuditNonHMACRequestKeys != nil { in, out := &in.AuditNonHMACRequestKeys, &out.AuditNonHMACRequestKeys *out = make([]*string, len(*in)) @@ -5782,6 +6091,17 @@ func (in *SecretsMountInitParameters) DeepCopyInto(out *SecretsMountInitParamete *out = new(float64) **out = **in } + if in.DelegatedAuthAccessors != nil { + in, out := &in.DelegatedAuthAccessors, &out.DelegatedAuthAccessors + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Description != nil { in, out := &in.Description, &out.Description *out = new(string) @@ -5806,6 +6126,11 @@ func (in *SecretsMountInitParameters) DeepCopyInto(out *SecretsMountInitParamete (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } if in.Influxdb != nil { in, out := &in.Influxdb, &out.Influxdb *out = make([]SecretsMountInfluxdbInitParameters, len(*in)) 
@@ -5813,6 +6138,11 @@ func (in *SecretsMountInitParameters) DeepCopyInto(out *SecretsMountInitParamete (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.ListingVisibility != nil { + in, out := &in.ListingVisibility, &out.ListingVisibility + *out = new(string) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) @@ -5885,7 +6215,8 @@ func (in *SecretsMountInitParameters) DeepCopyInto(out *SecretsMountInitParamete if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -5899,11 +6230,27 @@ func (in *SecretsMountInitParameters) DeepCopyInto(out *SecretsMountInitParamete (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.PassthroughRequestHeaders != nil { + in, out := &in.PassthroughRequestHeaders, &out.PassthroughRequestHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Path != nil { in, out := &in.Path, &out.Path *out = new(string) **out = **in } + if in.PluginVersion != nil { + in, out := &in.PluginVersion, &out.PluginVersion + *out = new(string) + **out = **in + } if in.Postgresql != nil { in, out := &in.Postgresql, &out.Postgresql *out = make([]SecretsMountPostgresqlInitParameters, len(*in)) @@ -6015,7 +6362,8 @@ func (in *SecretsMountMongodbInitParameters) DeepCopyInto(out *SecretsMountMongo if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -6042,6 +6390,11 @@ func (in *SecretsMountMongodbInitParameters) DeepCopyInto(out *SecretsMountMongo *out = new(string) **out = **in } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) 
@@ -6112,7 +6465,8 @@ func (in *SecretsMountMongodbObservation) DeepCopyInto(out *SecretsMountMongodbO if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -6209,7 +6563,8 @@ func (in *SecretsMountMongodbParameters) DeepCopyInto(out *SecretsMountMongodbPa if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -6306,7 +6661,8 @@ func (in *SecretsMountMongodbatlasInitParameters) DeepCopyInto(out *SecretsMount if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -6323,6 +6679,7 @@ func (in *SecretsMountMongodbatlasInitParameters) DeepCopyInto(out *SecretsMount *out = new(string) **out = **in } + out.PrivateKeySecretRef = in.PrivateKeySecretRef if in.ProjectID != nil { in, out := &in.ProjectID, &out.ProjectID *out = new(string) @@ -6383,7 +6740,8 @@ func (in *SecretsMountMongodbatlasObservation) DeepCopyInto(out *SecretsMountMon if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -6460,7 +6818,8 @@ func (in *SecretsMountMongodbatlasParameters) DeepCopyInto(out *SecretsMountMong if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -6548,7 +6907,8 @@ func (in *SecretsMountMssqlInitParameters) DeepCopyInto(out *SecretsMountMssqlIn if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } 
@@ -6580,6 +6940,11 @@ func (in *SecretsMountMssqlInitParameters) DeepCopyInto(out *SecretsMountMssqlIn *out = new(string) **out = **in } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) @@ -6655,7 +7020,8 @@ func (in *SecretsMountMssqlObservation) DeepCopyInto(out *SecretsMountMssqlObser if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -6762,7 +7128,8 @@ func (in *SecretsMountMssqlParameters) DeepCopyInto(out *SecretsMountMssqlParame if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -6874,7 +7241,8 @@ func (in *SecretsMountMySQLAuroraInitParameters) DeepCopyInto(out *SecretsMountM if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -6901,6 +7269,11 @@ func (in *SecretsMountMySQLAuroraInitParameters) DeepCopyInto(out *SecretsMountM *out = new(string) **out = **in } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) 
@@ -6917,11 +7290,21 @@ func (in *SecretsMountMySQLAuroraInitParameters) DeepCopyInto(out *SecretsMountM } } } + if in.ServiceAccountJSONSecretRef != nil { + in, out := &in.ServiceAccountJSONSecretRef, &out.ServiceAccountJSONSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.TLSCA != nil { in, out := &in.TLSCA, &out.TLSCA *out = new(string) **out = **in } + if in.TLSCertificateKeySecretRef != nil { + in, out := &in.TLSCertificateKeySecretRef, &out.TLSCertificateKeySecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -6981,7 +7364,8 @@ func (in *SecretsMountMySQLAuroraObservation) DeepCopyInto(out *SecretsMountMySQ if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -7088,7 +7472,8 @@ func (in *SecretsMountMySQLAuroraParameters) DeepCopyInto(out *SecretsMountMySQL if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -7210,7 +7595,8 @@ func (in *SecretsMountMySQLInitParameters) DeepCopyInto(out *SecretsMountMySQLIn if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -7237,6 +7623,11 @@ func (in *SecretsMountMySQLInitParameters) DeepCopyInto(out *SecretsMountMySQLIn *out = new(string) **out = **in } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) 
@@ -7253,11 +7644,21 @@ func (in *SecretsMountMySQLInitParameters) DeepCopyInto(out *SecretsMountMySQLIn } } } + if in.ServiceAccountJSONSecretRef != nil { + in, out := &in.ServiceAccountJSONSecretRef, &out.ServiceAccountJSONSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.TLSCA != nil { in, out := &in.TLSCA, &out.TLSCA *out = new(string) **out = **in } + if in.TLSCertificateKeySecretRef != nil { + in, out := &in.TLSCertificateKeySecretRef, &out.TLSCertificateKeySecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -7317,7 +7718,8 @@ func (in *SecretsMountMySQLLegacyInitParameters) DeepCopyInto(out *SecretsMountM if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -7344,6 +7746,11 @@ func (in *SecretsMountMySQLLegacyInitParameters) DeepCopyInto(out *SecretsMountM *out = new(string) **out = **in } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) @@ -7360,11 +7767,21 @@ func (in *SecretsMountMySQLLegacyInitParameters) DeepCopyInto(out *SecretsMountM } } } + if in.ServiceAccountJSONSecretRef != nil { + in, out := &in.ServiceAccountJSONSecretRef, &out.ServiceAccountJSONSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.TLSCA != nil { in, out := &in.TLSCA, &out.TLSCA *out = new(string) **out = **in } + if in.TLSCertificateKeySecretRef != nil { + in, out := &in.TLSCertificateKeySecretRef, &out.TLSCertificateKeySecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) 
@@ -7424,7 +7841,8 @@ func (in *SecretsMountMySQLLegacyObservation) DeepCopyInto(out *SecretsMountMySQ if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -7531,7 +7949,8 @@ func (in *SecretsMountMySQLLegacyParameters) DeepCopyInto(out *SecretsMountMySQL if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -7653,7 +8072,8 @@ func (in *SecretsMountMySQLObservation) DeepCopyInto(out *SecretsMountMySQLObser if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -7760,7 +8180,8 @@ func (in *SecretsMountMySQLParameters) DeepCopyInto(out *SecretsMountMySQLParame if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -7882,7 +8303,8 @@ func (in *SecretsMountMySQLRDSInitParameters) DeepCopyInto(out *SecretsMountMySQ if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -7909,6 +8331,11 @@ func (in *SecretsMountMySQLRDSInitParameters) DeepCopyInto(out *SecretsMountMySQ *out = new(string) **out = **in } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) 
@@ -7925,11 +8352,21 @@ func (in *SecretsMountMySQLRDSInitParameters) DeepCopyInto(out *SecretsMountMySQ } } } + if in.ServiceAccountJSONSecretRef != nil { + in, out := &in.ServiceAccountJSONSecretRef, &out.ServiceAccountJSONSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.TLSCA != nil { in, out := &in.TLSCA, &out.TLSCA *out = new(string) **out = **in } + if in.TLSCertificateKeySecretRef != nil { + in, out := &in.TLSCertificateKeySecretRef, &out.TLSCertificateKeySecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -7989,7 +8426,8 @@ func (in *SecretsMountMySQLRDSObservation) DeepCopyInto(out *SecretsMountMySQLRD if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -8096,7 +8534,8 @@ func (in *SecretsMountMySQLRDSParameters) DeepCopyInto(out *SecretsMountMySQLRDS if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -8205,6 +8644,17 @@ func (in *SecretsMountObservation) DeepCopyInto(out *SecretsMountObservation) { } } } + if in.AllowedResponseHeaders != nil { + in, out := &in.AllowedResponseHeaders, &out.AllowedResponseHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.AuditNonHMACRequestKeys != nil { in, out := &in.AuditNonHMACRequestKeys, &out.AuditNonHMACRequestKeys *out = make([]*string, len(*in)) 
@@ -8246,6 +8696,17 @@ func (in *SecretsMountObservation) DeepCopyInto(out *SecretsMountObservation) { *out = new(float64) **out = **in } + if in.DelegatedAuthAccessors != nil { + in, out := &in.DelegatedAuthAccessors, &out.DelegatedAuthAccessors + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Description != nil { in, out := &in.Description, &out.Description *out = new(string) @@ -8280,6 +8741,11 @@ func (in *SecretsMountObservation) DeepCopyInto(out *SecretsMountObservation) { *out = new(string) **out = **in } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } if in.Influxdb != nil { in, out := &in.Influxdb, &out.Influxdb *out = make([]SecretsMountInfluxdbObservation, len(*in)) @@ -8287,6 +8753,11 @@ func (in *SecretsMountObservation) DeepCopyInto(out *SecretsMountObservation) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.ListingVisibility != nil { + in, out := &in.ListingVisibility, &out.ListingVisibility + *out = new(string) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) @@ -8359,7 +8830,8 @@ func (in *SecretsMountObservation) DeepCopyInto(out *SecretsMountObservation) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } 
@@ -8373,11 +8845,27 @@ func (in *SecretsMountObservation) DeepCopyInto(out *SecretsMountObservation) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.PassthroughRequestHeaders != nil { + in, out := &in.PassthroughRequestHeaders, &out.PassthroughRequestHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Path != nil { in, out := &in.Path, &out.Path *out = new(string) **out = **in } + if in.PluginVersion != nil { + in, out := &in.PluginVersion, &out.PluginVersion + *out = new(string) + **out = **in + } if in.Postgresql != nil { in, out := &in.Postgresql, &out.Postgresql *out = make([]SecretsMountPostgresqlObservation, len(*in)) @@ -8457,7 +8945,8 @@ func (in *SecretsMountOracleInitParameters) DeepCopyInto(out *SecretsMountOracle if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -8489,6 +8978,11 @@ func (in *SecretsMountOracleInitParameters) DeepCopyInto(out *SecretsMountOracle *out = new(string) **out = **in } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) @@ -8564,7 +9058,8 @@ func (in *SecretsMountOracleObservation) DeepCopyInto(out *SecretsMountOracleObs if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -8671,7 +9166,8 @@ func (in *SecretsMountOracleParameters) DeepCopyInto(out *SecretsMountOraclePara if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } 
@@ -8770,6 +9266,17 @@ func (in *SecretsMountParameters) DeepCopyInto(out *SecretsMountParameters) { } } } + if in.AllowedResponseHeaders != nil { + in, out := &in.AllowedResponseHeaders, &out.AllowedResponseHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.AuditNonHMACRequestKeys != nil { in, out := &in.AuditNonHMACRequestKeys, &out.AuditNonHMACRequestKeys *out = make([]*string, len(*in)) @@ -8811,6 +9318,17 @@ func (in *SecretsMountParameters) DeepCopyInto(out *SecretsMountParameters) { *out = new(float64) **out = **in } + if in.DelegatedAuthAccessors != nil { + in, out := &in.DelegatedAuthAccessors, &out.DelegatedAuthAccessors + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Description != nil { in, out := &in.Description, &out.Description *out = new(string) @@ -8835,6 +9353,11 @@ func (in *SecretsMountParameters) DeepCopyInto(out *SecretsMountParameters) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } if in.Influxdb != nil { in, out := &in.Influxdb, &out.Influxdb *out = make([]SecretsMountInfluxdbParameters, len(*in)) @@ -8842,6 +9365,11 @@ func (in *SecretsMountParameters) DeepCopyInto(out *SecretsMountParameters) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.ListingVisibility != nil { + in, out := &in.ListingVisibility, &out.ListingVisibility + *out = new(string) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) 
@@ -8914,7 +9442,8 @@ func (in *SecretsMountParameters) DeepCopyInto(out *SecretsMountParameters) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -8928,11 +9457,27 @@ func (in *SecretsMountParameters) DeepCopyInto(out *SecretsMountParameters) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.PassthroughRequestHeaders != nil { + in, out := &in.PassthroughRequestHeaders, &out.PassthroughRequestHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Path != nil { in, out := &in.Path, &out.Path *out = new(string) **out = **in } + if in.PluginVersion != nil { + in, out := &in.PluginVersion, &out.PluginVersion + *out = new(string) + **out = **in + } if in.Postgresql != nil { in, out := &in.Postgresql, &out.Postgresql *out = make([]SecretsMountPostgresqlParameters, len(*in)) @@ -9017,7 +9562,8 @@ func (in *SecretsMountPostgresqlInitParameters) DeepCopyInto(out *SecretsMountPo if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -9049,6 +9595,11 @@ func (in *SecretsMountPostgresqlInitParameters) DeepCopyInto(out *SecretsMountPo *out = new(string) **out = **in } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) 
@@ -9065,6 +9616,11 @@ func (in *SecretsMountPostgresqlInitParameters) DeepCopyInto(out *SecretsMountPo } } } + if in.ServiceAccountJSONSecretRef != nil { + in, out := &in.ServiceAccountJSONSecretRef, &out.ServiceAccountJSONSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -9124,7 +9680,8 @@ func (in *SecretsMountPostgresqlObservation) DeepCopyInto(out *SecretsMountPostg if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -9231,7 +9788,8 @@ func (in *SecretsMountPostgresqlParameters) DeepCopyInto(out *SecretsMountPostgr if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -9338,7 +9896,8 @@ func (in *SecretsMountRedisElasticacheInitParameters) DeepCopyInto(out *SecretsM if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -9350,6 +9909,11 @@ func (in *SecretsMountRedisElasticacheInitParameters) DeepCopyInto(out *SecretsM *out = new(string) **out = **in } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) @@ -9376,6 +9940,11 @@ func (in *SecretsMountRedisElasticacheInitParameters) DeepCopyInto(out *SecretsM *out = new(string) **out = **in } + if in.UsernameSecretRef != nil { + in, out := &in.UsernameSecretRef, &out.UsernameSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.VerifyConnection != nil { in, out := &in.VerifyConnection, &out.VerifyConnection *out = new(bool) 
@@ -9415,7 +9984,8 @@ func (in *SecretsMountRedisElasticacheObservation) DeepCopyInto(out *SecretsMoun if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -9492,7 +10062,8 @@ func (in *SecretsMountRedisElasticacheParameters) DeepCopyInto(out *SecretsMount if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -9584,7 +10155,8 @@ func (in *SecretsMountRedisInitParameters) DeepCopyInto(out *SecretsMountRedisIn if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -9606,6 +10178,7 @@ func (in *SecretsMountRedisInitParameters) DeepCopyInto(out *SecretsMountRedisIn *out = new(string) **out = **in } + out.PasswordSecretRef = in.PasswordSecretRef if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) @@ -9681,7 +10254,8 @@ func (in *SecretsMountRedisObservation) DeepCopyInto(out *SecretsMountRedisObser if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -9778,7 +10352,8 @@ func (in *SecretsMountRedisParameters) DeepCopyInto(out *SecretsMountRedisParame if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -9876,7 +10451,8 @@ func (in *SecretsMountRedshiftInitParameters) DeepCopyInto(out *SecretsMountReds if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } 
@@ -9908,6 +10484,11 @@ func (in *SecretsMountRedshiftInitParameters) DeepCopyInto(out *SecretsMountReds *out = new(string) **out = **in } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) @@ -9978,7 +10559,8 @@ func (in *SecretsMountRedshiftObservation) DeepCopyInto(out *SecretsMountRedshif if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -10080,7 +10662,8 @@ func (in *SecretsMountRedshiftParameters) DeepCopyInto(out *SecretsMountRedshift if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -10187,7 +10770,8 @@ func (in *SecretsMountSnowflakeInitParameters) DeepCopyInto(out *SecretsMountSno if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -10214,6 +10798,11 @@ func (in *SecretsMountSnowflakeInitParameters) DeepCopyInto(out *SecretsMountSno *out = new(string) **out = **in } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.PluginName != nil { in, out := &in.PluginName, &out.PluginName *out = new(string) @@ -10284,7 +10873,8 @@ func (in *SecretsMountSnowflakeObservation) DeepCopyInto(out *SecretsMountSnowfl if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } 
@@ -10381,7 +10971,8 @@ func (in *SecretsMountSnowflakeParameters) DeepCopyInto(out *SecretsMountSnowfla if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -10514,6 +11105,11 @@ func (in *SnowflakeInitParameters) DeepCopyInto(out *SnowflakeInitParameters) { *out = new(float64) **out = **in } + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) diff --git a/apis/database/v1alpha1/zz_generated.managed.go b/apis/database/v1alpha1/zz_generated.managed.go index cc4d23c1..c3e417c0 100644 --- a/apis/database/v1alpha1/zz_generated.managed.go +++ b/apis/database/v1alpha1/zz_generated.managed.go @@ -27,14 +27,6 @@ func (mg *SecretBackendConnection) GetProviderConfigReference() *xpv1.Reference return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretBackendConnection. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretBackendConnection) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretBackendConnection. func (mg *SecretBackendConnection) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -65,14 +57,6 @@ func (mg *SecretBackendConnection) SetProviderConfigReference(r *xpv1.Reference) mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretBackendConnection. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretBackendConnection) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretBackendConnection. func (mg *SecretBackendConnection) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -103,14 +87,6 @@ func (mg *SecretBackendRole) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretBackendRole. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretBackendRole) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretBackendRole. func (mg *SecretBackendRole) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -141,14 +117,6 @@ func (mg *SecretBackendRole) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretBackendRole. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretBackendRole) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretBackendRole. func (mg *SecretBackendRole) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r 
@@ -179,14 +147,6 @@ func (mg *SecretBackendStaticRole) GetProviderConfigReference() *xpv1.Reference return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretBackendStaticRole. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretBackendStaticRole) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretBackendStaticRole. func (mg *SecretBackendStaticRole) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -217,14 +177,6 @@ func (mg *SecretBackendStaticRole) SetProviderConfigReference(r *xpv1.Reference) mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretBackendStaticRole. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretBackendStaticRole) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretBackendStaticRole. func (mg *SecretBackendStaticRole) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -255,14 +207,6 @@ func (mg *SecretsMount) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretsMount. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretsMount) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretsMount. func (mg *SecretsMount) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -293,14 +237,6 @@ func (mg *SecretsMount) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretsMount. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretsMount) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretsMount. func (mg *SecretsMount) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/database/v1alpha1/zz_generated.resolvers.go b/apis/database/v1alpha1/zz_generated.resolvers.go new file mode 100644 index 00000000..15d141c0 --- /dev/null +++ b/apis/database/v1alpha1/zz_generated.resolvers.go 
@@ -0,0 +1,205 @@ +/* +Copyright 2022 Upbound Inc. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + reference "github.com/crossplane/crossplane-runtime/pkg/reference" + resource "github.com/crossplane/upjet/pkg/resource" + errors "github.com/pkg/errors" + v1alpha1 "github.com/upbound/provider-vault/apis/vault/v1alpha1" + client "sigs.k8s.io/controller-runtime/pkg/client" +) + +// ResolveReferences of this SecretBackendConnection. +func (mg *SecretBackendConnection) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this SecretBackendRole. 
+func (mg *SecretBackendRole) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.DBName), + Extract: resource.ExtractParamPath("name", false), + Reference: mg.Spec.ForProvider.DBNameRef, + Selector: mg.Spec.ForProvider.DBNameSelector, + To: reference.To{ + List: &SecretBackendConnectionList{}, + Managed: &SecretBackendConnection{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.DBName") + } + mg.Spec.ForProvider.DBName = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.DBNameRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + 
CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.DBName), + Extract: resource.ExtractParamPath("name", false), + Reference: mg.Spec.InitProvider.DBNameRef, + Selector: mg.Spec.InitProvider.DBNameSelector, + To: reference.To{ + List: &SecretBackendConnectionList{}, + Managed: &SecretBackendConnection{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.DBName") + } + mg.Spec.InitProvider.DBName = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.DBNameRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this SecretBackendStaticRole. +func (mg *SecretBackendStaticRole) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.DBName), + Extract: resource.ExtractParamPath("name", false), + Reference: mg.Spec.ForProvider.DBNameRef, + Selector: mg.Spec.ForProvider.DBNameSelector, + To: reference.To{ + List: &SecretBackendConnectionList{}, + Managed: &SecretBackendConnection{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.DBName") + } + mg.Spec.ForProvider.DBName = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.DBNameRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, 
reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.DBName), + Extract: resource.ExtractParamPath("name", false), + Reference: mg.Spec.InitProvider.DBNameRef, + Selector: mg.Spec.InitProvider.DBNameSelector, + To: reference.To{ + List: &SecretBackendConnectionList{}, + Managed: &SecretBackendConnection{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.DBName") + } + mg.Spec.InitProvider.DBName = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.DBNameRef = rsp.ResolvedReference + + return nil +} diff --git a/apis/database/v1alpha1/zz_generated_terraformed.go b/apis/database/v1alpha1/zz_generated_terraformed.go deleted file mode 100755 index 187d5338..00000000 --- a/apis/database/v1alpha1/zz_generated_terraformed.go +++ /dev/null 
@@ -1,350 +0,0 @@ -/* -Copyright 2022 Upbound Inc. -*/ - -// Code generated by upjet. DO NOT EDIT. - -package v1alpha1 - -import ( - "github.com/pkg/errors" - - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" -) - -// GetTerraformResourceType returns Terraform resource type for this SecretBackendConnection -func (mg *SecretBackendConnection) GetTerraformResourceType() string { - return "vault_database_secret_backend_connection" -} - -// GetConnectionDetailsMapping for this SecretBackendConnection -func (tr *SecretBackendConnection) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"cassandra[*].password": "spec.forProvider.cassandra[*].passwordSecretRef", "cassandra[*].pem_bundle": "spec.forProvider.cassandra[*].pemBundleSecretRef", "cassandra[*].pem_json": "spec.forProvider.cassandra[*].pemJsonSecretRef", "couchbase[*].base64_pem": "spec.forProvider.couchbase[*].base64PemSecretRef", "couchbase[*].password": "spec.forProvider.couchbase[*].passwordSecretRef", "elasticsearch[*].password": "spec.forProvider.elasticsearch[*].passwordSecretRef", "hana[*].password": "spec.forProvider.hana[*].passwordSecretRef", "influxdb[*].password": "spec.forProvider.influxdb[*].passwordSecretRef", "influxdb[*].pem_bundle": "spec.forProvider.influxdb[*].pemBundleSecretRef", "influxdb[*].pem_json": "spec.forProvider.influxdb[*].pemJsonSecretRef", "mongodb[*].password": "spec.forProvider.mongodb[*].passwordSecretRef", "mongodbatlas[*].private_key": "spec.forProvider.mongodbatlas[*].privateKeySecretRef", "mssql[*].password": "spec.forProvider.mssql[*].passwordSecretRef", "mysql[*].password": "spec.forProvider.mysql[*].passwordSecretRef", "mysql[*].service_account_json": "spec.forProvider.mysql[*].serviceAccountJsonSecretRef", "mysql[*].tls_certificate_key": "spec.forProvider.mysql[*].tlsCertificateKeySecretRef", "mysql_aurora[*].password": "spec.forProvider.mysqlAurora[*].passwordSecretRef", 
"mysql_aurora[*].service_account_json": "spec.forProvider.mysqlAurora[*].serviceAccountJsonSecretRef", "mysql_aurora[*].tls_certificate_key": "spec.forProvider.mysqlAurora[*].tlsCertificateKeySecretRef", "mysql_legacy[*].password": "spec.forProvider.mysqlLegacy[*].passwordSecretRef", "mysql_legacy[*].service_account_json": "spec.forProvider.mysqlLegacy[*].serviceAccountJsonSecretRef", "mysql_legacy[*].tls_certificate_key": "spec.forProvider.mysqlLegacy[*].tlsCertificateKeySecretRef", "mysql_rds[*].password": "spec.forProvider.mysqlRds[*].passwordSecretRef", "mysql_rds[*].service_account_json": "spec.forProvider.mysqlRds[*].serviceAccountJsonSecretRef", "mysql_rds[*].tls_certificate_key": "spec.forProvider.mysqlRds[*].tlsCertificateKeySecretRef", "oracle[*].password": "spec.forProvider.oracle[*].passwordSecretRef", "postgresql[*].password": "spec.forProvider.postgresql[*].passwordSecretRef", "postgresql[*].service_account_json": "spec.forProvider.postgresql[*].serviceAccountJsonSecretRef", "redis[*].password": "spec.forProvider.redis[*].passwordSecretRef", "redis_elasticache[*].password": "spec.forProvider.redisElasticache[*].passwordSecretRef", "redis_elasticache[*].username": "spec.forProvider.redisElasticache[*].usernameSecretRef", "redshift[*].password": "spec.forProvider.redshift[*].passwordSecretRef", "snowflake[*].password": "spec.forProvider.snowflake[*].passwordSecretRef"} -} - -// GetObservation of this SecretBackendConnection -func (tr *SecretBackendConnection) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretBackendConnection -func (tr *SecretBackendConnection) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID 
returns ID of underlying Terraform resource of this SecretBackendConnection -func (tr *SecretBackendConnection) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this SecretBackendConnection -func (tr *SecretBackendConnection) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this SecretBackendConnection -func (tr *SecretBackendConnection) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this SecretBackendConnection -func (tr *SecretBackendConnection) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this SecretBackendConnection using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretBackendConnection) LateInitialize(attrs []byte) (bool, error) { - params := &SecretBackendConnectionParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretBackendConnection) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this SecretBackendRole -func (mg *SecretBackendRole) GetTerraformResourceType() string { - return "vault_database_secret_backend_role" -} - -// GetConnectionDetailsMapping for this SecretBackendRole -func (tr *SecretBackendRole) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this SecretBackendRole -func (tr *SecretBackendRole) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretBackendRole -func (tr *SecretBackendRole) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this SecretBackendRole -func (tr *SecretBackendRole) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this SecretBackendRole -func (tr *SecretBackendRole) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this SecretBackendRole -func (tr *SecretBackendRole) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this SecretBackendRole -func (tr *SecretBackendRole) 
GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this SecretBackendRole using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretBackendRole) LateInitialize(attrs []byte) (bool, error) { - params := &SecretBackendRoleParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretBackendRole) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this SecretBackendStaticRole -func (mg *SecretBackendStaticRole) GetTerraformResourceType() string { - return "vault_database_secret_backend_static_role" -} - -// GetConnectionDetailsMapping for this SecretBackendStaticRole -func (tr *SecretBackendStaticRole) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this SecretBackendStaticRole -func (tr *SecretBackendStaticRole) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretBackendStaticRole -func (tr *SecretBackendStaticRole) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, 
&tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this SecretBackendStaticRole -func (tr *SecretBackendStaticRole) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this SecretBackendStaticRole -func (tr *SecretBackendStaticRole) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this SecretBackendStaticRole -func (tr *SecretBackendStaticRole) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this SecretBackendStaticRole -func (tr *SecretBackendStaticRole) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this SecretBackendStaticRole using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretBackendStaticRole) LateInitialize(attrs []byte) (bool, error) { - params := &SecretBackendStaticRoleParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretBackendStaticRole) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this SecretsMount -func (mg *SecretsMount) GetTerraformResourceType() string { - return "vault_database_secrets_mount" -} - -// GetConnectionDetailsMapping for this SecretsMount -func (tr *SecretsMount) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"cassandra[*].password": "spec.forProvider.cassandra[*].passwordSecretRef", "cassandra[*].pem_bundle": "spec.forProvider.cassandra[*].pemBundleSecretRef", "cassandra[*].pem_json": "spec.forProvider.cassandra[*].pemJsonSecretRef", "couchbase[*].base64_pem": "spec.forProvider.couchbase[*].base64PemSecretRef", "couchbase[*].password": "spec.forProvider.couchbase[*].passwordSecretRef", "elasticsearch[*].password": "spec.forProvider.elasticsearch[*].passwordSecretRef", "hana[*].password": "spec.forProvider.hana[*].passwordSecretRef", "influxdb[*].password": "spec.forProvider.influxdb[*].passwordSecretRef", "influxdb[*].pem_bundle": "spec.forProvider.influxdb[*].pemBundleSecretRef", "influxdb[*].pem_json": "spec.forProvider.influxdb[*].pemJsonSecretRef", "mongodb[*].password": "spec.forProvider.mongodb[*].passwordSecretRef", "mongodbatlas[*].private_key": "spec.forProvider.mongodbatlas[*].privateKeySecretRef", "mssql[*].password": "spec.forProvider.mssql[*].passwordSecretRef", "mysql[*].password": "spec.forProvider.mysql[*].passwordSecretRef", "mysql[*].service_account_json": "spec.forProvider.mysql[*].serviceAccountJsonSecretRef", "mysql[*].tls_certificate_key": "spec.forProvider.mysql[*].tlsCertificateKeySecretRef", "mysql_aurora[*].password": "spec.forProvider.mysqlAurora[*].passwordSecretRef", "mysql_aurora[*].service_account_json": "spec.forProvider.mysqlAurora[*].serviceAccountJsonSecretRef", 
"mysql_aurora[*].tls_certificate_key": "spec.forProvider.mysqlAurora[*].tlsCertificateKeySecretRef", "mysql_legacy[*].password": "spec.forProvider.mysqlLegacy[*].passwordSecretRef", "mysql_legacy[*].service_account_json": "spec.forProvider.mysqlLegacy[*].serviceAccountJsonSecretRef", "mysql_legacy[*].tls_certificate_key": "spec.forProvider.mysqlLegacy[*].tlsCertificateKeySecretRef", "mysql_rds[*].password": "spec.forProvider.mysqlRds[*].passwordSecretRef", "mysql_rds[*].service_account_json": "spec.forProvider.mysqlRds[*].serviceAccountJsonSecretRef", "mysql_rds[*].tls_certificate_key": "spec.forProvider.mysqlRds[*].tlsCertificateKeySecretRef", "oracle[*].password": "spec.forProvider.oracle[*].passwordSecretRef", "postgresql[*].password": "spec.forProvider.postgresql[*].passwordSecretRef", "postgresql[*].service_account_json": "spec.forProvider.postgresql[*].serviceAccountJsonSecretRef", "redis[*].password": "spec.forProvider.redis[*].passwordSecretRef", "redis_elasticache[*].password": "spec.forProvider.redisElasticache[*].passwordSecretRef", "redis_elasticache[*].username": "spec.forProvider.redisElasticache[*].usernameSecretRef", "redshift[*].password": "spec.forProvider.redshift[*].passwordSecretRef", "snowflake[*].password": "spec.forProvider.snowflake[*].passwordSecretRef"} -} - -// GetObservation of this SecretsMount -func (tr *SecretsMount) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretsMount -func (tr *SecretsMount) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this SecretsMount -func (tr *SecretsMount) GetID() string { - if tr.Status.AtProvider.ID == nil { - 
return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this SecretsMount -func (tr *SecretsMount) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this SecretsMount -func (tr *SecretsMount) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this SecretsMount -func (tr *SecretsMount) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this SecretsMount using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretsMount) LateInitialize(attrs []byte) (bool, error) { - params := &SecretsMountParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretsMount) GetTerraformSchemaVersion() int { - return 0 -} diff --git a/apis/database/v1alpha1/zz_secretbackendconnection_terraformed.go b/apis/database/v1alpha1/zz_secretbackendconnection_terraformed.go new file mode 100755 index 00000000..312b9022 --- /dev/null +++ b/apis/database/v1alpha1/zz_secretbackendconnection_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretBackendConnection +func (mg *SecretBackendConnection) GetTerraformResourceType() string { + return "vault_database_secret_backend_connection" +} + +// GetConnectionDetailsMapping for this SecretBackendConnection +func (tr *SecretBackendConnection) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"cassandra[*].password": "cassandra[*].passwordSecretRef", "cassandra[*].pem_bundle": "cassandra[*].pemBundleSecretRef", "cassandra[*].pem_json": "cassandra[*].pemJsonSecretRef", "couchbase[*].base64_pem": "couchbase[*].base64PemSecretRef", "couchbase[*].password": "couchbase[*].passwordSecretRef", "elasticsearch[*].password": "elasticsearch[*].passwordSecretRef", "hana[*].password": "hana[*].passwordSecretRef", "influxdb[*].password": "influxdb[*].passwordSecretRef", "influxdb[*].pem_bundle": "influxdb[*].pemBundleSecretRef", "influxdb[*].pem_json": "influxdb[*].pemJsonSecretRef", "mongodb[*].password": "mongodb[*].passwordSecretRef", "mongodbatlas[*].private_key": "mongodbatlas[*].privateKeySecretRef", "mssql[*].password": "mssql[*].passwordSecretRef", "mysql[*].password": "mysql[*].passwordSecretRef", "mysql[*].service_account_json": "mysql[*].serviceAccountJsonSecretRef", "mysql[*].tls_certificate_key": "mysql[*].tlsCertificateKeySecretRef", "mysql_aurora[*].password": "mysqlAurora[*].passwordSecretRef", "mysql_aurora[*].service_account_json": "mysqlAurora[*].serviceAccountJsonSecretRef", "mysql_aurora[*].tls_certificate_key": "mysqlAurora[*].tlsCertificateKeySecretRef", "mysql_legacy[*].password": "mysqlLegacy[*].passwordSecretRef", "mysql_legacy[*].service_account_json": 
"mysqlLegacy[*].serviceAccountJsonSecretRef", "mysql_legacy[*].tls_certificate_key": "mysqlLegacy[*].tlsCertificateKeySecretRef", "mysql_rds[*].password": "mysqlRds[*].passwordSecretRef", "mysql_rds[*].service_account_json": "mysqlRds[*].serviceAccountJsonSecretRef", "mysql_rds[*].tls_certificate_key": "mysqlRds[*].tlsCertificateKeySecretRef", "oracle[*].password": "oracle[*].passwordSecretRef", "postgresql[*].password": "postgresql[*].passwordSecretRef", "postgresql[*].service_account_json": "postgresql[*].serviceAccountJsonSecretRef", "redis[*].password": "redis[*].passwordSecretRef", "redis_elasticache[*].password": "redisElasticache[*].passwordSecretRef", "redis_elasticache[*].username": "redisElasticache[*].usernameSecretRef", "redshift[*].password": "redshift[*].passwordSecretRef", "snowflake[*].password": "snowflake[*].passwordSecretRef"} +} + +// GetObservation of this SecretBackendConnection +func (tr *SecretBackendConnection) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretBackendConnection +func (tr *SecretBackendConnection) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretBackendConnection +func (tr *SecretBackendConnection) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretBackendConnection +func (tr *SecretBackendConnection) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for 
this SecretBackendConnection +func (tr *SecretBackendConnection) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this SecretBackendConnection +func (tr *SecretBackendConnection) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretBackendConnection +func (tr *SecretBackendConnection) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretBackendConnection using its observed tfState. +// returns True if there are any spec changes for the resource. 
+func (tr *SecretBackendConnection) LateInitialize(attrs []byte) (bool, error) { + params := &SecretBackendConnectionParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretBackendConnection) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/database/v1alpha1/zz_secretbackendconnection_types.go b/apis/database/v1alpha1/zz_secretbackendconnection_types.go index 79bdb9d2..64882119 100755 --- a/apis/database/v1alpha1/zz_secretbackendconnection_types.go +++ b/apis/database/v1alpha1/zz_secretbackendconnection_types.go 
@@ -29,6 +29,19 @@ type CassandraInitParameters struct { // Whether to skip verification of the server certificate when using TLS. InsecureTLS *bool `json:"insecureTls,omitempty" tf:"insecure_tls,omitempty"` + // The password to authenticate with. + // The password to use when authenticating with Cassandra. + PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + + // Concatenated PEM blocks configuring the certificate + // chain. + // Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. + PemBundleSecretRef *v1.SecretKeySelector `json:"pemBundleSecretRef,omitempty" tf:"-"` + + // A JSON structure configuring the certificate chain. + // Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. + PemJSONSecretRef *v1.SecretKeySelector `json:"pemJsonSecretRef,omitempty" tf:"-"` + // The default port to connect to if no port is specified as // part of the host. // The transport port to use to connect to Cassandra. @@ -140,6 +153,10 @@ type CassandraParameters struct { type CouchbaseInitParameters struct { + // Required if tls is true. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded. + // Required if `tls` is `true`. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded. + Base64PemSecretRef *v1.SecretKeySelector `json:"base64PemSecretRef,omitempty" tf:"-"` + // Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. // Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"` 
@@ -153,6 +170,10 @@ type CouchbaseInitParameters struct { // Specifies whether to skip verification of the server certificate when using TLS. InsecureTLS *bool `json:"insecureTls,omitempty" tf:"insecure_tls,omitempty"` + // The password to authenticate with. + // Specifies the password corresponding to the given username. + PasswordSecretRef v1.SecretKeySelector `json:"passwordSecretRef" tf:"-"` + // Whether to use TLS when connecting to Cassandra. // Specifies whether to use TLS when connecting to Couchbase. TLS *bool `json:"tls,omitempty" tf:"tls,omitempty"` @@ -209,7 +230,7 @@ type CouchbaseParameters struct { // The hosts to connect to. // A set of Couchbase URIs to connect to. Must use `couchbases://` scheme if `tls` is `true`. // +kubebuilder:validation:Optional - Hosts []*string `json:"hosts,omitempty" tf:"hosts,omitempty"` + Hosts []*string `json:"hosts" tf:"hosts,omitempty"` // Whether to skip verification of the server // certificate when using TLS. @@ -219,7 +240,7 @@ type CouchbaseParameters struct { // The password to authenticate with. // Specifies the password corresponding to the given username. - // +kubebuilder:validation:Required + // +kubebuilder:validation:Optional PasswordSecretRef v1.SecretKeySelector `json:"passwordSecretRef" tf:"-"` // Whether to use TLS when connecting to Cassandra. @@ -230,7 +251,7 @@ type CouchbaseParameters struct { // The username to authenticate with. // Specifies the username for Vault to use. // +kubebuilder:validation:Optional - Username *string `json:"username,omitempty" tf:"username,omitempty"` + Username *string `json:"username" tf:"username,omitempty"` // Template describing how dynamic usernames are generated. // Template describing how dynamic usernames are generated. 
@@ -260,6 +281,10 @@ type ElasticsearchInitParameters struct { // Whether to disable certificate verification Insecure *bool `json:"insecure,omitempty" tf:"insecure,omitempty"` + // The password to authenticate with. + // The password to be used in the connection URL + PasswordSecretRef v1.SecretKeySelector `json:"passwordSecretRef" tf:"-"` + // This, if set, is used to set the SNI host when connecting via TLS. // This, if set, is used to set the SNI host when connecting via TLS TLSServerName *string `json:"tlsServerName,omitempty" tf:"tls_server_name,omitempty"` @@ -345,7 +370,7 @@ type ElasticsearchParameters struct { // The password to authenticate with. // The password to be used in the connection URL - // +kubebuilder:validation:Required + // +kubebuilder:validation:Optional PasswordSecretRef v1.SecretKeySelector `json:"passwordSecretRef" tf:"-"` // This, if set, is used to set the SNI host when connecting via TLS. @@ -356,12 +381,12 @@ type ElasticsearchParameters struct { // The url to connect to including the port; e.g. master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. // The URL for Elasticsearch's API // +kubebuilder:validation:Optional - URL *string `json:"url,omitempty" tf:"url,omitempty"` + URL *string `json:"url" tf:"url,omitempty"` // The username to authenticate with. // The username to be used in the connection URL // +kubebuilder:validation:Optional - Username *string `json:"username,omitempty" tf:"username,omitempty"` + Username *string `json:"username" tf:"username,omitempty"` // Template describing how dynamic usernames are generated. // Template describing how dynamic usernames are generated. 
@@ -397,6 +422,10 @@ type HanaInitParameters struct { // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // The password to authenticate with. + // The root credential password used in the connection URL + PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` @@ -495,6 +524,19 @@ type InfluxdbInitParameters struct { // Whether to skip verification of the server certificate when using TLS. InsecureTLS *bool `json:"insecureTls,omitempty" tf:"insecure_tls,omitempty"` + // The password to authenticate with. + // Specifies the password corresponding to the given username. + PasswordSecretRef v1.SecretKeySelector `json:"passwordSecretRef" tf:"-"` + + // Concatenated PEM blocks configuring the certificate + // chain. + // Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. + PemBundleSecretRef *v1.SecretKeySelector `json:"pemBundleSecretRef,omitempty" tf:"-"` + + // A JSON structure configuring the certificate chain. + // Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. + PemJSONSecretRef *v1.SecretKeySelector `json:"pemJsonSecretRef,omitempty" tf:"-"` + // The default port to connect to if no port is specified as // part of the host. // The transport port to use to connect to Influxdb. 
@@ -558,7 +600,7 @@ type InfluxdbParameters struct { // The host to connect to. // Influxdb host to connect to. // +kubebuilder:validation:Optional - Host *string `json:"host,omitempty" tf:"host,omitempty"` + Host *string `json:"host" tf:"host,omitempty"` // Whether to skip verification of the server // certificate when using TLS. @@ -568,7 +610,7 @@ type InfluxdbParameters struct { // The password to authenticate with. // Specifies the password corresponding to the given username. - // +kubebuilder:validation:Required + // +kubebuilder:validation:Optional PasswordSecretRef v1.SecretKeySelector `json:"passwordSecretRef" tf:"-"` // Concatenated PEM blocks configuring the certificate @@ -596,7 +638,7 @@ type InfluxdbParameters struct { // The username to authenticate with. // Specifies the username to use for superuser access. // +kubebuilder:validation:Optional - Username *string `json:"username,omitempty" tf:"username,omitempty"` + Username *string `json:"username" tf:"username,omitempty"` // Template describing how dynamic usernames are generated. // Template describing how dynamic usernames are generated. @@ -628,6 +670,10 @@ type MongodbInitParameters struct { // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // The password to authenticate with. + // The root credential password used in the connection URL + PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` 
@@ -716,6 +762,10 @@ type MongodbParameters struct { type MongodbatlasInitParameters struct { + // The Private Programmatic API Key used to connect with MongoDB Atlas API. + // The Private Programmatic API Key used to connect with MongoDB Atlas API. + PrivateKeySecretRef v1.SecretKeySelector `json:"privateKeySecretRef" tf:"-"` + // The Project ID the Database User should be created within. // The Project ID the Database User should be created within. ProjectID *string `json:"projectId,omitempty" tf:"project_id,omitempty"` @@ -740,18 +790,18 @@ type MongodbatlasParameters struct { // The Private Programmatic API Key used to connect with MongoDB Atlas API. // The Private Programmatic API Key used to connect with MongoDB Atlas API. - // +kubebuilder:validation:Required + // +kubebuilder:validation:Optional PrivateKeySecretRef v1.SecretKeySelector `json:"privateKeySecretRef" tf:"-"` // The Project ID the Database User should be created within. // The Project ID the Database User should be created within. // +kubebuilder:validation:Optional - ProjectID *string `json:"projectId,omitempty" tf:"project_id,omitempty"` + ProjectID *string `json:"projectId" tf:"project_id,omitempty"` // The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. // The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. // +kubebuilder:validation:Optional - PublicKey *string `json:"publicKey,omitempty" tf:"public_key,omitempty"` + PublicKey *string `json:"publicKey" tf:"public_key,omitempty"` } type MssqlInitParameters struct { 
@@ -789,6 +839,10 @@ type MssqlInitParameters struct { // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // The password to authenticate with. + // The root credential password used in the connection URL + PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` 
@@ -927,10 +981,22 @@ type MySQLAuroraInitParameters struct { // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // The password to authenticate with. + // The root credential password used in the connection URL + PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + + // JSON encoding of an IAM access key. Requires auth_type to be gcp_iam. + // A JSON encoded credential for use with IAM authorization + ServiceAccountJSONSecretRef *v1.SecretKeySelector `json:"serviceAccountJsonSecretRef,omitempty" tf:"-"` + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. TLSCA *string `json:"tlsCa,omitempty" tf:"tls_ca,omitempty"` + // x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + // x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + TLSCertificateKeySecretRef *v1.SecretKeySelector `json:"tlsCertificateKeySecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` 
@@ -1073,10 +1139,22 @@ type MySQLInitParameters struct { // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // The password to authenticate with. + // The root credential password used in the connection URL + PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + + // JSON encoding of an IAM access key. Requires auth_type to be gcp_iam. + // A JSON encoded credential for use with IAM authorization + ServiceAccountJSONSecretRef *v1.SecretKeySelector `json:"serviceAccountJsonSecretRef,omitempty" tf:"-"` + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. TLSCA *string `json:"tlsCa,omitempty" tf:"tls_ca,omitempty"` + // x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + // x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + TLSCertificateKeySecretRef *v1.SecretKeySelector `json:"tlsCertificateKeySecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` 
@@ -1114,10 +1192,22 @@ type MySQLLegacyInitParameters struct { // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // The password to authenticate with. + // The root credential password used in the connection URL + PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + + // JSON encoding of an IAM access key. Requires auth_type to be gcp_iam. + // A JSON encoded credential for use with IAM authorization + ServiceAccountJSONSecretRef *v1.SecretKeySelector `json:"serviceAccountJsonSecretRef,omitempty" tf:"-"` + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. TLSCA *string `json:"tlsCa,omitempty" tf:"tls_ca,omitempty"` + // x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + // x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + TLSCertificateKeySecretRef *v1.SecretKeySelector `json:"tlsCertificateKeySecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` 
@@ -1365,10 +1455,22 @@ type MySQLRDSInitParameters struct { // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // The password to authenticate with. + // The root credential password used in the connection URL + PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + + // JSON encoding of an IAM access key. Requires auth_type to be gcp_iam. + // A JSON encoded credential for use with IAM authorization + ServiceAccountJSONSecretRef *v1.SecretKeySelector `json:"serviceAccountJsonSecretRef,omitempty" tf:"-"` + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. TLSCA *string `json:"tlsCa,omitempty" tf:"tls_ca,omitempty"` + // x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + // x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + TLSCertificateKeySecretRef *v1.SecretKeySelector `json:"tlsCertificateKeySecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` 
@@ -1511,6 +1613,10 @@ type OracleInitParameters struct { // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // The password to authenticate with. + // The root credential password used in the connection URL + PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // Enable spliting statements after semi-colons. // Set to true in order to split statements after semi-colons. SplitStatements *bool `json:"splitStatements,omitempty" tf:"split_statements,omitempty"` @@ -1651,6 +1757,14 @@ type PostgresqlInitParameters struct { // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // The password to authenticate with. + // The root credential password used in the connection URL + PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + + // JSON encoding of an IAM access key. Requires auth_type to be gcp_iam. + // A JSON encoded credential for use with IAM authorization + ServiceAccountJSONSecretRef *v1.SecretKeySelector `json:"serviceAccountJsonSecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` 
@@ -1762,6 +1876,10 @@ type PostgresqlParameters struct { type RedisElasticacheInitParameters struct { + // The password to authenticate with. + // The AWS secret key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead. + PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // The region where the ElastiCache cluster is hosted. If omitted Vault tries to infer from the environment instead. // The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment. Region *string `json:"region,omitempty" tf:"region,omitempty"` @@ -1769,6 +1887,10 @@ type RedisElasticacheInitParameters struct { // The url to connect to including the port; e.g. master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. // The configuration endpoint for the ElastiCache cluster to connect to. URL *string `json:"url,omitempty" tf:"url,omitempty"` + + // The username to authenticate with. + // The AWS access key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead. + UsernameSecretRef *v1.SecretKeySelector `json:"usernameSecretRef,omitempty" tf:"-"` } type RedisElasticacheObservation struct { @@ -1797,7 +1919,7 @@ type RedisElasticacheParameters struct { // The url to connect to including the port; e.g. master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. // The configuration endpoint for the ElastiCache cluster to connect to. // +kubebuilder:validation:Optional - URL *string `json:"url,omitempty" tf:"url,omitempty"` + URL *string `json:"url" tf:"url,omitempty"` // The username to authenticate with. // The AWS access key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead. 
@@ -1820,6 +1942,10 @@ type RedisInitParameters struct { // Specifies whether to skip verification of the server certificate when using TLS. InsecureTLS *bool `json:"insecureTls,omitempty" tf:"insecure_tls,omitempty"` + // The password to authenticate with. + // Specifies the password corresponding to the given username. + PasswordSecretRef v1.SecretKeySelector `json:"passwordSecretRef" tf:"-"` + // The default port to connect to if no port is specified as // part of the host. // The transport port to use to connect to Redis. @@ -1873,7 +1999,7 @@ type RedisParameters struct { // The host to connect to. // Specifies the host to connect to // +kubebuilder:validation:Optional - Host *string `json:"host,omitempty" tf:"host,omitempty"` + Host *string `json:"host" tf:"host,omitempty"` // Whether to skip verification of the server // certificate when using TLS. @@ -1883,7 +2009,7 @@ type RedisParameters struct { // The password to authenticate with. // Specifies the password corresponding to the given username. - // +kubebuilder:validation:Required + // +kubebuilder:validation:Optional PasswordSecretRef v1.SecretKeySelector `json:"passwordSecretRef" tf:"-"` // The default port to connect to if no port is specified as @@ -1900,7 +2026,7 @@ type RedisParameters struct { // The username to authenticate with. // Specifies the username for Vault to use. // +kubebuilder:validation:Optional - Username *string `json:"username,omitempty" tf:"username,omitempty"` + Username *string `json:"username" tf:"username,omitempty"` } type RedshiftInitParameters struct { 
@@ -1931,6 +2057,10 @@ type RedshiftInitParameters struct { // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // The password to authenticate with. + // The root credential password used in the connection URL + PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` @@ -2035,8 +2165,18 @@ type SecretBackendConnectionInitParameters struct { // The unique name of the Vault mount to configure. // Unique name of the Vault mount to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // A nested block containing configuration options for Cassandra connections. // Connection parameters for the cassandra-database-plugin plugin. Cassandra []CassandraInitParameters `json:"cassandra,omitempty" tf:"cassandra,omitempty"` 
@@ -2047,6 +2187,7 @@ type SecretBackendConnectionInitParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // A nested block containing configuration options for Elasticsearch connections. @@ -2158,6 +2299,7 @@ type SecretBackendConnectionObservation struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // A nested block containing configuration options for Elasticsearch connections. @@ -2260,9 +2402,19 @@ type SecretBackendConnectionParameters struct { // The unique name of the Vault mount to configure. // Unique name of the Vault mount to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // A nested block containing configuration options for Cassandra connections. // Connection parameters for the cassandra-database-plugin plugin. // +kubebuilder:validation:Optional 
@@ -2276,6 +2428,7 @@ type SecretBackendConnectionParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // A nested block containing configuration options for Elasticsearch connections. @@ -2411,6 +2564,10 @@ type SnowflakeInitParameters struct { // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // The password to authenticate with. + // The root credential password used in the connection URL + PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` @@ -2501,9 +2658,8 @@ type SnowflakeParameters struct { type SecretBackendConnectionSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendConnectionParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -2522,19 +2678,19 @@ type SecretBackendConnectionStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretBackendConnection is the Schema for the SecretBackendConnections API. Configures a database secret backend connection for Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretBackendConnection struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" Spec SecretBackendConnectionSpec `json:"spec"` Status 
SecretBackendConnectionStatus `json:"status,omitempty"` } diff --git a/apis/database/v1alpha1/zz_secretbackendrole_terraformed.go b/apis/database/v1alpha1/zz_secretbackendrole_terraformed.go new file mode 100755 index 00000000..b542c352 --- /dev/null +++ b/apis/database/v1alpha1/zz_secretbackendrole_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretBackendRole +func (mg *SecretBackendRole) GetTerraformResourceType() string { + return "vault_database_secret_backend_role" +} + +// GetConnectionDetailsMapping for this SecretBackendRole +func (tr *SecretBackendRole) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this SecretBackendRole +func (tr *SecretBackendRole) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretBackendRole +func (tr *SecretBackendRole) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretBackendRole +func (tr *SecretBackendRole) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretBackendRole +func (tr *SecretBackendRole) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretBackendRole +func (tr *SecretBackendRole) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this 
SecretBackendRole +func (tr *SecretBackendRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretBackendRole +func (tr *SecretBackendRole) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretBackendRole using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *SecretBackendRole) LateInitialize(attrs []byte) (bool, error) { + params := &SecretBackendRoleParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretBackendRole) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/database/v1alpha1/zz_secretbackendrole_types.go b/apis/database/v1alpha1/zz_secretbackendrole_types.go index 65caf2ed..b84d41a4 100755 --- a/apis/database/v1alpha1/zz_secretbackendrole_types.go +++ b/apis/database/v1alpha1/zz_secretbackendrole_types.go @@ -17,8 +17,18 @@ type SecretBackendRoleInitParameters struct { // The unique name of the Vault mount to configure. // The path of the Database Secret Backend the role belongs to. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The database statements to execute when // creating a user. // Database statements to execute to create and configure a user. @@ -27,6 +37,7 @@ type SecretBackendRoleInitParameters struct { // – Specifies the configuration // for the given credential_type. // Specifies the configuration for the given credential_type. + // +mapType=granular CredentialConfig map[string]*string `json:"credentialConfig,omitempty" tf:"credential_config,omitempty"` // – Specifies the type of credential that 
@@ -38,8 +49,18 @@ type SecretBackendRoleInitParameters struct { // The unique name of the database connection to use for // the role. // Database connection to use for this role. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/database/v1alpha1.SecretBackendConnection + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("name",false) DBName *string `json:"dbName,omitempty" tf:"db_name,omitempty"` + // Reference to a SecretBackendConnection in database to populate dbName. + // +kubebuilder:validation:Optional + DBNameRef *v1.Reference `json:"dbNameRef,omitempty" tf:"-"` + + // Selector for a SecretBackendConnection in database to populate dbName. + // +kubebuilder:validation:Optional + DBNameSelector *v1.Selector `json:"dbNameSelector,omitempty" tf:"-"` + // The default number of seconds for leases for this // role. // Default TTL for leases associated with this role, in seconds. @@ -91,6 +112,7 @@ type SecretBackendRoleObservation struct { // – Specifies the configuration // for the given credential_type. // Specifies the configuration for the given credential_type. + // +mapType=granular CredentialConfig map[string]*string `json:"credentialConfig,omitempty" tf:"credential_config,omitempty"` // – Specifies the type of credential that 
@@ -147,9 +169,19 @@ type SecretBackendRoleParameters struct { // The unique name of the Vault mount to configure. // The path of the Database Secret Backend the role belongs to. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The database statements to execute when // creating a user. // Database statements to execute to create and configure a user. @@ -160,6 +192,7 @@ type SecretBackendRoleParameters struct { // for the given credential_type. // Specifies the configuration for the given credential_type. // +kubebuilder:validation:Optional + // +mapType=granular CredentialConfig map[string]*string `json:"credentialConfig,omitempty" tf:"credential_config,omitempty"` // – Specifies the type of credential that 
@@ -172,9 +205,19 @@ type SecretBackendRoleParameters struct { // The unique name of the database connection to use for // the role. // Database connection to use for this role. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/database/v1alpha1.SecretBackendConnection + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("name",false) // +kubebuilder:validation:Optional DBName *string `json:"dbName,omitempty" tf:"db_name,omitempty"` + // Reference to a SecretBackendConnection in database to populate dbName. + // +kubebuilder:validation:Optional + DBNameRef *v1.Reference `json:"dbNameRef,omitempty" tf:"-"` + + // Selector for a SecretBackendConnection in database to populate dbName. + // +kubebuilder:validation:Optional + DBNameSelector *v1.Selector `json:"dbNameSelector,omitempty" tf:"-"` + // The default number of seconds for leases for this // role. // Default TTL for leases associated with this role, in seconds. @@ -223,9 +266,8 @@ type SecretBackendRoleParameters struct { type SecretBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendRoleParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -244,21 +286,20 @@ type SecretBackendRoleStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretBackendRole is the Schema for the SecretBackendRoles API. Configures a database secret backend role for Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.creationStatements) || has(self.initProvider.creationStatements)",message="creationStatements is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.dbName) || has(self.initProvider.dbName)",message="dbName is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in 
self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.creationStatements) || (has(self.initProvider) && has(self.initProvider.creationStatements))",message="spec.forProvider.creationStatements is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" Spec SecretBackendRoleSpec `json:"spec"` Status SecretBackendRoleStatus `json:"status,omitempty"` } diff --git a/apis/database/v1alpha1/zz_secretbackendstaticrole_terraformed.go b/apis/database/v1alpha1/zz_secretbackendstaticrole_terraformed.go new file mode 100755 index 00000000..92165062 --- /dev/null +++ b/apis/database/v1alpha1/zz_secretbackendstaticrole_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretBackendStaticRole +func (mg *SecretBackendStaticRole) GetTerraformResourceType() string { + return "vault_database_secret_backend_static_role" +} + +// GetConnectionDetailsMapping for this SecretBackendStaticRole +func (tr *SecretBackendStaticRole) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this SecretBackendStaticRole +func (tr *SecretBackendStaticRole) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretBackendStaticRole +func (tr *SecretBackendStaticRole) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretBackendStaticRole +func (tr *SecretBackendStaticRole) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretBackendStaticRole +func (tr *SecretBackendStaticRole) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretBackendStaticRole +func (tr *SecretBackendStaticRole) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + 
return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this SecretBackendStaticRole +func (tr *SecretBackendStaticRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretBackendStaticRole +func (tr *SecretBackendStaticRole) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretBackendStaticRole using its observed tfState. +// returns True if there are any spec changes for the resource. 
+func (tr *SecretBackendStaticRole) LateInitialize(attrs []byte) (bool, error) { + params := &SecretBackendStaticRoleParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretBackendStaticRole) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/database/v1alpha1/zz_secretbackendstaticrole_types.go b/apis/database/v1alpha1/zz_secretbackendstaticrole_types.go index 3ec6f33b..556e0c66 100755 --- a/apis/database/v1alpha1/zz_secretbackendstaticrole_types.go +++ b/apis/database/v1alpha1/zz_secretbackendstaticrole_types.go 
@@ -17,12 +17,32 @@ type SecretBackendStaticRoleInitParameters struct { // The unique name of the Vault mount to configure. // The path of the Database Secret Backend the role belongs to. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The unique name of the database connection to use for the static role. // Database connection to use for this role. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/database/v1alpha1.SecretBackendConnection + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("name",false) DBName *string `json:"dbName,omitempty" tf:"db_name,omitempty"` + // Reference to a SecretBackendConnection in database to populate dbName. + // +kubebuilder:validation:Optional + DBNameRef *v1.Reference `json:"dbNameRef,omitempty" tf:"-"` + + // Selector for a SecretBackendConnection in database to populate dbName. + // +kubebuilder:validation:Optional + DBNameSelector *v1.Selector `json:"dbNameSelector,omitempty" tf:"-"` + // A unique name to give the static role. // Unique name for the static role. Name *string `json:"name,omitempty" tf:"name,omitempty"` 
@@ -109,14 +129,34 @@ type SecretBackendStaticRoleParameters struct { // The unique name of the Vault mount to configure. // The path of the Database Secret Backend the role belongs to. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The unique name of the database connection to use for the static role. // Database connection to use for this role. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/database/v1alpha1.SecretBackendConnection + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("name",false) // +kubebuilder:validation:Optional DBName *string `json:"dbName,omitempty" tf:"db_name,omitempty"` + // Reference to a SecretBackendConnection in database to populate dbName. + // +kubebuilder:validation:Optional + DBNameRef *v1.Reference `json:"dbNameRef,omitempty" tf:"-"` + + // Selector for a SecretBackendConnection in database to populate dbName. + // +kubebuilder:validation:Optional + DBNameSelector *v1.Selector `json:"dbNameSelector,omitempty" tf:"-"` + // A unique name to give the static role. // Unique name for the static role. // +kubebuilder:validation:Optional 
@@ -163,9 +203,8 @@ type SecretBackendStaticRoleParameters struct { type SecretBackendStaticRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendStaticRoleParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -184,21 +223,20 @@ type SecretBackendStaticRoleStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretBackendStaticRole is the Schema for the SecretBackendStaticRoles API. Configures a database secret backend static role for Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretBackendStaticRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.dbName) || has(self.initProvider.dbName)",message="dbName is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in 
self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.username) || has(self.initProvider.username)",message="username is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.username) || (has(self.initProvider) && has(self.initProvider.username))",message="spec.forProvider.username is a required parameter" Spec SecretBackendStaticRoleSpec `json:"spec"` Status SecretBackendStaticRoleStatus `json:"status,omitempty"` } diff --git a/apis/database/v1alpha1/zz_secretsmount_terraformed.go b/apis/database/v1alpha1/zz_secretsmount_terraformed.go new file mode 100755 index 00000000..3d19def5 --- /dev/null +++ b/apis/database/v1alpha1/zz_secretsmount_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretsMount +func (mg *SecretsMount) GetTerraformResourceType() string { + return "vault_database_secrets_mount" +} + +// GetConnectionDetailsMapping for this SecretsMount +func (tr *SecretsMount) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"cassandra[*].password": "cassandra[*].passwordSecretRef", "cassandra[*].pem_bundle": "cassandra[*].pemBundleSecretRef", "cassandra[*].pem_json": "cassandra[*].pemJsonSecretRef", "couchbase[*].base64_pem": "couchbase[*].base64PemSecretRef", "couchbase[*].password": "couchbase[*].passwordSecretRef", "elasticsearch[*].password": "elasticsearch[*].passwordSecretRef", "hana[*].password": "hana[*].passwordSecretRef", "influxdb[*].password": "influxdb[*].passwordSecretRef", "influxdb[*].pem_bundle": "influxdb[*].pemBundleSecretRef", "influxdb[*].pem_json": "influxdb[*].pemJsonSecretRef", "mongodb[*].password": "mongodb[*].passwordSecretRef", "mongodbatlas[*].private_key": "mongodbatlas[*].privateKeySecretRef", "mssql[*].password": "mssql[*].passwordSecretRef", "mysql[*].password": "mysql[*].passwordSecretRef", "mysql[*].service_account_json": "mysql[*].serviceAccountJsonSecretRef", "mysql[*].tls_certificate_key": "mysql[*].tlsCertificateKeySecretRef", "mysql_aurora[*].password": "mysqlAurora[*].passwordSecretRef", "mysql_aurora[*].service_account_json": "mysqlAurora[*].serviceAccountJsonSecretRef", "mysql_aurora[*].tls_certificate_key": "mysqlAurora[*].tlsCertificateKeySecretRef", "mysql_legacy[*].password": "mysqlLegacy[*].passwordSecretRef", "mysql_legacy[*].service_account_json": "mysqlLegacy[*].serviceAccountJsonSecretRef", 
"mysql_legacy[*].tls_certificate_key": "mysqlLegacy[*].tlsCertificateKeySecretRef", "mysql_rds[*].password": "mysqlRds[*].passwordSecretRef", "mysql_rds[*].service_account_json": "mysqlRds[*].serviceAccountJsonSecretRef", "mysql_rds[*].tls_certificate_key": "mysqlRds[*].tlsCertificateKeySecretRef", "oracle[*].password": "oracle[*].passwordSecretRef", "postgresql[*].password": "postgresql[*].passwordSecretRef", "postgresql[*].service_account_json": "postgresql[*].serviceAccountJsonSecretRef", "redis[*].password": "redis[*].passwordSecretRef", "redis_elasticache[*].password": "redisElasticache[*].passwordSecretRef", "redis_elasticache[*].username": "redisElasticache[*].usernameSecretRef", "redshift[*].password": "redshift[*].passwordSecretRef", "snowflake[*].password": "snowflake[*].passwordSecretRef"} +} + +// GetObservation of this SecretsMount +func (tr *SecretsMount) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretsMount +func (tr *SecretsMount) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretsMount +func (tr *SecretsMount) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretsMount +func (tr *SecretsMount) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretsMount +func (tr *SecretsMount) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if 
err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this SecretsMount +func (tr *SecretsMount) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretsMount +func (tr *SecretsMount) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretsMount using its observed tfState. +// returns True if there are any spec changes for the resource. 
+func (tr *SecretsMount) LateInitialize(attrs []byte) (bool, error) { + params := &SecretsMountParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretsMount) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/database/v1alpha1/zz_secretsmount_types.go b/apis/database/v1alpha1/zz_secretsmount_types.go index 6738d19b..800295c3 100755 --- a/apis/database/v1alpha1/zz_secretsmount_types.go +++ b/apis/database/v1alpha1/zz_secretsmount_types.go @@ -27,6 +27,7 @@ type SecretsMountCassandraInitParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // The hosts to connect to. 
@@ -42,6 +43,19 @@ type SecretsMountCassandraInitParameters struct { // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The password to authenticate with. + // The password to use when authenticating with Cassandra. + PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + + // Concatenated PEM blocks configuring the certificate + // chain. + // Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. + PemBundleSecretRef *v1.SecretKeySelector `json:"pemBundleSecretRef,omitempty" tf:"-"` + + // A JSON structure configuring the certificate chain. + // Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. + PemJSONSecretRef *v1.SecretKeySelector `json:"pemJsonSecretRef,omitempty" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` @@ -87,6 +101,7 @@ type SecretsMountCassandraObservation struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // The hosts to connect to. @@ -150,6 +165,7 @@ type SecretsMountCassandraParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // The hosts to connect to. 
@@ -166,7 +182,7 @@ type SecretsMountCassandraParameters struct { // for any configured database engine is changed // Name of the database connection. // +kubebuilder:validation:Optional - Name *string `json:"name,omitempty" tf:"name,omitempty"` + Name *string `json:"name" tf:"name,omitempty"` // The password to authenticate with. // The password to use when authenticating with Cassandra. @@ -229,12 +245,17 @@ type SecretsMountCouchbaseInitParameters struct { // A list of roles that are allowed to use this connection. AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // Required if tls is true. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded. + // Required if `tls` is `true`. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded. + Base64PemSecretRef *v1.SecretKeySelector `json:"base64PemSecretRef,omitempty" tf:"-"` + // Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. // Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"` // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // The hosts to connect to. 
@@ -250,6 +271,10 @@ type SecretsMountCouchbaseInitParameters struct { // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The password to authenticate with. + // Specifies the password corresponding to the given username. + PasswordSecretRef v1.SecretKeySelector `json:"passwordSecretRef" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` @@ -289,6 +314,7 @@ type SecretsMountCouchbaseObservation struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // The hosts to connect to. @@ -351,12 +377,13 @@ type SecretsMountCouchbaseParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // The hosts to connect to. // A set of Couchbase URIs to connect to. Must use `couchbases://` scheme if `tls` is `true`. // +kubebuilder:validation:Optional - Hosts []*string `json:"hosts,omitempty" tf:"hosts,omitempty"` + Hosts []*string `json:"hosts" tf:"hosts,omitempty"` // Whether to skip verification of the server // certificate when using TLS. 
@@ -367,11 +394,11 @@ type SecretsMountCouchbaseParameters struct { // for any configured database engine is changed // Name of the database connection. // +kubebuilder:validation:Optional - Name *string `json:"name,omitempty" tf:"name,omitempty"` + Name *string `json:"name" tf:"name,omitempty"` // The password to authenticate with. // Specifies the password corresponding to the given username. - // +kubebuilder:validation:Required + // +kubebuilder:validation:Optional PasswordSecretRef v1.SecretKeySelector `json:"passwordSecretRef" tf:"-"` // Specifies the name of the plugin to use. @@ -392,7 +419,7 @@ type SecretsMountCouchbaseParameters struct { // The username to authenticate with. // Specifies the username for Vault to use. // +kubebuilder:validation:Optional - Username *string `json:"username,omitempty" tf:"username,omitempty"` + Username *string `json:"username" tf:"username,omitempty"` // Template describing how dynamic usernames are generated. // Template describing how dynamic usernames are generated. @@ -431,6 +458,7 @@ type SecretsMountElasticsearchInitParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // Whether to disable certificate verification. 
@@ -441,6 +469,10 @@ type SecretsMountElasticsearchInitParameters struct { // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The password to authenticate with. + // The password to be used in the connection URL + PasswordSecretRef v1.SecretKeySelector `json:"passwordSecretRef" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` @@ -497,6 +529,7 @@ type SecretsMountElasticsearchObservation struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // Whether to disable certificate verification. @@ -569,6 +602,7 @@ type SecretsMountElasticsearchParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // Whether to disable certificate verification. 
@@ -579,11 +613,11 @@ type SecretsMountElasticsearchParameters struct { // for any configured database engine is changed // Name of the database connection. // +kubebuilder:validation:Optional - Name *string `json:"name,omitempty" tf:"name,omitempty"` + Name *string `json:"name" tf:"name,omitempty"` // The password to authenticate with. // The password to be used in the connection URL - // +kubebuilder:validation:Required + // +kubebuilder:validation:Optional PasswordSecretRef v1.SecretKeySelector `json:"passwordSecretRef" tf:"-"` // Specifies the name of the plugin to use. @@ -605,12 +639,12 @@ type SecretsMountElasticsearchParameters struct { // by trusted CA if used. // The URL for Elasticsearch's API // +kubebuilder:validation:Optional - URL *string `json:"url,omitempty" tf:"url,omitempty"` + URL *string `json:"url" tf:"url,omitempty"` // The username to authenticate with. // The username to be used in the connection URL // +kubebuilder:validation:Optional - Username *string `json:"username,omitempty" tf:"username,omitempty"` + Username *string `json:"username" tf:"username,omitempty"` // Template describing how dynamic usernames are generated. // Template describing how dynamic usernames are generated. @@ -638,6 +672,7 @@ type SecretsMountHanaInitParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // Disable special character escaping in username and password. 
@@ -663,6 +698,10 @@ type SecretsMountHanaInitParameters struct { // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The password to authenticate with. + // The root credential password used in the connection URL + PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` @@ -695,6 +734,7 @@ type SecretsMountHanaObservation struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // Disable special character escaping in username and password. @@ -755,6 +795,7 @@ type SecretsMountHanaParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // Disable special character escaping in username and password. @@ -783,7 +824,7 @@ type SecretsMountHanaParameters struct { // for any configured database engine is changed // Name of the database connection. // +kubebuilder:validation:Optional - Name *string `json:"name,omitempty" tf:"name,omitempty"` + Name *string `json:"name" tf:"name,omitempty"` // The password to authenticate with. // The root credential password used in the connection URL 
@@ -826,6 +867,7 @@ type SecretsMountInfluxdbInitParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // The host to connect to. @@ -841,6 +883,19 @@ type SecretsMountInfluxdbInitParameters struct { // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The password to authenticate with. + // Specifies the password corresponding to the given username. + PasswordSecretRef v1.SecretKeySelector `json:"passwordSecretRef" tf:"-"` + + // Concatenated PEM blocks configuring the certificate + // chain. + // Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. + PemBundleSecretRef *v1.SecretKeySelector `json:"pemBundleSecretRef,omitempty" tf:"-"` + + // A JSON structure configuring the certificate chain. + // Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. + PemJSONSecretRef *v1.SecretKeySelector `json:"pemJsonSecretRef,omitempty" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` @@ -886,6 +941,7 @@ type SecretsMountInfluxdbObservation struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // The host to connect to. 
@@ -949,12 +1005,13 @@ type SecretsMountInfluxdbParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // The host to connect to. // Influxdb host to connect to. // +kubebuilder:validation:Optional - Host *string `json:"host,omitempty" tf:"host,omitempty"` + Host *string `json:"host" tf:"host,omitempty"` // Whether to skip verification of the server // certificate when using TLS. @@ -965,11 +1022,11 @@ type SecretsMountInfluxdbParameters struct { // for any configured database engine is changed // Name of the database connection. // +kubebuilder:validation:Optional - Name *string `json:"name,omitempty" tf:"name,omitempty"` + Name *string `json:"name" tf:"name,omitempty"` // The password to authenticate with. // Specifies the password corresponding to the given username. - // +kubebuilder:validation:Required + // +kubebuilder:validation:Optional PasswordSecretRef v1.SecretKeySelector `json:"passwordSecretRef" tf:"-"` // Concatenated PEM blocks configuring the certificate @@ -1007,7 +1064,7 @@ type SecretsMountInfluxdbParameters struct { // The username to authenticate with. // Specifies the username to use for superuser access. // +kubebuilder:validation:Optional - Username *string `json:"username,omitempty" tf:"username,omitempty"` + Username *string `json:"username" tf:"username,omitempty"` // Template describing how dynamic usernames are generated. // Template describing how dynamic usernames are generated. 
@@ -1025,8 +1082,12 @@ type SecretsMountInitParameters struct { // Set of managed key registry entry names that the mount in question is allowed to access // List of managed key registry entry names that the mount in question is allowed to access + // +listType=set AllowedManagedKeys []*string `json:"allowedManagedKeys,omitempty" tf:"allowed_managed_keys,omitempty"` + // List of headers to allow and pass from the request to the plugin + AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers,omitempty"` + // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys,omitempty"` @@ -1049,6 +1110,9 @@ type SecretsMountInitParameters struct { // Default lease duration for tokens and secrets in seconds DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // List of headers to allow and pass from the request to the plugin + DelegatedAuthAccessors []*string `json:"delegatedAuthAccessors,omitempty" tf:"delegated_auth_accessors,omitempty"` + // Human-friendly description of the mount // Human-friendly description of the mount Description *string `json:"description,omitempty" tf:"description,omitempty"` 
@@ -1067,11 +1131,17 @@ type SecretsMountInitParameters struct { // Connection parameters for the hana-database-plugin plugin. Hana []SecretsMountHanaInitParameters `json:"hana,omitempty" tf:"hana,omitempty"` + // The key to use for signing plugin workload identity tokens + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + // A nested block containing configuration options for InfluxDB connections. // See // Connection parameters for the influxdb-database-plugin plugin. Influxdb []SecretsMountInfluxdbInitParameters `json:"influxdb,omitempty" tf:"influxdb,omitempty"` + // Specifies whether to show this mount in the UI-specific listing endpoint + ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility,omitempty"` + // Boolean flag that can be explicitly set to true to enforce local mount in HA environment // Local mount flag that can be explicitly set to true to enforce local mount in HA environment Local *bool `json:"local,omitempty" tf:"local,omitempty"` @@ -1120,6 +1190,7 @@ type SecretsMountInitParameters struct { // Specifies mount type specific options that are passed to the backend // Specifies mount type specific options that are passed to the backend + // +mapType=granular Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` // A nested block containing configuration options for Oracle connections. 
@@ -1127,10 +1198,16 @@ type SecretsMountInitParameters struct { // Connection parameters for the oracle-database-plugin plugin. Oracle []SecretsMountOracleInitParameters `json:"oracle,omitempty" tf:"oracle,omitempty"` + // List of headers to allow and pass from the request to the plugin + PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers,omitempty"` + // Where the secret backend will be mounted // Where the secret backend will be mounted Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Specifies the semantic version of the plugin to use, e.g. 'v1.0.0' + PluginVersion *string `json:"pluginVersion,omitempty" tf:"plugin_version,omitempty"` + // A nested block containing configuration options for PostgreSQL connections. // See // Connection parameters for the postgresql-database-plugin plugin. @@ -1175,6 +1252,7 @@ type SecretsMountMongodbInitParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // The maximum number of seconds to keep @@ -1196,6 +1274,10 @@ type SecretsMountMongodbInitParameters struct { // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The password to authenticate with. + // The root credential password used in the connection URL + PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` 
@@ -1232,6 +1314,7 @@ type SecretsMountMongodbObservation struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // The maximum number of seconds to keep @@ -1292,6 +1375,7 @@ type SecretsMountMongodbParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // The maximum number of seconds to keep @@ -1315,7 +1399,7 @@ type SecretsMountMongodbParameters struct { // for any configured database engine is changed // Name of the database connection. // +kubebuilder:validation:Optional - Name *string `json:"name,omitempty" tf:"name,omitempty"` + Name *string `json:"name" tf:"name,omitempty"` // The password to authenticate with. // The root credential password used in the connection URL @@ -1358,6 +1442,7 @@ type SecretsMountMongodbatlasInitParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // for any configured database engine is changed 
@@ -1368,6 +1453,10 @@ type SecretsMountMongodbatlasInitParameters struct { // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` + // The Private Programmatic API Key used to connect with MongoDB Atlas API. + // The Private Programmatic API Key used to connect with MongoDB Atlas API. + PrivateKeySecretRef v1.SecretKeySelector `json:"privateKeySecretRef" tf:"-"` + // The Project ID the Database User should be created within. // The Project ID the Database User should be created within. ProjectID *string `json:"projectId,omitempty" tf:"project_id,omitempty"` @@ -1395,6 +1484,7 @@ type SecretsMountMongodbatlasObservation struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // for any configured database engine is changed @@ -1434,12 +1524,13 @@ type SecretsMountMongodbatlasParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // for any configured database engine is changed // Name of the database connection. // +kubebuilder:validation:Optional - Name *string `json:"name,omitempty" tf:"name,omitempty"` + Name *string `json:"name" tf:"name,omitempty"` // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. 
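Review bot: `PrivateKeySecretRef` in `SecretsMountMongodbatlasInitParameters` is added as a value-typed `v1.SecretKeySelector` tagged `json:"privateKeySecretRef"` without `omitempty`, whereas every other secret reference this change adds to an InitParameters struct is a `*v1.SecretKeySelector` with `omitempty`. A value field is always serialised, so an unset reference is written out as an empty selector, and schema generation will probably mark it required under `initProvider` because no Optional marker accompanies it. The same shape remains in `SecretsMountMongodbatlasParameters` (hunk at -1448), where the marker moves from Required to Optional but the type and tag stay as they were. I would make both ``PrivateKeySecretRef *v1.SecretKeySelector `json:"privateKeySecretRef,omitempty" tf:"-"` ``. These look like generated API types, so the change likely belongs in the generator's resource configuration; both structs continue outside their hunks.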
@@ -1448,18 +1539,18 @@ type SecretsMountMongodbatlasParameters struct { // The Private Programmatic API Key used to connect with MongoDB Atlas API. // The Private Programmatic API Key used to connect with MongoDB Atlas API. - // +kubebuilder:validation:Required + // +kubebuilder:validation:Optional PrivateKeySecretRef v1.SecretKeySelector `json:"privateKeySecretRef" tf:"-"` // The Project ID the Database User should be created within. // The Project ID the Database User should be created within. // +kubebuilder:validation:Optional - ProjectID *string `json:"projectId,omitempty" tf:"project_id,omitempty"` + ProjectID *string `json:"projectId" tf:"project_id,omitempty"` // The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. // The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. // +kubebuilder:validation:Optional - PublicKey *string `json:"publicKey,omitempty" tf:"public_key,omitempty"` + PublicKey *string `json:"publicKey" tf:"public_key,omitempty"` // A list of database statements to be executed to rotate the root user's credentials. // A list of database statements to be executed to rotate the root user's credentials. @@ -1493,6 +1584,7 @@ type SecretsMountMssqlInitParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // Disable special character escaping in username and password. 
@@ -1518,6 +1610,10 @@ type SecretsMountMssqlInitParameters struct { // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The password to authenticate with. + // The root credential password used in the connection URL + PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` @@ -1560,6 +1656,7 @@ type SecretsMountMssqlObservation struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // Disable special character escaping in username and password. @@ -1631,6 +1728,7 @@ type SecretsMountMssqlParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // Disable special character escaping in username and password. @@ -1659,7 +1757,7 @@ type SecretsMountMssqlParameters struct { // for any configured database engine is changed // Name of the database connection. // +kubebuilder:validation:Optional - Name *string `json:"name,omitempty" tf:"name,omitempty"` + Name *string `json:"name" tf:"name,omitempty"` // The password to authenticate with. // The root credential password used in the connection URL 
@@ -1710,6 +1808,7 @@ type SecretsMountMySQLAuroraInitParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // The maximum number of seconds to keep @@ -1731,6 +1830,10 @@ type SecretsMountMySQLAuroraInitParameters struct { // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The password to authenticate with. + // The root credential password used in the connection URL + PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` 
@@ -1739,10 +1842,17 @@ type SecretsMountMySQLAuroraInitParameters struct { // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // A JSON encoded credential for use with IAM authorization + ServiceAccountJSONSecretRef *v1.SecretKeySelector `json:"serviceAccountJsonSecretRef,omitempty" tf:"-"` + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. TLSCA *string `json:"tlsCa,omitempty" tf:"tls_ca,omitempty"` + // x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + // x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + TLSCertificateKeySecretRef *v1.SecretKeySelector `json:"tlsCertificateKeySecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` @@ -1774,6 +1884,7 @@ type SecretsMountMySQLAuroraObservation struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // The maximum number of seconds to keep 
@@ -1842,6 +1953,7 @@ type SecretsMountMySQLAuroraParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // The maximum number of seconds to keep @@ -1865,7 +1977,7 @@ type SecretsMountMySQLAuroraParameters struct { // for any configured database engine is changed // Name of the database connection. // +kubebuilder:validation:Optional - Name *string `json:"name,omitempty" tf:"name,omitempty"` + Name *string `json:"name" tf:"name,omitempty"` // The password to authenticate with. // The root credential password used in the connection URL @@ -1930,6 +2042,7 @@ type SecretsMountMySQLInitParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // The maximum number of seconds to keep @@ -1951,6 +2064,10 @@ type SecretsMountMySQLInitParameters struct { // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The password to authenticate with. + // The root credential password used in the connection URL + PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` 
@@ -1959,10 +2076,17 @@ type SecretsMountMySQLInitParameters struct { // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // A JSON encoded credential for use with IAM authorization + ServiceAccountJSONSecretRef *v1.SecretKeySelector `json:"serviceAccountJsonSecretRef,omitempty" tf:"-"` + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. TLSCA *string `json:"tlsCa,omitempty" tf:"tls_ca,omitempty"` + // x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + // x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + TLSCertificateKeySecretRef *v1.SecretKeySelector `json:"tlsCertificateKeySecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` @@ -1994,6 +2118,7 @@ type SecretsMountMySQLLegacyInitParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // The maximum number of seconds to keep 
@@ -2015,6 +2140,10 @@ type SecretsMountMySQLLegacyInitParameters struct { // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The password to authenticate with. + // The root credential password used in the connection URL + PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` @@ -2023,10 +2152,17 @@ type SecretsMountMySQLLegacyInitParameters struct { // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // A JSON encoded credential for use with IAM authorization + ServiceAccountJSONSecretRef *v1.SecretKeySelector `json:"serviceAccountJsonSecretRef,omitempty" tf:"-"` + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. TLSCA *string `json:"tlsCa,omitempty" tf:"tls_ca,omitempty"` + // x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + // x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + TLSCertificateKeySecretRef *v1.SecretKeySelector `json:"tlsCertificateKeySecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` 
@@ -2058,6 +2194,7 @@ type SecretsMountMySQLLegacyObservation struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // The maximum number of seconds to keep @@ -2126,6 +2263,7 @@ type SecretsMountMySQLLegacyParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // The maximum number of seconds to keep @@ -2149,7 +2287,7 @@ type SecretsMountMySQLLegacyParameters struct { // for any configured database engine is changed // Name of the database connection. // +kubebuilder:validation:Optional - Name *string `json:"name,omitempty" tf:"name,omitempty"` + Name *string `json:"name" tf:"name,omitempty"` // The password to authenticate with. // The root credential password used in the connection URL @@ -2214,6 +2352,7 @@ type SecretsMountMySQLObservation struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // The maximum number of seconds to keep 
@@ -2282,6 +2421,7 @@ type SecretsMountMySQLParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // The maximum number of seconds to keep @@ -2305,7 +2445,7 @@ type SecretsMountMySQLParameters struct { // for any configured database engine is changed // Name of the database connection. // +kubebuilder:validation:Optional - Name *string `json:"name,omitempty" tf:"name,omitempty"` + Name *string `json:"name" tf:"name,omitempty"` // The password to authenticate with. // The root credential password used in the connection URL @@ -2370,6 +2510,7 @@ type SecretsMountMySQLRDSInitParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // The maximum number of seconds to keep @@ -2391,6 +2532,10 @@ type SecretsMountMySQLRDSInitParameters struct { // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The password to authenticate with. + // The root credential password used in the connection URL + PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` 
@@ -2399,10 +2544,17 @@ type SecretsMountMySQLRDSInitParameters struct { // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // A JSON encoded credential for use with IAM authorization + ServiceAccountJSONSecretRef *v1.SecretKeySelector `json:"serviceAccountJsonSecretRef,omitempty" tf:"-"` + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. TLSCA *string `json:"tlsCa,omitempty" tf:"tls_ca,omitempty"` + // x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + // x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + TLSCertificateKeySecretRef *v1.SecretKeySelector `json:"tlsCertificateKeySecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` @@ -2434,6 +2586,7 @@ type SecretsMountMySQLRDSObservation struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // The maximum number of seconds to keep 
@@ -2502,6 +2655,7 @@ type SecretsMountMySQLRDSParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // The maximum number of seconds to keep @@ -2525,7 +2679,7 @@ type SecretsMountMySQLRDSParameters struct { // for any configured database engine is changed // Name of the database connection. // +kubebuilder:validation:Optional - Name *string `json:"name,omitempty" tf:"name,omitempty"` + Name *string `json:"name" tf:"name,omitempty"` // The password to authenticate with. // The root credential password used in the connection URL @@ -2580,8 +2734,12 @@ type SecretsMountObservation struct { // Set of managed key registry entry names that the mount in question is allowed to access // List of managed key registry entry names that the mount in question is allowed to access + // +listType=set AllowedManagedKeys []*string `json:"allowedManagedKeys,omitempty" tf:"allowed_managed_keys,omitempty"` + // List of headers to allow and pass from the request to the plugin + AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers,omitempty"` + // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys,omitempty"` 
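Review bot: The comment added above `AllowedResponseHeaders` in `SecretsMountObservation` reads "List of headers to allow and pass from the request to the plugin", which is the description of `PassthroughRequestHeaders`. The same sentence is reused for `DelegatedAuthAccessors` in the next hunk (-2604) and for both fields in the `SecretsMountParameters` hunks (-2935 and -2964). Going by the field names, the first is the set of headers a plugin may set on a response and the second is the set of auth mount accessors the mount may delegate authentication to; the second widens what the mount can authenticate against, so a wrong description makes it easy to misread when reviewing a manifest. Suggested comments: `// List of headers the plugin is allowed to set on responses` and `// List of auth mount accessors this mount may request delegated authentication for`. If these types are generated, the wording has to be corrected where the descriptions originate; the struct continues outside the hunk.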
@@ -2604,6 +2762,9 @@ type SecretsMountObservation struct { // Default lease duration for tokens and secrets in seconds DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // List of headers to allow and pass from the request to the plugin + DelegatedAuthAccessors []*string `json:"delegatedAuthAccessors,omitempty" tf:"delegated_auth_accessors,omitempty"` + // Human-friendly description of the mount // Human-friendly description of the mount Description *string `json:"description,omitempty" tf:"description,omitempty"` @@ -2628,11 +2789,17 @@ type SecretsMountObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The key to use for signing plugin workload identity tokens + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + // A nested block containing configuration options for InfluxDB connections. // See // Connection parameters for the influxdb-database-plugin plugin. Influxdb []SecretsMountInfluxdbObservation `json:"influxdb,omitempty" tf:"influxdb,omitempty"` + // Specifies whether to show this mount in the UI-specific listing endpoint + ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility,omitempty"` + // Boolean flag that can be explicitly set to true to enforce local mount in HA environment // Local mount flag that can be explicitly set to true to enforce local mount in HA environment Local *bool `json:"local,omitempty" tf:"local,omitempty"` @@ -2681,6 +2848,7 @@ type SecretsMountObservation struct { // Specifies mount type specific options that are passed to the backend // Specifies mount type specific options that are passed to the backend + // +mapType=granular Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` // A nested block containing configuration options for Oracle connections. 
@@ -2688,10 +2856,16 @@ type SecretsMountObservation struct { // Connection parameters for the oracle-database-plugin plugin. Oracle []SecretsMountOracleObservation `json:"oracle,omitempty" tf:"oracle,omitempty"` + // List of headers to allow and pass from the request to the plugin + PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers,omitempty"` + // Where the secret backend will be mounted // Where the secret backend will be mounted Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Specifies the semantic version of the plugin to use, e.g. 'v1.0.0' + PluginVersion *string `json:"pluginVersion,omitempty" tf:"plugin_version,omitempty"` + // A nested block containing configuration options for PostgreSQL connections. // See // Connection parameters for the postgresql-database-plugin plugin. @@ -2736,6 +2910,7 @@ type SecretsMountOracleInitParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // Set to true to disconnect any open sessions prior to running the revocation statements. @@ -2760,6 +2935,10 @@ type SecretsMountOracleInitParameters struct { // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The password to authenticate with. + // The root credential password used in the connection URL + PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` 
@@ -2799,6 +2978,7 @@ type SecretsMountOracleObservation struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // Set to true to disconnect any open sessions prior to running the revocation statements. @@ -2865,6 +3045,7 @@ type SecretsMountOracleParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // Set to true to disconnect any open sessions prior to running the revocation statements. @@ -2892,7 +3073,7 @@ type SecretsMountOracleParameters struct { // for any configured database engine is changed // Name of the database connection. // +kubebuilder:validation:Optional - Name *string `json:"name,omitempty" tf:"name,omitempty"` + Name *string `json:"name" tf:"name,omitempty"` // The password to authenticate with. // The root credential password used in the connection URL 
@@ -2935,8 +3116,13 @@ type SecretsMountParameters struct { // Set of managed key registry entry names that the mount in question is allowed to access // List of managed key registry entry names that the mount in question is allowed to access // +kubebuilder:validation:Optional + // +listType=set AllowedManagedKeys []*string `json:"allowedManagedKeys,omitempty" tf:"allowed_managed_keys,omitempty"` + // List of headers to allow and pass from the request to the plugin + // +kubebuilder:validation:Optional + AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers,omitempty"` + // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. // +kubebuilder:validation:Optional @@ -2964,6 +3150,10 @@ type SecretsMountParameters struct { // +kubebuilder:validation:Optional DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // List of headers to allow and pass from the request to the plugin + // +kubebuilder:validation:Optional + DelegatedAuthAccessors []*string `json:"delegatedAuthAccessors,omitempty" tf:"delegated_auth_accessors,omitempty"` + // Human-friendly description of the mount // Human-friendly description of the mount // +kubebuilder:validation:Optional 
@@ -2986,12 +3176,20 @@ type SecretsMountParameters struct { // +kubebuilder:validation:Optional Hana []SecretsMountHanaParameters `json:"hana,omitempty" tf:"hana,omitempty"` + // The key to use for signing plugin workload identity tokens + // +kubebuilder:validation:Optional + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + // A nested block containing configuration options for InfluxDB connections. // See // Connection parameters for the influxdb-database-plugin plugin. // +kubebuilder:validation:Optional Influxdb []SecretsMountInfluxdbParameters `json:"influxdb,omitempty" tf:"influxdb,omitempty"` + // Specifies whether to show this mount in the UI-specific listing endpoint + // +kubebuilder:validation:Optional + ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility,omitempty"` + // Boolean flag that can be explicitly set to true to enforce local mount in HA environment // Local mount flag that can be explicitly set to true to enforce local mount in HA environment // +kubebuilder:validation:Optional @@ -3051,6 +3249,7 @@ type SecretsMountParameters struct { // Specifies mount type specific options that are passed to the backend // Specifies mount type specific options that are passed to the backend // +kubebuilder:validation:Optional + // +mapType=granular Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` // A nested block containing configuration options for Oracle connections. 
@@ -3059,11 +3258,19 @@ type SecretsMountParameters struct { // +kubebuilder:validation:Optional Oracle []SecretsMountOracleParameters `json:"oracle,omitempty" tf:"oracle,omitempty"` + // List of headers to allow and pass from the request to the plugin + // +kubebuilder:validation:Optional + PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers,omitempty"` + // Where the secret backend will be mounted // Where the secret backend will be mounted // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Specifies the semantic version of the plugin to use, e.g. 'v1.0.0' + // +kubebuilder:validation:Optional + PluginVersion *string `json:"pluginVersion,omitempty" tf:"plugin_version,omitempty"` + // A nested block containing configuration options for PostgreSQL connections. // See // Connection parameters for the postgresql-database-plugin plugin. @@ -3117,6 +3324,7 @@ type SecretsMountPostgresqlInitParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // Disable special character escaping in username and password. @@ -3142,6 +3350,10 @@ type SecretsMountPostgresqlInitParameters struct { // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The password to authenticate with. + // The root credential password used in the connection URL + PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` 
@@ -3150,6 +3362,9 @@ type SecretsMountPostgresqlInitParameters struct { // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // A JSON encoded credential for use with IAM authorization + ServiceAccountJSONSecretRef *v1.SecretKeySelector `json:"serviceAccountJsonSecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` @@ -3181,6 +3396,7 @@ type SecretsMountPostgresqlObservation struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // Disable special character escaping in username and password. @@ -3249,6 +3465,7 @@ type SecretsMountPostgresqlParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // Disable special character escaping in username and password. @@ -3277,7 +3494,7 @@ type SecretsMountPostgresqlParameters struct { // for any configured database engine is changed // Name of the database connection. // +kubebuilder:validation:Optional - Name *string `json:"name,omitempty" tf:"name,omitempty"` + Name *string `json:"name" tf:"name,omitempty"` // The password to authenticate with. // The root credential password used in the connection URL 
@@ -3324,12 +3541,17 @@ type SecretsMountRedisElasticacheInitParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // for any configured database engine is changed // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The password to authenticate with. + // The AWS secret key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead. + PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` @@ -3348,6 +3570,10 @@ type SecretsMountRedisElasticacheInitParameters struct { // The configuration endpoint for the ElastiCache cluster to connect to. URL *string `json:"url,omitempty" tf:"url,omitempty"` + // The username to authenticate with. + // The AWS access key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead. + UsernameSecretRef *v1.SecretKeySelector `json:"usernameSecretRef,omitempty" tf:"-"` + // Whether the connection should be verified on // initial configuration or not. // Specifies if the connection is verified during initial configuration. 
@@ -3363,6 +3589,7 @@ type SecretsMountRedisElasticacheObservation struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // for any configured database engine is changed @@ -3404,12 +3631,13 @@ type SecretsMountRedisElasticacheParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // for any configured database engine is changed // Name of the database connection. // +kubebuilder:validation:Optional - Name *string `json:"name,omitempty" tf:"name,omitempty"` + Name *string `json:"name" tf:"name,omitempty"` // The password to authenticate with. // The AWS secret key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead. @@ -3436,7 +3664,7 @@ type SecretsMountRedisElasticacheParameters struct { // by trusted CA if used. // The configuration endpoint for the ElastiCache cluster to connect to. // +kubebuilder:validation:Optional - URL *string `json:"url,omitempty" tf:"url,omitempty"` + URL *string `json:"url" tf:"url,omitempty"` // The username to authenticate with. // The AWS access key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead. 
@@ -3463,6 +3691,7 @@ type SecretsMountRedisInitParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // The host to connect to. @@ -3478,6 +3707,10 @@ type SecretsMountRedisInitParameters struct { // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The password to authenticate with. + // Specifies the password corresponding to the given username. + PasswordSecretRef v1.SecretKeySelector `json:"passwordSecretRef" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` @@ -3518,6 +3751,7 @@ type SecretsMountRedisObservation struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // The host to connect to. 
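Review bot: `PasswordSecretRef` in `SecretsMountRedisInitParameters` (hunk at -3478) is added as a value-typed `v1.SecretKeySelector` tagged `json:"passwordSecretRef"`, with no `omitempty` and no Optional marker, while the Postgres, Redis ElastiCache, Redshift and Snowflake init structs in this diff get a pointer with `omitempty`. Under the usual kubebuilder defaults this would make a password secret reference mandatory on every `initProvider` redis entry, and an unset value would serialise as an empty selector rather than being absent; this is inferred from the tags, since the rendered CRD is not shown here. The same value-typed field in `SecretsMountRedisParameters` (hunk at -3592) has its marker switched from Required to Optional, so the Go type and the validation marker now disagree there as well. I would declare both as `PasswordSecretRef *v1.SecretKeySelector` with `json:"passwordSecretRef,omitempty"`, or keep the Required marker if a Redis connection must always carry a password. Both structs begin and end outside their hunks.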
@@ -3576,12 +3810,13 @@ type SecretsMountRedisParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // The host to connect to. // Specifies the host to connect to // +kubebuilder:validation:Optional - Host *string `json:"host,omitempty" tf:"host,omitempty"` + Host *string `json:"host" tf:"host,omitempty"` // Whether to skip verification of the server // certificate when using TLS. @@ -3592,11 +3827,11 @@ type SecretsMountRedisParameters struct { // for any configured database engine is changed // Name of the database connection. // +kubebuilder:validation:Optional - Name *string `json:"name,omitempty" tf:"name,omitempty"` + Name *string `json:"name" tf:"name,omitempty"` // The password to authenticate with. // Specifies the password corresponding to the given username. - // +kubebuilder:validation:Required + // +kubebuilder:validation:Optional PasswordSecretRef v1.SecretKeySelector `json:"passwordSecretRef" tf:"-"` // Specifies the name of the plugin to use. @@ -3623,7 +3858,7 @@ type SecretsMountRedisParameters struct { // The username to authenticate with. // Specifies the username for Vault to use. // +kubebuilder:validation:Optional - Username *string `json:"username,omitempty" tf:"username,omitempty"` + Username *string `json:"username" tf:"username,omitempty"` // Whether the connection should be verified on // initial configuration or not. 
@@ -3646,6 +3881,7 @@ type SecretsMountRedshiftInitParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // Disable special character escaping in username and password. @@ -3671,6 +3907,10 @@ type SecretsMountRedshiftInitParameters struct { // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The password to authenticate with. + // The root credential password used in the connection URL + PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` @@ -3707,6 +3947,7 @@ type SecretsMountRedshiftObservation struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // Disable special character escaping in username and password. @@ -3771,6 +4012,7 @@ type SecretsMountRedshiftParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // Disable special character escaping in username and password. 
@@ -3799,7 +4041,7 @@ type SecretsMountRedshiftParameters struct { // for any configured database engine is changed // Name of the database connection. // +kubebuilder:validation:Optional - Name *string `json:"name,omitempty" tf:"name,omitempty"` + Name *string `json:"name" tf:"name,omitempty"` // The password to authenticate with. // The root credential password used in the connection URL @@ -3847,6 +4089,7 @@ type SecretsMountSnowflakeInitParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // The maximum number of seconds to keep @@ -3868,6 +4111,10 @@ type SecretsMountSnowflakeInitParameters struct { // Name of the database connection. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // The password to authenticate with. + // The root credential password used in the connection URL + PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // Specifies the name of the plugin to use. // Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. PluginName *string `json:"pluginName,omitempty" tf:"plugin_name,omitempty"` @@ -3904,6 +4151,7 @@ type SecretsMountSnowflakeObservation struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // The maximum number of seconds to keep 
@@ -3964,6 +4212,7 @@ type SecretsMountSnowflakeParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. // +kubebuilder:validation:Optional + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // The maximum number of seconds to keep @@ -3987,7 +4236,7 @@ type SecretsMountSnowflakeParameters struct { // for any configured database engine is changed // Name of the database connection. // +kubebuilder:validation:Optional - Name *string `json:"name,omitempty" tf:"name,omitempty"` + Name *string `json:"name" tf:"name,omitempty"` // The password to authenticate with. // The root credential password used in the connection URL @@ -4025,9 +4274,8 @@ type SecretsMountSnowflakeParameters struct { type SecretsMountSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretsMountParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -4046,18 +4294,19 @@ type SecretsMountStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretsMount is the Schema for the SecretsMounts API. Configures any number of database secrets engines under a single mount resource -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretsMount struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || has(self.initProvider.path)",message="path is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || (has(self.initProvider) && has(self.initProvider.path))",message="spec.forProvider.path is a required parameter" Spec SecretsMountSpec `json:"spec"` Status SecretsMountStatus `json:"status,omitempty"` } diff --git a/apis/egp/v1alpha1/zz_generated.conversion_hubs.go b/apis/egp/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..8de3d5b0 --- /dev/null +++ b/apis/egp/v1alpha1/zz_generated.conversion_hubs.go 
@@ -0,0 +1,10 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *Policy) Hub() {} diff --git a/apis/egp/v1alpha1/zz_generated.deepcopy.go b/apis/egp/v1alpha1/zz_generated.deepcopy.go index b19ca8f6..be07bc15 100644 --- a/apis/egp/v1alpha1/zz_generated.deepcopy.go +++ b/apis/egp/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. diff --git a/apis/egp/v1alpha1/zz_generated.managed.go b/apis/egp/v1alpha1/zz_generated.managed.go index a29e31ba..4bca39f2 100644 --- a/apis/egp/v1alpha1/zz_generated.managed.go +++ b/apis/egp/v1alpha1/zz_generated.managed.go @@ -27,14 +27,6 @@ func (mg *Policy) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this Policy. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *Policy) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this Policy. func (mg *Policy) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -65,14 +57,6 @@ func (mg *Policy) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this Policy. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *Policy) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this Policy. func (mg *Policy) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r 
diff --git a/apis/egp/v1alpha1/zz_generated_terraformed.go b/apis/egp/v1alpha1/zz_policy_terraformed.go similarity index 69% rename from apis/egp/v1alpha1/zz_generated_terraformed.go rename to apis/egp/v1alpha1/zz_policy_terraformed.go index d7dbf4fa..d785da0c 100755 --- a/apis/egp/v1alpha1/zz_generated_terraformed.go +++ b/apis/egp/v1alpha1/zz_policy_terraformed.go @@ -7,10 +7,11 @@ Copyright 2022 Upbound Inc. package v1alpha1 import ( + "dario.cat/mergo" "github.com/pkg/errors" - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" ) // GetTerraformResourceType returns Terraform resource type for this Policy 
@@ -79,6 +80,36 @@ func (tr *Policy) GetInitParameters() (map[string]any, error) { return base, json.TFParser.Unmarshal(p, &base) } +// GetInitParameters of this Policy +func (tr *Policy) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + // LateInitialize this Policy using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *Policy) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/egp/v1alpha1/zz_policy_types.go b/apis/egp/v1alpha1/zz_policy_types.go index 1094eafa..549306b2 100755 --- a/apis/egp/v1alpha1/zz_policy_types.go +++ b/apis/egp/v1alpha1/zz_policy_types.go 
@@ -102,9 +102,8 @@ type PolicyParameters struct { type PolicySpec struct { v1.ResourceSpec `json:",inline"` ForProvider PolicyParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -123,21 +122,22 @@ type PolicyStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // Policy is the Schema for the Policys API. Writes Sentinel endpoint governing policies for Vault -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type Policy struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.enforcementLevel) || has(self.initProvider.enforcementLevel)",message="enforcementLevel is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.paths) || has(self.initProvider.paths)",message="paths is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) 
|| has(self.forProvider.policy) || has(self.initProvider.policy)",message="policy is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.enforcementLevel) || (has(self.initProvider) && has(self.initProvider.enforcementLevel))",message="spec.forProvider.enforcementLevel is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.paths) || (has(self.initProvider) && has(self.initProvider.paths))",message="spec.forProvider.paths is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.policy) || (has(self.initProvider) && has(self.initProvider.policy))",message="spec.forProvider.policy is a required parameter" Spec PolicySpec `json:"spec"` Status PolicyStatus `json:"status,omitempty"` } diff --git a/apis/gcp/v1alpha1/zz_authbackend_terraformed.go b/apis/gcp/v1alpha1/zz_authbackend_terraformed.go new file mode 100755 index 00000000..4af46a09 --- /dev/null +++ b/apis/gcp/v1alpha1/zz_authbackend_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this AuthBackend +func (mg *AuthBackend) GetTerraformResourceType() string { + return "vault_gcp_auth_backend" +} + +// GetConnectionDetailsMapping for this AuthBackend +func (tr *AuthBackend) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"credentials": "credentialsSecretRef"} +} + +// GetObservation of this AuthBackend +func (tr *AuthBackend) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this AuthBackend +func (tr *AuthBackend) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this AuthBackend +func (tr *AuthBackend) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this AuthBackend +func (tr *AuthBackend) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this AuthBackend +func (tr *AuthBackend) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this AuthBackend +func (tr *AuthBackend) 
GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this AuthBackend +func (tr *AuthBackend) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this AuthBackend using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *AuthBackend) LateInitialize(attrs []byte) (bool, error) { + params := &AuthBackendParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *AuthBackend) GetTerraformSchemaVersion() int { + return 1 +} diff --git a/apis/gcp/v1alpha1/zz_authbackend_types.go b/apis/gcp/v1alpha1/zz_authbackend_types.go index 45041aa6..0eea35c3 100755 --- a/apis/gcp/v1alpha1/zz_authbackend_types.go +++ b/apis/gcp/v1alpha1/zz_authbackend_types.go @@ -18,6 +18,8 @@ type AuthBackendInitParameters struct { ClientID *string `json:"clientId,omitempty" tf:"client_id,omitempty"` + CredentialsSecretRef *v1.SecretKeySelector `json:"credentialsSecretRef,omitempty" tf:"-"` + // Specifies overrides to service endpoints used when making API requests to GCP. CustomEndpoint []CustomEndpointInitParameters `json:"customEndpoint,omitempty" tf:"custom_endpoint,omitempty"` @@ -26,6 +28,15 @@ type AuthBackendInitParameters struct { // If set, opts out of mount migration on path updates. DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + // The audience claim value for plugin identity tokens. + IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The key to use for signing identity tokens. + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + + // The TTL of generated tokens. + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + // Specifies if the auth method is local only Local *bool `json:"local,omitempty" tf:"local,omitempty"` 
@@ -38,6 +49,9 @@ type AuthBackendInitParameters struct { ProjectID *string `json:"projectId,omitempty" tf:"project_id,omitempty"` + // Service Account to impersonate for plugin workload identity federation. + ServiceAccountEmail *string `json:"serviceAccountEmail,omitempty" tf:"service_account_email,omitempty"` + Tune []TuneInitParameters `json:"tune,omitempty" tf:"tune,omitempty"` } @@ -60,6 +74,15 @@ type AuthBackendObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The audience claim value for plugin identity tokens. + IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The key to use for signing identity tokens. + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + + // The TTL of generated tokens. + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + // Specifies if the auth method is local only Local *bool `json:"local,omitempty" tf:"local,omitempty"` @@ -72,6 +95,9 @@ type AuthBackendObservation struct { ProjectID *string `json:"projectId,omitempty" tf:"project_id,omitempty"` + // Service Account to impersonate for plugin workload identity federation. + ServiceAccountEmail *string `json:"serviceAccountEmail,omitempty" tf:"service_account_email,omitempty"` + Tune []TuneObservation `json:"tune,omitempty" tf:"tune,omitempty"` } 
@@ -97,6 +123,18 @@ type AuthBackendParameters struct { // +kubebuilder:validation:Optional DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + // The audience claim value for plugin identity tokens. + // +kubebuilder:validation:Optional + IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The key to use for signing identity tokens. + // +kubebuilder:validation:Optional + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + + // The TTL of generated tokens. + // +kubebuilder:validation:Optional + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + // Specifies if the auth method is local only // +kubebuilder:validation:Optional Local *bool `json:"local,omitempty" tf:"local,omitempty"` @@ -114,6 +152,10 @@ type AuthBackendParameters struct { // +kubebuilder:validation:Optional ProjectID *string `json:"projectId,omitempty" tf:"project_id,omitempty"` + // Service Account to impersonate for plugin workload identity federation. + // +kubebuilder:validation:Optional + ServiceAccountEmail *string `json:"serviceAccountEmail,omitempty" tf:"service_account_email,omitempty"` + // +kubebuilder:validation:Optional Tune []TuneParameters `json:"tune,omitempty" tf:"tune,omitempty"` } 
@@ -234,9 +276,8 @@ type TuneParameters struct { type AuthBackendSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. @@ -255,13 +296,14 @@ type AuthBackendStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // AuthBackend is the Schema for the AuthBackends API. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type AuthBackend struct { metav1.TypeMeta `json:",inline"` diff --git a/apis/gcp/v1alpha1/zz_authbackendrole_terraformed.go b/apis/gcp/v1alpha1/zz_authbackendrole_terraformed.go new file mode 100755 index 00000000..970e72f3 --- /dev/null +++ b/apis/gcp/v1alpha1/zz_authbackendrole_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this AuthBackendRole +func (mg *AuthBackendRole) GetTerraformResourceType() string { + return "vault_gcp_auth_backend_role" +} + +// GetConnectionDetailsMapping for this AuthBackendRole +func (tr *AuthBackendRole) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this AuthBackendRole +func (tr *AuthBackendRole) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this AuthBackendRole +func (tr *AuthBackendRole) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this AuthBackendRole +func (tr *AuthBackendRole) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this AuthBackendRole +func (tr *AuthBackendRole) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this AuthBackendRole +func (tr *AuthBackendRole) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this AuthBackendRole +func (tr 
*AuthBackendRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this AuthBackendRole +func (tr *AuthBackendRole) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this AuthBackendRole using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *AuthBackendRole) LateInitialize(attrs []byte) (bool, error) { + params := &AuthBackendRoleParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *AuthBackendRole) GetTerraformSchemaVersion() int { + return 1 +} diff --git a/apis/gcp/v1alpha1/zz_authbackendrole_types.go b/apis/gcp/v1alpha1/zz_authbackendrole_types.go index 66389863..43ba34d3 100755 --- a/apis/gcp/v1alpha1/zz_authbackendrole_types.go +++ b/apis/gcp/v1alpha1/zz_authbackendrole_types.go 
@@ -20,24 +20,40 @@ type AuthBackendRoleInitParameters struct { AllowGceInference *bool `json:"allowGceInference,omitempty" tf:"allow_gce_inference,omitempty"` // Path to the mounted GCP auth backend + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either bound_zones or bound_regions must be set too. + // +listType=set BoundInstanceGroups []*string `json:"boundInstanceGroups,omitempty" tf:"bound_instance_groups,omitempty"` // A comma-separated list of GCP labels formatted as "key:value" strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions. + // +listType=set BoundLabels []*string `json:"boundLabels,omitempty" tf:"bound_labels,omitempty"` // An array of GCP project IDs. Only entities belonging to this project can authenticate under the role. + // +listType=set BoundProjects []*string `json:"boundProjects,omitempty" tf:"bound_projects,omitempty"` // The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored. 
+ // +listType=set BoundRegions []*string `json:"boundRegions,omitempty" tf:"bound_regions,omitempty"` // GCP Service Accounts allowed to issue tokens under this role. (Note: Required if role is iam) + // +listType=set BoundServiceAccounts []*string `json:"boundServiceAccounts,omitempty" tf:"bound_service_accounts,omitempty"` // The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone. + // +listType=set BoundZones []*string `json:"boundZones,omitempty" tf:"bound_zones,omitempty"` // The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter exp. The GCE metadata tokens currently do not allow the exp claim to be customized. @@ -57,6 +73,7 @@ type AuthBackendRoleInitParameters struct { // addresses which can authenticate successfully, and ties the resulting token to these blocks // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // If set, will encode an @@ -91,6 +108,7 @@ type AuthBackendRoleInitParameters struct { // List of policies to encode onto generated tokens. Depending // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The incremental lifetime for generated tokens in number of seconds. 
@@ -120,21 +138,27 @@ type AuthBackendRoleObservation struct { Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` // The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either bound_zones or bound_regions must be set too. + // +listType=set BoundInstanceGroups []*string `json:"boundInstanceGroups,omitempty" tf:"bound_instance_groups,omitempty"` // A comma-separated list of GCP labels formatted as "key:value" strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions. + // +listType=set BoundLabels []*string `json:"boundLabels,omitempty" tf:"bound_labels,omitempty"` // An array of GCP project IDs. Only entities belonging to this project can authenticate under the role. + // +listType=set BoundProjects []*string `json:"boundProjects,omitempty" tf:"bound_projects,omitempty"` // The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored. + // +listType=set BoundRegions []*string `json:"boundRegions,omitempty" tf:"bound_regions,omitempty"` // GCP Service Accounts allowed to issue tokens under this role. (Note: Required if role is iam) + // +listType=set BoundServiceAccounts []*string `json:"boundServiceAccounts,omitempty" tf:"bound_service_accounts,omitempty"` // The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone. + // +listType=set BoundZones []*string `json:"boundZones,omitempty" tf:"bound_zones,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` 
@@ -156,6 +180,7 @@ type AuthBackendRoleObservation struct { // addresses which can authenticate successfully, and ties the resulting token to these blocks // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // If set, will encode an @@ -190,6 +215,7 @@ type AuthBackendRoleObservation struct { // List of policies to encode onto generated tokens. Depending // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The incremental lifetime for generated tokens in number of seconds. 
@@ -219,31 +245,47 @@ type AuthBackendRoleParameters struct { AllowGceInference *bool `json:"allowGceInference,omitempty" tf:"allow_gce_inference,omitempty"` // Path to the mounted GCP auth backend + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either bound_zones or bound_regions must be set too. // +kubebuilder:validation:Optional + // +listType=set BoundInstanceGroups []*string `json:"boundInstanceGroups,omitempty" tf:"bound_instance_groups,omitempty"` // A comma-separated list of GCP labels formatted as "key:value" strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions. // +kubebuilder:validation:Optional + // +listType=set BoundLabels []*string `json:"boundLabels,omitempty" tf:"bound_labels,omitempty"` // An array of GCP project IDs. Only entities belonging to this project can authenticate under the role. // +kubebuilder:validation:Optional + // +listType=set BoundProjects []*string `json:"boundProjects,omitempty" tf:"bound_projects,omitempty"` // The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. 
If bound_zones are provided, this attribute is ignored. // +kubebuilder:validation:Optional + // +listType=set BoundRegions []*string `json:"boundRegions,omitempty" tf:"bound_regions,omitempty"` // GCP Service Accounts allowed to issue tokens under this role. (Note: Required if role is iam) // +kubebuilder:validation:Optional + // +listType=set BoundServiceAccounts []*string `json:"boundServiceAccounts,omitempty" tf:"bound_service_accounts,omitempty"` // The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone. // +kubebuilder:validation:Optional + // +listType=set BoundZones []*string `json:"boundZones,omitempty" tf:"bound_zones,omitempty"` // The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter exp. The GCE metadata tokens currently do not allow the exp claim to be customized. @@ -267,6 +309,7 @@ type AuthBackendRoleParameters struct { // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token // +kubebuilder:validation:Optional + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // If set, will encode an @@ -307,6 +350,7 @@ type AuthBackendRoleParameters struct { // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies // +kubebuilder:validation:Optional + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The incremental lifetime for generated tokens in number of seconds. 
@@ -333,9 +377,8 @@ type AuthBackendRoleParameters struct { type AuthBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendRoleParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -354,19 +397,20 @@ type AuthBackendRoleStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // AuthBackendRole is the Schema for the AuthBackendRoles API. Managing roles in an GCP auth backend in Vault -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type AuthBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.role) || has(self.initProvider.role)",message="role is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.type) || has(self.initProvider.type)",message="type is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.role) || (has(self.initProvider) && has(self.initProvider.role))",message="spec.forProvider.role is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 
'Update' in self.managementPolicies) || has(self.forProvider.type) || (has(self.initProvider) && has(self.initProvider.type))",message="spec.forProvider.type is a required parameter" Spec AuthBackendRoleSpec `json:"spec"` Status AuthBackendRoleStatus `json:"status,omitempty"` } diff --git a/apis/gcp/v1alpha1/zz_generated.conversion_hubs.go b/apis/gcp/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..4b7802c2 --- /dev/null +++ b/apis/gcp/v1alpha1/zz_generated.conversion_hubs.go @@ -0,0 +1,25 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *AuthBackend) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *AuthBackendRole) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SecretBackend) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SecretImpersonatedAccount) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SecretRoleset) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SecretStaticAccount) Hub() {} diff --git a/apis/gcp/v1alpha1/zz_generated.deepcopy.go b/apis/gcp/v1alpha1/zz_generated.deepcopy.go index 0b0ed067..42fdb7e1 100644 --- a/apis/gcp/v1alpha1/zz_generated.deepcopy.go +++ b/apis/gcp/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. @@ -54,6 +53,11 @@ func (in *AuthBackendInitParameters) DeepCopyInto(out *AuthBackendInitParameters *out = new(string) **out = **in } + if in.CredentialsSecretRef != nil { + in, out := &in.CredentialsSecretRef, &out.CredentialsSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.CustomEndpoint != nil { in, out := &in.CustomEndpoint, &out.CustomEndpoint *out = make([]CustomEndpointInitParameters, len(*in)) 
@@ -71,6 +75,21 @@ func (in *AuthBackendInitParameters) DeepCopyInto(out *AuthBackendInitParameters *out = new(bool) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) @@ -96,6 +115,11 @@ func (in *AuthBackendInitParameters) DeepCopyInto(out *AuthBackendInitParameters *out = new(string) **out = **in } + if in.ServiceAccountEmail != nil { + in, out := &in.ServiceAccountEmail, &out.ServiceAccountEmail + *out = new(string) + **out = **in + } if in.Tune != nil { in, out := &in.Tune, &out.Tune *out = make([]TuneInitParameters, len(*in)) @@ -187,6 +211,21 @@ func (in *AuthBackendObservation) DeepCopyInto(out *AuthBackendObservation) { *out = new(string) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) @@ -212,6 +251,11 @@ func (in *AuthBackendObservation) DeepCopyInto(out *AuthBackendObservation) { *out = new(string) **out = **in } + if in.ServiceAccountEmail != nil { + in, out := &in.ServiceAccountEmail, &out.ServiceAccountEmail + *out = new(string) + **out = **in + } if in.Tune != nil { in, out := &in.Tune, &out.Tune *out = make([]TuneObservation, len(*in)) 
@@ -266,6 +310,21 @@ func (in *AuthBackendParameters) DeepCopyInto(out *AuthBackendParameters) { *out = new(bool) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) @@ -291,6 +350,11 @@ func (in *AuthBackendParameters) DeepCopyInto(out *AuthBackendParameters) { *out = new(string) **out = **in } + if in.ServiceAccountEmail != nil { + in, out := &in.ServiceAccountEmail, &out.ServiceAccountEmail + *out = new(string) + **out = **in + } if in.Tune != nil { in, out := &in.Tune, &out.Tune *out = make([]TuneParameters, len(*in)) @@ -355,6 +419,16 @@ func (in *AuthBackendRoleInitParameters) DeepCopyInto(out *AuthBackendRoleInitPa *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.BoundInstanceGroups != nil { in, out := &in.BoundInstanceGroups, &out.BoundInstanceGroups *out = make([]*string, len(*in)) 
@@ -738,6 +812,16 @@ func (in *AuthBackendRoleParameters) DeepCopyInto(out *AuthBackendRoleParameters *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.BoundInstanceGroups != nil { in, out := &in.BoundInstanceGroups, &out.BoundInstanceGroups *out = make([]*string, len(*in)) @@ -1191,6 +1275,11 @@ func (in *SecretBackend) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParameters) { *out = *in + if in.CredentialsSecretRef != nil { + in, out := &in.CredentialsSecretRef, &out.CredentialsSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.DefaultLeaseTTLSeconds != nil { in, out := &in.DefaultLeaseTTLSeconds, &out.DefaultLeaseTTLSeconds *out = new(float64) @@ -1206,6 +1295,21 @@ func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParame *out = new(bool) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) 
@@ -1226,6 +1330,11 @@ func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParame *out = new(string) **out = **in } + if in.ServiceAccountEmail != nil { + in, out := &in.ServiceAccountEmail, &out.ServiceAccountEmail + *out = new(string) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendInitParameters. @@ -1273,6 +1382,11 @@ func (in *SecretBackendList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretBackendObservation) DeepCopyInto(out *SecretBackendObservation) { *out = *in + if in.Accessor != nil { + in, out := &in.Accessor, &out.Accessor + *out = new(string) + **out = **in + } if in.DefaultLeaseTTLSeconds != nil { in, out := &in.DefaultLeaseTTLSeconds, &out.DefaultLeaseTTLSeconds *out = new(float64) @@ -1293,6 +1407,21 @@ func (in *SecretBackendObservation) DeepCopyInto(out *SecretBackendObservation) *out = new(string) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) @@ -1313,6 +1442,11 @@ func (in *SecretBackendObservation) DeepCopyInto(out *SecretBackendObservation) *out = new(string) **out = **in } + if in.ServiceAccountEmail != nil { + in, out := &in.ServiceAccountEmail, &out.ServiceAccountEmail + *out = new(string) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendObservation. 
@@ -1348,6 +1482,21 @@ func (in *SecretBackendParameters) DeepCopyInto(out *SecretBackendParameters) { *out = new(bool) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) @@ -1368,6 +1517,11 @@ func (in *SecretBackendParameters) DeepCopyInto(out *SecretBackendParameters) { *out = new(string) **out = **in } + if in.ServiceAccountEmail != nil { + in, out := &in.ServiceAccountEmail, &out.ServiceAccountEmail + *out = new(string) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendParameters. @@ -1450,6 +1604,16 @@ func (in *SecretImpersonatedAccountInitParameters) DeepCopyInto(out *SecretImper *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.ImpersonatedAccount != nil { in, out := &in.ImpersonatedAccount, &out.ImpersonatedAccount *out = new(string) 
@@ -1584,6 +1748,16 @@ func (in *SecretImpersonatedAccountParameters) DeepCopyInto(out *SecretImpersona *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.ImpersonatedAccount != nil { in, out := &in.ImpersonatedAccount, &out.ImpersonatedAccount *out = new(string) @@ -1692,6 +1866,16 @@ func (in *SecretRolesetInitParameters) DeepCopyInto(out *SecretRolesetInitParame *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Binding != nil { in, out := &in.Binding, &out.Binding *out = make([]BindingInitParameters, len(*in)) @@ -1850,6 +2034,16 @@ func (in *SecretRolesetParameters) DeepCopyInto(out *SecretRolesetParameters) { *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Binding != nil { in, out := &in.Binding, &out.Binding *out = make([]BindingParameters, len(*in)) 
@@ -2063,6 +2257,16 @@ func (in *SecretStaticAccountInitParameters) DeepCopyInto(out *SecretStaticAccou *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Binding != nil { in, out := &in.Binding, &out.Binding *out = make([]SecretStaticAccountBindingInitParameters, len(*in)) @@ -2221,6 +2425,16 @@ func (in *SecretStaticAccountParameters) DeepCopyInto(out *SecretStaticAccountPa *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Binding != nil { in, out := &in.Binding, &out.Binding *out = make([]SecretStaticAccountBindingParameters, len(*in)) diff --git a/apis/gcp/v1alpha1/zz_generated.managed.go b/apis/gcp/v1alpha1/zz_generated.managed.go index f5036998..be5cfe91 100644 --- a/apis/gcp/v1alpha1/zz_generated.managed.go +++ b/apis/gcp/v1alpha1/zz_generated.managed.go @@ -27,14 +27,6 @@ func (mg *AuthBackend) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this AuthBackend. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *AuthBackend) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this AuthBackend. func (mg *AuthBackend) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -65,14 +57,6 @@ func (mg *AuthBackend) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this AuthBackend. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *AuthBackend) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this AuthBackend. func (mg *AuthBackend) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -103,14 +87,6 @@ func (mg *AuthBackendRole) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this AuthBackendRole. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *AuthBackendRole) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this AuthBackendRole. func (mg *AuthBackendRole) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -141,14 +117,6 @@ func (mg *AuthBackendRole) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this AuthBackendRole. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *AuthBackendRole) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this AuthBackendRole. func (mg *AuthBackendRole) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r 
@@ -179,14 +147,6 @@ func (mg *SecretBackend) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretBackend. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretBackend) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretBackend. func (mg *SecretBackend) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -217,14 +177,6 @@ func (mg *SecretBackend) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretBackend. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretBackend) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretBackend. func (mg *SecretBackend) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -255,14 +207,6 @@ func (mg *SecretImpersonatedAccount) GetProviderConfigReference() *xpv1.Referenc return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretImpersonatedAccount. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretImpersonatedAccount) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretImpersonatedAccount. func (mg *SecretImpersonatedAccount) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -293,14 +237,6 @@ func (mg *SecretImpersonatedAccount) SetProviderConfigReference(r *xpv1.Referenc mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretImpersonatedAccount. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretImpersonatedAccount) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretImpersonatedAccount. func (mg *SecretImpersonatedAccount) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -331,14 +267,6 @@ func (mg *SecretRoleset) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretRoleset. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretRoleset) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretRoleset. func (mg *SecretRoleset) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -369,14 +297,6 @@ func (mg *SecretRoleset) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretRoleset. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretRoleset) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretRoleset. func (mg *SecretRoleset) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r 
@@ -407,14 +327,6 @@ func (mg *SecretStaticAccount) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretStaticAccount. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretStaticAccount) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretStaticAccount. func (mg *SecretStaticAccount) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -445,14 +357,6 @@ func (mg *SecretStaticAccount) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretStaticAccount. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretStaticAccount) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretStaticAccount. func (mg *SecretStaticAccount) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/gcp/v1alpha1/zz_generated.resolvers.go b/apis/gcp/v1alpha1/zz_generated.resolvers.go new file mode 100644 index 00000000..d9fbe3d0 --- /dev/null +++ b/apis/gcp/v1alpha1/zz_generated.resolvers.go 
@@ -0,0 +1,183 @@ +/* +Copyright 2022 Upbound Inc. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + reference "github.com/crossplane/crossplane-runtime/pkg/reference" + resource "github.com/crossplane/upjet/pkg/resource" + errors "github.com/pkg/errors" + v1alpha1 "github.com/upbound/provider-vault/apis/auth/v1alpha1" + client "sigs.k8s.io/controller-runtime/pkg/client" +) + +// ResolveReferences of this AuthBackendRole. +func (mg *AuthBackendRole) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this SecretImpersonatedAccount. 
+func (mg *SecretImpersonatedAccount) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &SecretBackendList{}, + Managed: &SecretBackend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &SecretBackendList{}, + Managed: &SecretBackend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this SecretRoleset. 
+func (mg *SecretRoleset) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &SecretBackendList{}, + Managed: &SecretBackend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &SecretBackendList{}, + Managed: &SecretBackend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this SecretStaticAccount. 
+func (mg *SecretStaticAccount) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &SecretBackendList{}, + Managed: &SecretBackend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &SecretBackendList{}, + Managed: &SecretBackend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} diff --git a/apis/gcp/v1alpha1/zz_generated_terraformed.go b/apis/gcp/v1alpha1/zz_generated_terraformed.go deleted file mode 100755 index b215e2e3..00000000 --- a/apis/gcp/v1alpha1/zz_generated_terraformed.go +++ /dev/null 
@@ -1,518 +0,0 @@ -/* -Copyright 2022 Upbound Inc. -*/ - -// Code generated by upjet. DO NOT EDIT. - -package v1alpha1 - -import ( - "github.com/pkg/errors" - - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" -) - -// GetTerraformResourceType returns Terraform resource type for this AuthBackend -func (mg *AuthBackend) GetTerraformResourceType() string { - return "vault_gcp_auth_backend" -} - -// GetConnectionDetailsMapping for this AuthBackend -func (tr *AuthBackend) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"credentials": "spec.forProvider.credentialsSecretRef"} -} - -// GetObservation of this AuthBackend -func (tr *AuthBackend) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this AuthBackend -func (tr *AuthBackend) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this AuthBackend -func (tr *AuthBackend) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this AuthBackend -func (tr *AuthBackend) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this AuthBackend -func (tr *AuthBackend) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this AuthBackend -func (tr *AuthBackend) GetInitParameters() 
(map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this AuthBackend using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *AuthBackend) LateInitialize(attrs []byte) (bool, error) { - params := &AuthBackendParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *AuthBackend) GetTerraformSchemaVersion() int { - return 1 -} - -// GetTerraformResourceType returns Terraform resource type for this AuthBackendRole -func (mg *AuthBackendRole) GetTerraformResourceType() string { - return "vault_gcp_auth_backend_role" -} - -// GetConnectionDetailsMapping for this AuthBackendRole -func (tr *AuthBackendRole) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this AuthBackendRole -func (tr *AuthBackendRole) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this AuthBackendRole -func (tr *AuthBackendRole) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this AuthBackendRole -func (tr *AuthBackendRole) 
GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this AuthBackendRole -func (tr *AuthBackendRole) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this AuthBackendRole -func (tr *AuthBackendRole) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this AuthBackendRole -func (tr *AuthBackendRole) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this AuthBackendRole using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *AuthBackendRole) LateInitialize(attrs []byte) (bool, error) { - params := &AuthBackendRoleParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *AuthBackendRole) GetTerraformSchemaVersion() int { - return 1 -} - -// GetTerraformResourceType returns Terraform resource type for this SecretBackend -func (mg *SecretBackend) GetTerraformResourceType() string { - return "vault_gcp_secret_backend" -} - -// GetConnectionDetailsMapping for this SecretBackend -func (tr *SecretBackend) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"credentials": "spec.forProvider.credentialsSecretRef"} -} - -// GetObservation of this SecretBackend -func (tr *SecretBackend) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretBackend -func (tr *SecretBackend) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this SecretBackend -func (tr *SecretBackend) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this SecretBackend -func (tr *SecretBackend) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this SecretBackend -func (tr *SecretBackend) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this SecretBackend -func (tr *SecretBackend) GetInitParameters() 
(map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this SecretBackend using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { - params := &SecretBackendParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretBackend) GetTerraformSchemaVersion() int { - return 1 -} - -// GetTerraformResourceType returns Terraform resource type for this SecretImpersonatedAccount -func (mg *SecretImpersonatedAccount) GetTerraformResourceType() string { - return "vault_gcp_secret_impersonated_account" -} - -// GetConnectionDetailsMapping for this SecretImpersonatedAccount -func (tr *SecretImpersonatedAccount) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this SecretImpersonatedAccount -func (tr *SecretImpersonatedAccount) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretImpersonatedAccount -func (tr *SecretImpersonatedAccount) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID 
returns ID of underlying Terraform resource of this SecretImpersonatedAccount -func (tr *SecretImpersonatedAccount) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this SecretImpersonatedAccount -func (tr *SecretImpersonatedAccount) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this SecretImpersonatedAccount -func (tr *SecretImpersonatedAccount) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this SecretImpersonatedAccount -func (tr *SecretImpersonatedAccount) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this SecretImpersonatedAccount using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretImpersonatedAccount) LateInitialize(attrs []byte) (bool, error) { - params := &SecretImpersonatedAccountParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretImpersonatedAccount) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this SecretRoleset -func (mg *SecretRoleset) GetTerraformResourceType() string { - return "vault_gcp_secret_roleset" -} - -// GetConnectionDetailsMapping for this SecretRoleset -func (tr *SecretRoleset) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this SecretRoleset -func (tr *SecretRoleset) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretRoleset -func (tr *SecretRoleset) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this SecretRoleset -func (tr *SecretRoleset) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this SecretRoleset -func (tr *SecretRoleset) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this SecretRoleset -func (tr *SecretRoleset) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this SecretRoleset -func (tr *SecretRoleset) GetInitParameters() (map[string]any, error) { - p, err := 
json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this SecretRoleset using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretRoleset) LateInitialize(attrs []byte) (bool, error) { - params := &SecretRolesetParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretRoleset) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this SecretStaticAccount -func (mg *SecretStaticAccount) GetTerraformResourceType() string { - return "vault_gcp_secret_static_account" -} - -// GetConnectionDetailsMapping for this SecretStaticAccount -func (tr *SecretStaticAccount) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this SecretStaticAccount -func (tr *SecretStaticAccount) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretStaticAccount -func (tr *SecretStaticAccount) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this SecretStaticAccount -func (tr 
*SecretStaticAccount) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this SecretStaticAccount -func (tr *SecretStaticAccount) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this SecretStaticAccount -func (tr *SecretStaticAccount) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this SecretStaticAccount -func (tr *SecretStaticAccount) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this SecretStaticAccount using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretStaticAccount) LateInitialize(attrs []byte) (bool, error) { - params := &SecretStaticAccountParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretStaticAccount) GetTerraformSchemaVersion() int { - return 0 -} diff --git a/apis/gcp/v1alpha1/zz_secretbackend_terraformed.go b/apis/gcp/v1alpha1/zz_secretbackend_terraformed.go new file mode 100755 index 00000000..0e23a7d3 --- /dev/null 
+++ b/apis/gcp/v1alpha1/zz_secretbackend_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretBackend +func (mg *SecretBackend) GetTerraformResourceType() string { + return "vault_gcp_secret_backend" +} + +// GetConnectionDetailsMapping for this SecretBackend +func (tr *SecretBackend) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"credentials": "credentialsSecretRef"} +} + +// GetObservation of this SecretBackend +func (tr *SecretBackend) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretBackend +func (tr *SecretBackend) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretBackend +func (tr *SecretBackend) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretBackend +func (tr *SecretBackend) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretBackend +func (tr *SecretBackend) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this SecretBackend 
+func (tr *SecretBackend) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretBackend +func (tr *SecretBackend) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretBackend using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { + params := &SecretBackendParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretBackend) GetTerraformSchemaVersion() int { + return 1 +} diff --git a/apis/gcp/v1alpha1/zz_secretbackend_types.go b/apis/gcp/v1alpha1/zz_secretbackend_types.go index 1ab20d79..a41eca5a 100755 --- a/apis/gcp/v1alpha1/zz_secretbackend_types.go +++ b/apis/gcp/v1alpha1/zz_secretbackend_types.go @@ -15,6 +15,10 @@ import ( type SecretBackendInitParameters struct { + // The GCP service account credentials in JSON format. + // JSON-encoded credentials to use to connect to GCP + CredentialsSecretRef *v1.SecretKeySelector `json:"credentialsSecretRef,omitempty" tf:"-"` + // The default TTL for credentials // issued by this backend. Defaults to '0'. // Default lease duration for secrets in seconds 
@@ -29,6 +33,23 @@ type SecretBackendInitParameters struct { // If set, opts out of mount migration on path updates. DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + // The audience claim value for plugin identity + // tokens. Must match an allowed audience configured for the target Workload Identity Pool. + // Mutually exclusive with credentials. Requires Vault 1.17+. Available only for Vault Enterprise. + // The audience claim value for plugin identity tokens. + IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The key to use for signing plugin identity + // tokens. Requires Vault 1.17+. Available only for Vault Enterprise. + // The key to use for signing identity tokens. + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + + // The TTL of generated tokens. Defaults to + // 1 hour. Uses duration format strings. + // Requires Vault 1.17+. Available only for Vault Enterprise. + // The TTL of generated tokens. + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + // Boolean flag that can be explicitly set to true to enforce local mount in HA environment // Local mount flag that can be explicitly set to true to enforce local mount in HA environment Local *bool `json:"local,omitempty" tf:"local,omitempty"` 
@@ -49,10 +70,19 @@ type SecretBackendInitParameters struct { // not begin or end with a /. Defaults to gcp. // Path to mount the backend at. Path *string `json:"path,omitempty" tf:"path,omitempty"` + + // – Service Account to impersonate for plugin workload identity federation. + // Required with identity_token_audience. Requires Vault 1.17+. Available only for Vault Enterprise. + // Service Account to impersonate for plugin workload identity federation. + ServiceAccountEmail *string `json:"serviceAccountEmail,omitempty" tf:"service_account_email,omitempty"` } type SecretBackendObservation struct { + // The accessor of the created GCP mount. + // Accessor of the created GCP mount. + Accessor *string `json:"accessor,omitempty" tf:"accessor,omitempty"` + // The default TTL for credentials // issued by this backend. Defaults to '0'. // Default lease duration for secrets in seconds 
@@ -69,6 +99,23 @@ type SecretBackendObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The audience claim value for plugin identity + // tokens. Must match an allowed audience configured for the target Workload Identity Pool. + // Mutually exclusive with credentials. Requires Vault 1.17+. Available only for Vault Enterprise. + // The audience claim value for plugin identity tokens. + IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The key to use for signing plugin identity + // tokens. Requires Vault 1.17+. Available only for Vault Enterprise. + // The key to use for signing identity tokens. + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + + // The TTL of generated tokens. Defaults to + // 1 hour. Uses duration format strings. + // Requires Vault 1.17+. Available only for Vault Enterprise. + // The TTL of generated tokens. + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + // Boolean flag that can be explicitly set to true to enforce local mount in HA environment // Local mount flag that can be explicitly set to true to enforce local mount in HA environment Local *bool `json:"local,omitempty" tf:"local,omitempty"` @@ -89,6 +136,11 @@ type SecretBackendObservation struct { // not begin or end with a /. Defaults to gcp. // Path to mount the backend at. Path *string `json:"path,omitempty" tf:"path,omitempty"` + + // – Service Account to impersonate for plugin workload identity federation. + // Required with identity_token_audience. Requires Vault 1.17+. Available only for Vault Enterprise. + // Service Account to impersonate for plugin workload identity federation. + ServiceAccountEmail *string `json:"serviceAccountEmail,omitempty" tf:"service_account_email,omitempty"` } type SecretBackendParameters struct { 
@@ -115,6 +167,26 @@ type SecretBackendParameters struct { // +kubebuilder:validation:Optional DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + // The audience claim value for plugin identity + // tokens. Must match an allowed audience configured for the target Workload Identity Pool. + // Mutually exclusive with credentials. Requires Vault 1.17+. Available only for Vault Enterprise. + // The audience claim value for plugin identity tokens. + // +kubebuilder:validation:Optional + IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The key to use for signing plugin identity + // tokens. Requires Vault 1.17+. Available only for Vault Enterprise. + // The key to use for signing identity tokens. + // +kubebuilder:validation:Optional + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + + // The TTL of generated tokens. Defaults to + // 1 hour. Uses duration format strings. + // Requires Vault 1.17+. Available only for Vault Enterprise. + // The TTL of generated tokens. + // +kubebuilder:validation:Optional + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + // Boolean flag that can be explicitly set to true to enforce local mount in HA environment // Local mount flag that can be explicitly set to true to enforce local mount in HA environment // +kubebuilder:validation:Optional 
@@ -139,15 +211,20 @@ type SecretBackendParameters struct { // Path to mount the backend at. // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` + + // – Service Account to impersonate for plugin workload identity federation. + // Required with identity_token_audience. Requires Vault 1.17+. Available only for Vault Enterprise. + // Service Account to impersonate for plugin workload identity federation. + // +kubebuilder:validation:Optional + ServiceAccountEmail *string `json:"serviceAccountEmail,omitempty" tf:"service_account_email,omitempty"` } // SecretBackendSpec defines the desired state of SecretBackend type SecretBackendSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -166,13 +243,14 @@ type SecretBackendStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretBackend is the Schema for the SecretBackends API. Creates an GCP secret backend for Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretBackend struct { metav1.TypeMeta `json:",inline"` diff --git a/apis/gcp/v1alpha1/zz_secretimpersonatedaccount_terraformed.go b/apis/gcp/v1alpha1/zz_secretimpersonatedaccount_terraformed.go new file mode 100755 index 00000000..a9b9607a --- /dev/null +++ b/apis/gcp/v1alpha1/zz_secretimpersonatedaccount_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretImpersonatedAccount +func (mg *SecretImpersonatedAccount) GetTerraformResourceType() string { + return "vault_gcp_secret_impersonated_account" +} + +// GetConnectionDetailsMapping for this SecretImpersonatedAccount +func (tr *SecretImpersonatedAccount) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this SecretImpersonatedAccount +func (tr *SecretImpersonatedAccount) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretImpersonatedAccount +func (tr *SecretImpersonatedAccount) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretImpersonatedAccount +func (tr *SecretImpersonatedAccount) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretImpersonatedAccount +func (tr *SecretImpersonatedAccount) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretImpersonatedAccount +func (tr *SecretImpersonatedAccount) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { 
+ return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this SecretImpersonatedAccount +func (tr *SecretImpersonatedAccount) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretImpersonatedAccount +func (tr *SecretImpersonatedAccount) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretImpersonatedAccount using its observed tfState. +// returns True if there are any spec changes for the resource. 
+func (tr *SecretImpersonatedAccount) LateInitialize(attrs []byte) (bool, error) { + params := &SecretImpersonatedAccountParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretImpersonatedAccount) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/gcp/v1alpha1/zz_secretimpersonatedaccount_types.go b/apis/gcp/v1alpha1/zz_secretimpersonatedaccount_types.go index 7cac3ba1..96188b37 100755 --- a/apis/gcp/v1alpha1/zz_secretimpersonatedaccount_types.go +++ b/apis/gcp/v1alpha1/zz_secretimpersonatedaccount_types.go @@ -17,8 +17,18 @@ type SecretImpersonatedAccountInitParameters struct { // Path where the GCP Secrets Engine is mounted // Path where the GCP secrets engine is mounted. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/gcp/v1alpha1.SecretBackend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a SecretBackend in gcp to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a SecretBackend in gcp to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Name of the Impersonated Account to create // Name of the Impersonated Account to create ImpersonatedAccount *string `json:"impersonatedAccount,omitempty" tf:"impersonated_account,omitempty"` 
@@ -32,6 +42,7 @@ type SecretImpersonatedAccountInitParameters struct { // List of OAuth scopes to assign to access tokens generated under this impersonated account. // List of OAuth scopes to assign to `access_token` secrets generated under this impersonated account (`access_token` impersonated accounts only) + // +listType=set TokenScopes []*string `json:"tokenScopes,omitempty" tf:"token_scopes,omitempty"` } @@ -60,6 +71,7 @@ type SecretImpersonatedAccountObservation struct { // List of OAuth scopes to assign to access tokens generated under this impersonated account. // List of OAuth scopes to assign to `access_token` secrets generated under this impersonated account (`access_token` impersonated accounts only) + // +listType=set TokenScopes []*string `json:"tokenScopes,omitempty" tf:"token_scopes,omitempty"` } @@ -67,9 +79,19 @@ type SecretImpersonatedAccountParameters struct { // Path where the GCP Secrets Engine is mounted // Path where the GCP secrets engine is mounted. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/gcp/v1alpha1.SecretBackend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a SecretBackend in gcp to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a SecretBackend in gcp to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Name of the Impersonated Account to create // Name of the Impersonated Account to create // +kubebuilder:validation:Optional 
@@ -87,6 +109,7 @@ type SecretImpersonatedAccountParameters struct { // List of OAuth scopes to assign to access tokens generated under this impersonated account. // List of OAuth scopes to assign to `access_token` secrets generated under this impersonated account (`access_token` impersonated accounts only) // +kubebuilder:validation:Optional + // +listType=set TokenScopes []*string `json:"tokenScopes,omitempty" tf:"token_scopes,omitempty"` } @@ -94,9 +117,8 @@ type SecretImpersonatedAccountParameters struct { type SecretImpersonatedAccountSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretImpersonatedAccountParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -115,20 +137,20 @@ type SecretImpersonatedAccountStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretImpersonatedAccount is the Schema for the SecretImpersonatedAccounts API. Creates a Impersonated Account for the GCP Secret Backend for Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretImpersonatedAccount struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.impersonatedAccount) || has(self.initProvider.impersonatedAccount)",message="impersonatedAccount is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.serviceAccountEmail) || has(self.initProvider.serviceAccountEmail)",message="serviceAccountEmail is a required parameter" + // 
+kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.impersonatedAccount) || (has(self.initProvider) && has(self.initProvider.impersonatedAccount))",message="spec.forProvider.impersonatedAccount is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.serviceAccountEmail) || (has(self.initProvider) && has(self.initProvider.serviceAccountEmail))",message="spec.forProvider.serviceAccountEmail is a required parameter" Spec SecretImpersonatedAccountSpec `json:"spec"` Status SecretImpersonatedAccountStatus `json:"status,omitempty"` } diff --git a/apis/gcp/v1alpha1/zz_secretroleset_terraformed.go b/apis/gcp/v1alpha1/zz_secretroleset_terraformed.go new file mode 100755 index 00000000..8f8e7f3c --- /dev/null +++ b/apis/gcp/v1alpha1/zz_secretroleset_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretRoleset +func (mg *SecretRoleset) GetTerraformResourceType() string { + return "vault_gcp_secret_roleset" +} + +// GetConnectionDetailsMapping for this SecretRoleset +func (tr *SecretRoleset) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this SecretRoleset +func (tr *SecretRoleset) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretRoleset +func (tr *SecretRoleset) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretRoleset +func (tr *SecretRoleset) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretRoleset +func (tr *SecretRoleset) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretRoleset +func (tr *SecretRoleset) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this SecretRoleset +func (tr *SecretRoleset) GetInitParameters() 
(map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretRoleset +func (tr *SecretRoleset) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretRoleset using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *SecretRoleset) LateInitialize(attrs []byte) (bool, error) { + params := &SecretRolesetParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretRoleset) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/gcp/v1alpha1/zz_secretroleset_types.go b/apis/gcp/v1alpha1/zz_secretroleset_types.go index 531a8a91..426be0e3 100755 --- a/apis/gcp/v1alpha1/zz_secretroleset_types.go +++ b/apis/gcp/v1alpha1/zz_secretroleset_types.go @@ -21,6 +21,7 @@ type BindingInitParameters struct { // List of GCP IAM roles for the resource. // List of roles to apply to the resource + // +listType=set Roles []*string `json:"roles,omitempty" tf:"roles,omitempty"` } @@ -32,6 +33,7 @@ type BindingObservation struct { // List of GCP IAM roles for the resource. // List of roles to apply to the resource + // +listType=set Roles []*string `json:"roles,omitempty" tf:"roles,omitempty"` } 
@@ -40,20 +42,31 @@ type BindingParameters struct { // Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats. // Resource name // +kubebuilder:validation:Optional - Resource *string `json:"resource,omitempty" tf:"resource,omitempty"` + Resource *string `json:"resource" tf:"resource,omitempty"` // List of GCP IAM roles for the resource. // List of roles to apply to the resource // +kubebuilder:validation:Optional - Roles []*string `json:"roles,omitempty" tf:"roles,omitempty"` + // +listType=set + Roles []*string `json:"roles" tf:"roles,omitempty"` } type SecretRolesetInitParameters struct { // Path where the GCP Secrets Engine is mounted // Path where the GCP secrets engine is mounted. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/gcp/v1alpha1.SecretBackend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a SecretBackend in gcp to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a SecretBackend in gcp to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below. Binding []BindingInitParameters `json:"binding,omitempty" tf:"binding,omitempty"` 
@@ -78,6 +91,7 @@ type SecretRolesetInitParameters struct { // List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only). // List of OAuth scopes to assign to `access_token` secrets generated under this role set (`access_token` role sets only) + // +listType=set TokenScopes []*string `json:"tokenScopes,omitempty" tf:"token_scopes,omitempty"` } @@ -117,6 +131,7 @@ type SecretRolesetObservation struct { // List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only). // List of OAuth scopes to assign to `access_token` secrets generated under this role set (`access_token` role sets only) + // +listType=set TokenScopes []*string `json:"tokenScopes,omitempty" tf:"token_scopes,omitempty"` } @@ -124,9 +139,19 @@ type SecretRolesetParameters struct { // Path where the GCP Secrets Engine is mounted // Path where the GCP secrets engine is mounted. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/gcp/v1alpha1.SecretBackend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a SecretBackend in gcp to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a SecretBackend in gcp to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below. // +kubebuilder:validation:Optional Binding []BindingParameters `json:"binding,omitempty" tf:"binding,omitempty"` 
@@ -157,6 +182,7 @@ type SecretRolesetParameters struct { // List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only). // List of OAuth scopes to assign to `access_token` secrets generated under this role set (`access_token` role sets only) // +kubebuilder:validation:Optional + // +listType=set TokenScopes []*string `json:"tokenScopes,omitempty" tf:"token_scopes,omitempty"` } @@ -164,9 +190,8 @@ type SecretRolesetParameters struct { type SecretRolesetSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretRolesetParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -185,21 +210,21 @@ type SecretRolesetStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretRoleset is the Schema for the SecretRolesets API. Creates a Roleset for the GCP Secret Backend for Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretRoleset struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.binding) || has(self.initProvider.binding)",message="binding is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.project) || has(self.initProvider.project)",message="project is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in 
self.managementPolicies) || has(self.forProvider.roleset) || has(self.initProvider.roleset)",message="roleset is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.binding) || (has(self.initProvider) && has(self.initProvider.binding))",message="spec.forProvider.binding is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.project) || (has(self.initProvider) && has(self.initProvider.project))",message="spec.forProvider.project is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.roleset) || (has(self.initProvider) && has(self.initProvider.roleset))",message="spec.forProvider.roleset is a required parameter" Spec SecretRolesetSpec `json:"spec"` Status SecretRolesetStatus `json:"status,omitempty"` } diff --git a/apis/gcp/v1alpha1/zz_secretstaticaccount_terraformed.go b/apis/gcp/v1alpha1/zz_secretstaticaccount_terraformed.go new file mode 100755 index 00000000..b8635a89 --- /dev/null +++ b/apis/gcp/v1alpha1/zz_secretstaticaccount_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretStaticAccount +func (mg *SecretStaticAccount) GetTerraformResourceType() string { + return "vault_gcp_secret_static_account" +} + +// GetConnectionDetailsMapping for this SecretStaticAccount +func (tr *SecretStaticAccount) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this SecretStaticAccount +func (tr *SecretStaticAccount) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretStaticAccount +func (tr *SecretStaticAccount) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretStaticAccount +func (tr *SecretStaticAccount) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretStaticAccount +func (tr *SecretStaticAccount) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretStaticAccount +func (tr *SecretStaticAccount) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// 
GetInitParameters of this SecretStaticAccount +func (tr *SecretStaticAccount) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretStaticAccount +func (tr *SecretStaticAccount) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretStaticAccount using its observed tfState. +// returns True if there are any spec changes for the resource. 
+func (tr *SecretStaticAccount) LateInitialize(attrs []byte) (bool, error) { + params := &SecretStaticAccountParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretStaticAccount) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/gcp/v1alpha1/zz_secretstaticaccount_types.go b/apis/gcp/v1alpha1/zz_secretstaticaccount_types.go index 132d2837..5d2092d0 100755 --- a/apis/gcp/v1alpha1/zz_secretstaticaccount_types.go +++ b/apis/gcp/v1alpha1/zz_secretstaticaccount_types.go @@ -21,6 +21,7 @@ type SecretStaticAccountBindingInitParameters struct { // List of GCP IAM roles for the resource. // List of roles to apply to the resource + // +listType=set Roles []*string `json:"roles,omitempty" tf:"roles,omitempty"` } @@ -32,6 +33,7 @@ type SecretStaticAccountBindingObservation struct { // List of GCP IAM roles for the resource. // List of roles to apply to the resource + // +listType=set Roles []*string `json:"roles,omitempty" tf:"roles,omitempty"` } 
@@ -40,20 +42,31 @@ type SecretStaticAccountBindingParameters struct { // Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats. // Resource name // +kubebuilder:validation:Optional - Resource *string `json:"resource,omitempty" tf:"resource,omitempty"` + Resource *string `json:"resource" tf:"resource,omitempty"` // List of GCP IAM roles for the resource. // List of roles to apply to the resource // +kubebuilder:validation:Optional - Roles []*string `json:"roles,omitempty" tf:"roles,omitempty"` + // +listType=set + Roles []*string `json:"roles" tf:"roles,omitempty"` } type SecretStaticAccountInitParameters struct { // Path where the GCP Secrets Engine is mounted // Path where the GCP secrets engine is mounted. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/gcp/v1alpha1.SecretBackend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a SecretBackend in gcp to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a SecretBackend in gcp to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Bindings to create for this static account. This can be specified multiple times for multiple bindings. Structure is documented below. Binding []SecretStaticAccountBindingInitParameters `json:"binding,omitempty" tf:"binding,omitempty"` 
@@ -78,6 +91,7 @@ type SecretStaticAccountInitParameters struct { // List of OAuth scopes to assign to access_token secrets generated under this static account (access_token static accounts only). // List of OAuth scopes to assign to `access_token` secrets generated under this static account (`access_token` static accounts only) + // +listType=set TokenScopes []*string `json:"tokenScopes,omitempty" tf:"token_scopes,omitempty"` } @@ -117,6 +131,7 @@ type SecretStaticAccountObservation struct { // List of OAuth scopes to assign to access_token secrets generated under this static account (access_token static accounts only). // List of OAuth scopes to assign to `access_token` secrets generated under this static account (`access_token` static accounts only) + // +listType=set TokenScopes []*string `json:"tokenScopes,omitempty" tf:"token_scopes,omitempty"` } @@ -124,9 +139,19 @@ type SecretStaticAccountParameters struct { // Path where the GCP Secrets Engine is mounted // Path where the GCP secrets engine is mounted. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/gcp/v1alpha1.SecretBackend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a SecretBackend in gcp to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a SecretBackend in gcp to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Bindings to create for this static account. This can be specified multiple times for multiple bindings. Structure is documented below. // +kubebuilder:validation:Optional Binding []SecretStaticAccountBindingParameters `json:"binding,omitempty" tf:"binding,omitempty"` 
@@ -157,6 +182,7 @@ type SecretStaticAccountParameters struct { // List of OAuth scopes to assign to access_token secrets generated under this static account (access_token static accounts only). // List of OAuth scopes to assign to `access_token` secrets generated under this static account (`access_token` static accounts only) // +kubebuilder:validation:Optional + // +listType=set TokenScopes []*string `json:"tokenScopes,omitempty" tf:"token_scopes,omitempty"` } @@ -164,9 +190,8 @@ type SecretStaticAccountParameters struct { type SecretStaticAccountSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretStaticAccountParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -185,20 +210,20 @@ type SecretStaticAccountStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretStaticAccount is the Schema for the SecretStaticAccounts API. Creates a Static Account for the GCP Secret Backend for Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretStaticAccount struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.serviceAccountEmail) || has(self.initProvider.serviceAccountEmail)",message="serviceAccountEmail is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.staticAccount) || has(self.initProvider.staticAccount)",message="staticAccount is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in 
self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.serviceAccountEmail) || (has(self.initProvider) && has(self.initProvider.serviceAccountEmail))",message="spec.forProvider.serviceAccountEmail is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.staticAccount) || (has(self.initProvider) && has(self.initProvider.staticAccount))",message="spec.forProvider.staticAccount is a required parameter" Spec SecretStaticAccountSpec `json:"spec"` Status SecretStaticAccountStatus `json:"status,omitempty"` }
diff --git a/apis/generate.go b/apis/generate.go
index 00d88e4b..2bccad02 100644
--- a/apis/generate.go
+++ b/apis/generate.go
@@ -21,7 +21,7 @@ Copyright 2021 Upbound Inc.
 //go:generate bash -c "find ../cmd/provider -type d -maxdepth 1 -mindepth 1 -empty -delete"
 // Generate documentation from Terraform docs.
-//go:generate go run github.com/upbound/upjet/cmd/scraper -n ${TERRAFORM_PROVIDER_SOURCE} -r ../.work/${TERRAFORM_PROVIDER_SOURCE}/${TERRAFORM_DOCS_PATH} -o ../config/provider-metadata.yaml
+//go:generate go run github.com/crossplane/upjet/cmd/scraper -n ${TERRAFORM_PROVIDER_SOURCE} -r ../.work/${TERRAFORM_PROVIDER_SOURCE}/${TERRAFORM_DOCS_PATH} -o ../config/provider-metadata.yaml
 // Run Upjet generator
 //go:generate go run ../cmd/generator/main.go ..
@@ -39,5 +39,5 @@ import (
 _ "github.com/crossplane/crossplane-tools/cmd/angryjet" //nolint:typecheck
- _ "github.com/upbound/upjet/cmd/scraper"
+ _ "github.com/crossplane/upjet/cmd/scraper"
 )
diff --git a/apis/generic/v1alpha1/zz_endpoint_terraformed.go b/apis/generic/v1alpha1/zz_endpoint_terraformed.go new file mode 100755 index 00000000..36f31ddd --- /dev/null +++ b/apis/generic/v1alpha1/zz_endpoint_terraformed.go
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this Endpoint +func (mg *Endpoint) GetTerraformResourceType() string { + return "vault_generic_endpoint" +} + +// GetConnectionDetailsMapping for this Endpoint +func (tr *Endpoint) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"data_json": "dataJsonSecretRef"} +} + +// GetObservation of this Endpoint +func (tr *Endpoint) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this Endpoint +func (tr *Endpoint) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this Endpoint +func (tr *Endpoint) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this Endpoint +func (tr *Endpoint) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this Endpoint +func (tr *Endpoint) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this Endpoint +func (tr *Endpoint) GetInitParameters() (map[string]any, error) { + p, err := 
json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this Endpoint +func (tr *Endpoint) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this Endpoint using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *Endpoint) LateInitialize(attrs []byte) (bool, error) { + params := &EndpointParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *Endpoint) GetTerraformSchemaVersion() int { + return 1 +} diff --git a/apis/generic/v1alpha1/zz_endpoint_types.go b/apis/generic/v1alpha1/zz_endpoint_types.go index 748f64b3..45993b12 100755 --- a/apis/generic/v1alpha1/zz_endpoint_types.go +++ b/apis/generic/v1alpha1/zz_endpoint_types.go @@ -15,6 +15,11 @@ import ( type EndpointInitParameters struct { + // String containing a JSON-encoded object that will be + // written to the given path as the secret data. + // JSON-encoded data to write. + DataJSONSecretRef v1.SecretKeySelector `json:"dataJsonSecretRef" tf:"-"` + // True/false. Set this to true if your // vault authentication is not able to delete the data or if the endpoint // does not support the DELETE method. Defaults to false. @@ -112,6 +117,7 @@ type EndpointObservation struct { // any non-string values returned from Vault are serialized as JSON. // Only fields set in write_fields are present in the JSON data. // Map of strings returned by write operation + // +mapType=granular WriteData map[string]*string `json:"writeData,omitempty" tf:"write_data,omitempty"` // The JSON data returned by the write operation. @@ -197,9 +203,8 @@ type EndpointParameters struct { type EndpointSpec struct { v1.ResourceSpec `json:",inline"` ForProvider EndpointParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -218,19 +223,20 @@ type EndpointStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // Endpoint is the Schema for the Endpoints API. Writes arbitrary data to a given path in Vault -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type Endpoint struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.dataJsonSecretRef)",message="dataJsonSecretRef is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || has(self.initProvider.path)",message="path is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.dataJsonSecretRef)",message="spec.forProvider.dataJsonSecretRef is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || 
(has(self.initProvider) && has(self.initProvider.path))",message="spec.forProvider.path is a required parameter" Spec EndpointSpec `json:"spec"` Status EndpointStatus `json:"status,omitempty"` } diff --git a/apis/generic/v1alpha1/zz_generated.conversion_hubs.go b/apis/generic/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..1215d166 --- /dev/null +++ b/apis/generic/v1alpha1/zz_generated.conversion_hubs.go @@ -0,0 +1,13 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *Endpoint) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *Secret) Hub() {} diff --git a/apis/generic/v1alpha1/zz_generated.deepcopy.go b/apis/generic/v1alpha1/zz_generated.deepcopy.go index 4121291d..e79bf41c 100644 --- a/apis/generic/v1alpha1/zz_generated.deepcopy.go +++ b/apis/generic/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. @@ -43,6 +42,7 @@ func (in *Endpoint) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *EndpointInitParameters) DeepCopyInto(out *EndpointInitParameters) { *out = *in + out.DataJSONSecretRef = in.DataJSONSecretRef if in.DisableDelete != nil { in, out := &in.DisableDelete, &out.DisableDelete *out = new(bool) @@ -164,7 +164,8 @@ func (in *EndpointObservation) DeepCopyInto(out *EndpointObservation) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } 
@@ -316,6 +317,7 @@ func (in *Secret) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretInitParameters) DeepCopyInto(out *SecretInitParameters) { *out = *in + out.DataJSONSecretRef = in.DataJSONSecretRef if in.DeleteAllVersions != nil { in, out := &in.DeleteAllVersions, &out.DeleteAllVersions *out = new(bool) diff --git a/apis/generic/v1alpha1/zz_generated.managed.go b/apis/generic/v1alpha1/zz_generated.managed.go index 8a98897d..a3a2873c 100644 --- a/apis/generic/v1alpha1/zz_generated.managed.go +++ b/apis/generic/v1alpha1/zz_generated.managed.go @@ -27,14 +27,6 @@ func (mg *Endpoint) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this Endpoint. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *Endpoint) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this Endpoint. func (mg *Endpoint) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -65,14 +57,6 @@ func (mg *Endpoint) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this Endpoint. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *Endpoint) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this Endpoint. func (mg *Endpoint) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r 
@@ -103,14 +87,6 @@ func (mg *Secret) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this Secret. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *Secret) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this Secret. func (mg *Secret) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -141,14 +117,6 @@ func (mg *Secret) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this Secret. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *Secret) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this Secret. func (mg *Secret) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/generic/v1alpha1/zz_generated_terraformed.go b/apis/generic/v1alpha1/zz_secret_terraformed.go similarity index 50% rename from apis/generic/v1alpha1/zz_generated_terraformed.go rename to apis/generic/v1alpha1/zz_secret_terraformed.go index 6cad01ac..f0660bd7 100755 --- a/apis/generic/v1alpha1/zz_generated_terraformed.go +++ b/apis/generic/v1alpha1/zz_secret_terraformed.go 
@@ -7,96 +7,13 @@ Copyright 2022 Upbound Inc. package v1alpha1 import ( + "dario.cat/mergo" "github.com/pkg/errors" - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" ) -// GetTerraformResourceType returns Terraform resource type for this Endpoint -func (mg *Endpoint) GetTerraformResourceType() string { - return "vault_generic_endpoint" -} - -// GetConnectionDetailsMapping for this Endpoint -func (tr *Endpoint) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"data_json": "spec.forProvider.dataJsonSecretRef"} -} - -// GetObservation of this Endpoint -func (tr *Endpoint) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this Endpoint -func (tr *Endpoint) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this Endpoint -func (tr *Endpoint) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this Endpoint -func (tr *Endpoint) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this Endpoint -func (tr *Endpoint) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this Endpoint -func (tr *Endpoint) GetInitParameters() 
(map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this Endpoint using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *Endpoint) LateInitialize(attrs []byte) (bool, error) { - params := &EndpointParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *Endpoint) GetTerraformSchemaVersion() int { - return 1 -} - // GetTerraformResourceType returns Terraform resource type for this Secret func (mg *Secret) GetTerraformResourceType() string { return "vault_generic_secret" @@ -104,7 +21,7 @@ func (mg *Secret) GetTerraformResourceType() string { // GetConnectionDetailsMapping for this Secret func (tr *Secret) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"data": "status.atProvider.data", "data_json": "spec.forProvider.dataJsonSecretRef"} + return map[string]string{"data": "status.atProvider.data", "data_json": "dataJsonSecretRef"} } // GetObservation of this Secret 
@@ -163,6 +80,36 @@ func (tr *Secret) GetInitParameters() (map[string]any, error) { return base, json.TFParser.Unmarshal(p, &base) } +// GetInitParameters of this Secret +func (tr *Secret) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + // LateInitialize this Secret using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *Secret) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/generic/v1alpha1/zz_secret_types.go b/apis/generic/v1alpha1/zz_secret_types.go index 70ca47b6..e238fc51 100755 --- a/apis/generic/v1alpha1/zz_secret_types.go +++ b/apis/generic/v1alpha1/zz_secret_types.go 
@@ -15,6 +15,11 @@ import ( type SecretInitParameters struct { + // String containing a JSON-encoded object that will be + // written as the secret data at the given path. + // JSON-encoded secret data to write. + DataJSONSecretRef v1.SecretKeySelector `json:"dataJsonSecretRef" tf:"-"` + // true/false. Only applicable for kv-v2 stores. // If set to true, permanently deletes all versions for // the specified key. The default behavior is to only delete the latest version of the @@ -122,9 +127,8 @@ type SecretParameters struct { type SecretSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -143,19 +147,20 @@ type SecretStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // Secret is the Schema for the Secrets API. Writes arbitrary data to a given path in Vault -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type Secret struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.dataJsonSecretRef)",message="dataJsonSecretRef is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || has(self.initProvider.path)",message="path is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.dataJsonSecretRef)",message="spec.forProvider.dataJsonSecretRef is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || 
(has(self.initProvider) && has(self.initProvider.path))",message="spec.forProvider.path is a required parameter" Spec SecretSpec `json:"spec"` Status SecretStatus `json:"status,omitempty"` } diff --git a/apis/github/v1alpha1/zz_authbackend_terraformed.go b/apis/github/v1alpha1/zz_authbackend_terraformed.go new file mode 100755 index 00000000..f331fc42 --- /dev/null +++ b/apis/github/v1alpha1/zz_authbackend_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this AuthBackend +func (mg *AuthBackend) GetTerraformResourceType() string { + return "vault_github_auth_backend" +} + +// GetConnectionDetailsMapping for this AuthBackend +func (tr *AuthBackend) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this AuthBackend +func (tr *AuthBackend) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this AuthBackend +func (tr *AuthBackend) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this AuthBackend +func (tr *AuthBackend) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this AuthBackend +func (tr *AuthBackend) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this AuthBackend +func (tr *AuthBackend) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this AuthBackend +func (tr *AuthBackend) GetInitParameters() (map[string]any, error) { + p, err := 
json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this AuthBackend +func (tr *AuthBackend) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this AuthBackend using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *AuthBackend) LateInitialize(attrs []byte) (bool, error) { + params := &AuthBackendParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *AuthBackend) GetTerraformSchemaVersion() int { + return 1 +} diff --git a/apis/github/v1alpha1/zz_authbackend_types.go b/apis/github/v1alpha1/zz_authbackend_types.go index 223c3849..1e400814 100755 --- a/apis/github/v1alpha1/zz_authbackend_types.go +++ b/apis/github/v1alpha1/zz_authbackend_types.go @@ -55,6 +55,7 @@ type AuthBackendInitParameters struct { // addresses which can authenticate successfully, and ties the resulting token to these blocks // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // If set, will encode an @@ -89,6 +90,7 @@ type AuthBackendInitParameters struct { // List of policies to encode onto generated tokens. Depending // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The incremental lifetime for generated tokens in number of seconds. @@ -156,6 +158,7 @@ type AuthBackendObservation struct { // addresses which can authenticate successfully, and ties the resulting token to these blocks // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // If set, will encode an 
@@ -190,6 +193,7 @@ type AuthBackendObservation struct { // List of policies to encode onto generated tokens. Depending // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The incremental lifetime for generated tokens in number of seconds. @@ -259,6 +263,7 @@ type AuthBackendParameters struct { // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token // +kubebuilder:validation:Optional + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // If set, will encode an @@ -299,6 +304,7 @@ type AuthBackendParameters struct { // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies // +kubebuilder:validation:Optional + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The incremental lifetime for generated tokens in number of seconds. @@ -444,9 +450,8 @@ type TuneParameters struct { type AuthBackendSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -465,18 +470,19 @@ type AuthBackendStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // AuthBackend is the Schema for the AuthBackends API. Manages GitHub Auth mounts in Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type AuthBackend struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.organization) || has(self.initProvider.organization)",message="organization is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.organization) || (has(self.initProvider) && has(self.initProvider.organization))",message="spec.forProvider.organization is a required parameter" Spec AuthBackendSpec `json:"spec"` Status AuthBackendStatus `json:"status,omitempty"` } diff --git a/apis/github/v1alpha1/zz_generated.conversion_hubs.go b/apis/github/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..c94f25d9 --- /dev/null +++ b/apis/github/v1alpha1/zz_generated.conversion_hubs.go 
@@ -0,0 +1,16 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *AuthBackend) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *Team) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *User) Hub() {} diff --git a/apis/github/v1alpha1/zz_generated.deepcopy.go b/apis/github/v1alpha1/zz_generated.deepcopy.go index 49d66b3b..5d9972ba 100644 --- a/apis/github/v1alpha1/zz_generated.deepcopy.go +++ b/apis/github/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. @@ -10,6 +9,7 @@ Copyright 2022 Upbound Inc. package v1alpha1 import ( + "github.com/crossplane/crossplane-runtime/apis/common/v1" runtime "k8s.io/apimachinery/pkg/runtime" ) @@ -494,6 +494,16 @@ func (in *TeamInitParameters) DeepCopyInto(out *TeamInitParameters) { *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) @@ -613,6 +623,16 @@ func (in *TeamParameters) DeepCopyInto(out *TeamParameters) { *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) 
@@ -953,6 +973,16 @@ func (in *UserInitParameters) DeepCopyInto(out *UserInitParameters) { *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) @@ -1072,6 +1102,16 @@ func (in *UserParameters) DeepCopyInto(out *UserParameters) { *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) diff --git a/apis/github/v1alpha1/zz_generated.managed.go b/apis/github/v1alpha1/zz_generated.managed.go index 611d2586..88f24c58 100644 --- a/apis/github/v1alpha1/zz_generated.managed.go +++ b/apis/github/v1alpha1/zz_generated.managed.go @@ -27,14 +27,6 @@ func (mg *AuthBackend) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this AuthBackend. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *AuthBackend) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this AuthBackend. func (mg *AuthBackend) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -65,14 +57,6 @@ func (mg *AuthBackend) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this AuthBackend. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *AuthBackend) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this AuthBackend. func (mg *AuthBackend) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -103,14 +87,6 @@ func (mg *Team) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this Team. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *Team) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this Team. func (mg *Team) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -141,14 +117,6 @@ func (mg *Team) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this Team. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *Team) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this Team. func (mg *Team) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -179,14 +147,6 @@ func (mg *User) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this User. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *User) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this User. func (mg *User) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -217,14 +177,6 @@ func (mg *User) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this User. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *User) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this User. func (mg *User) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/github/v1alpha1/zz_generated.resolvers.go b/apis/github/v1alpha1/zz_generated.resolvers.go new file mode 100644 index 00000000..e383b6e9 --- /dev/null +++ b/apis/github/v1alpha1/zz_generated.resolvers.go 
@@ -0,0 +1,98 @@ +/* +Copyright 2022 Upbound Inc. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + reference "github.com/crossplane/crossplane-runtime/pkg/reference" + resource "github.com/crossplane/upjet/pkg/resource" + errors "github.com/pkg/errors" + client "sigs.k8s.io/controller-runtime/pkg/client" +) + +// ResolveReferences of this Team. +func (mg *Team) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractResourceID(), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &AuthBackendList{}, + Managed: &AuthBackend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractResourceID(), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &AuthBackendList{}, + Managed: &AuthBackend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this User. 
+func (mg *User) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractResourceID(), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &AuthBackendList{}, + Managed: &AuthBackend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractResourceID(), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &AuthBackendList{}, + Managed: &AuthBackend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} diff --git a/apis/github/v1alpha1/zz_generated_terraformed.go b/apis/github/v1alpha1/zz_generated_terraformed.go deleted file mode 100755 index 18db98b6..00000000 --- a/apis/github/v1alpha1/zz_generated_terraformed.go +++ /dev/null 
@@ -1,266 +0,0 @@ -/* -Copyright 2022 Upbound Inc. -*/ - -// Code generated by upjet. DO NOT EDIT. - -package v1alpha1 - -import ( - "github.com/pkg/errors" - - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" -) - -// GetTerraformResourceType returns Terraform resource type for this AuthBackend -func (mg *AuthBackend) GetTerraformResourceType() string { - return "vault_github_auth_backend" -} - -// GetConnectionDetailsMapping for this AuthBackend -func (tr *AuthBackend) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this AuthBackend -func (tr *AuthBackend) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this AuthBackend -func (tr *AuthBackend) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this AuthBackend -func (tr *AuthBackend) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this AuthBackend -func (tr *AuthBackend) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this AuthBackend -func (tr *AuthBackend) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this AuthBackend -func (tr *AuthBackend) GetInitParameters() (map[string]any, error) { - p, err := 
json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this AuthBackend using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *AuthBackend) LateInitialize(attrs []byte) (bool, error) { - params := &AuthBackendParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *AuthBackend) GetTerraformSchemaVersion() int { - return 1 -} - -// GetTerraformResourceType returns Terraform resource type for this Team -func (mg *Team) GetTerraformResourceType() string { - return "vault_github_team" -} - -// GetConnectionDetailsMapping for this Team -func (tr *Team) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this Team -func (tr *Team) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this Team -func (tr *Team) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this Team -func (tr *Team) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this Team -func (tr *Team) 
GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this Team -func (tr *Team) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this Team -func (tr *Team) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this Team using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *Team) LateInitialize(attrs []byte) (bool, error) { - params := &TeamParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *Team) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this User -func (mg *User) GetTerraformResourceType() string { - return "vault_github_user" -} - -// GetConnectionDetailsMapping for this User -func (tr *User) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this User -func (tr *User) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this User -func (tr *User) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this User -func (tr *User) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this User -func (tr *User) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this User -func (tr *User) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this User -func (tr *User) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this User 
using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *User) LateInitialize(attrs []byte) (bool, error) { - params := &UserParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *User) GetTerraformSchemaVersion() int { - return 0 -} diff --git a/apis/github/v1alpha1/zz_team_terraformed.go b/apis/github/v1alpha1/zz_team_terraformed.go new file mode 100755 index 00000000..14c5c833 --- /dev/null +++ b/apis/github/v1alpha1/zz_team_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this Team +func (mg *Team) GetTerraformResourceType() string { + return "vault_github_team" +} + +// GetConnectionDetailsMapping for this Team +func (tr *Team) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this Team +func (tr *Team) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this Team +func (tr *Team) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this Team +func (tr *Team) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this Team +func (tr *Team) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this Team +func (tr *Team) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this Team +func (tr *Team) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return 
base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this Team +func (tr *Team) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this Team using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *Team) LateInitialize(attrs []byte) (bool, error) { + params := &TeamParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *Team) GetTerraformSchemaVersion() int { + return 0 +} 
diff --git a/apis/github/v1alpha1/zz_team_types.go b/apis/github/v1alpha1/zz_team_types.go index 0de79941..6f8cb2f4 100755 --- a/apis/github/v1alpha1/zz_team_types.go +++ b/apis/github/v1alpha1/zz_team_types.go @@ -18,8 +18,18 @@ type TeamInitParameters struct { // Path where the github auth backend is mounted. Defaults to github // if not specified. // Auth backend to which team mapping will be configured. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/github/v1alpha1.AuthBackend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractResourceID() Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a AuthBackend in github to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a AuthBackend in github to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. 
@@ -66,9 +76,19 @@ type TeamParameters struct { // Path where the github auth backend is mounted. Defaults to github // if not specified. // Auth backend to which team mapping will be configured. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/github/v1alpha1.AuthBackend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractResourceID() // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a AuthBackend in github to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a AuthBackend in github to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. @@ -92,9 +112,8 @@ type TeamParameters struct { type TeamSpec struct { v1.ResourceSpec `json:",inline"` ForProvider TeamParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -113,18 +132,19 @@ type TeamStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // Team is the Schema for the Teams API. Manages Team mappings for Github Auth backend mounts in Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type Team struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.team) || has(self.initProvider.team)",message="team is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.team) || (has(self.initProvider) && has(self.initProvider.team))",message="spec.forProvider.team is a required parameter" Spec TeamSpec `json:"spec"` Status TeamStatus `json:"status,omitempty"` } diff --git a/apis/github/v1alpha1/zz_user_terraformed.go b/apis/github/v1alpha1/zz_user_terraformed.go new file mode 100755 index 00000000..ff85d693 --- /dev/null +++ b/apis/github/v1alpha1/zz_user_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this User +func (mg *User) GetTerraformResourceType() string { + return "vault_github_user" +} + +// GetConnectionDetailsMapping for this User +func (tr *User) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this User +func (tr *User) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this User +func (tr *User) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this User +func (tr *User) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this User +func (tr *User) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this User +func (tr *User) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this User +func (tr *User) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return 
base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this User +func (tr *User) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this User using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *User) LateInitialize(attrs []byte) (bool, error) { + params := &UserParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *User) GetTerraformSchemaVersion() int { + return 0 +} 
diff --git a/apis/github/v1alpha1/zz_user_types.go b/apis/github/v1alpha1/zz_user_types.go index bd9a58ba..188ab6ec 100755 --- a/apis/github/v1alpha1/zz_user_types.go +++ b/apis/github/v1alpha1/zz_user_types.go @@ -18,8 +18,18 @@ type UserInitParameters struct { // Path where the github auth backend is mounted. Defaults to github // if not specified. // Auth backend to which user mapping will be congigured. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/github/v1alpha1.AuthBackend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractResourceID() Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a AuthBackend in github to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a AuthBackend in github to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. 
@@ -68,9 +78,19 @@ type UserParameters struct { // Path where the github auth backend is mounted. Defaults to github // if not specified. // Auth backend to which user mapping will be congigured. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/github/v1alpha1.AuthBackend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractResourceID() // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a AuthBackend in github to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a AuthBackend in github to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. @@ -95,9 +115,8 @@ type UserParameters struct { type UserSpec struct { v1.ResourceSpec `json:",inline"` ForProvider UserParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -116,18 +135,19 @@ type UserStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // User is the Schema for the Users API. Manages User mappings for Github Auth backend mounts in Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type User struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.user) || has(self.initProvider.user)",message="user is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.user) || (has(self.initProvider) && has(self.initProvider.user))",message="spec.forProvider.user is a required parameter" Spec UserSpec `json:"spec"` Status UserStatus `json:"status,omitempty"` } diff --git a/apis/identity/v1alpha1/zz_entity_terraformed.go b/apis/identity/v1alpha1/zz_entity_terraformed.go new file mode 100755 index 00000000..7b43c81c --- /dev/null +++ b/apis/identity/v1alpha1/zz_entity_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this Entity +func (mg *Entity) GetTerraformResourceType() string { + return "vault_identity_entity" +} + +// GetConnectionDetailsMapping for this Entity +func (tr *Entity) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this Entity +func (tr *Entity) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this Entity +func (tr *Entity) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this Entity +func (tr *Entity) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this Entity +func (tr *Entity) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this Entity +func (tr *Entity) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this Entity +func (tr *Entity) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + 
base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this Entity +func (tr *Entity) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this Entity using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *Entity) LateInitialize(attrs []byte) (bool, error) { + params := &EntityParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *Entity) GetTerraformSchemaVersion() int { + return 0 +} 
diff --git a/apis/identity/v1alpha1/zz_entity_types.go b/apis/identity/v1alpha1/zz_entity_types.go index 4b05d2a9..a87387a3 100755 --- a/apis/identity/v1alpha1/zz_entity_types.go +++ b/apis/identity/v1alpha1/zz_entity_types.go @@ -25,6 +25,7 @@ type EntityInitParameters struct { // A Map of additional metadata to associate with the user. // Metadata to be associated with the entity. + // +mapType=granular Metadata map[string]*string `json:"metadata,omitempty" tf:"metadata,omitempty"` // Name of the identity entity to create. @@ -40,6 +41,7 @@ type EntityInitParameters struct { // A list of policies to apply to the entity. // Policies to be tied to the entity. + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` } @@ -58,6 +60,7 @@ type EntityObservation struct { // A Map of additional metadata to associate with the user. // Metadata to be associated with the entity. + // +mapType=granular Metadata map[string]*string `json:"metadata,omitempty" tf:"metadata,omitempty"` // Name of the identity entity to create. @@ -73,6 +76,7 @@ type EntityObservation struct { // A list of policies to apply to the entity. // Policies to be tied to the entity. + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` } @@ -91,6 +95,7 @@ type EntityParameters struct { // A Map of additional metadata to associate with the user. // Metadata to be associated with the entity. // +kubebuilder:validation:Optional + // +mapType=granular Metadata map[string]*string `json:"metadata,omitempty" tf:"metadata,omitempty"` // Name of the identity entity to create. @@ -109,6 +114,7 @@ type EntityParameters struct { // A list of policies to apply to the entity. // Policies to be tied to the entity. // +kubebuilder:validation:Optional + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` } 
@@ -116,9 +122,8 @@ type EntityParameters struct { type EntitySpec struct { v1.ResourceSpec `json:",inline"` ForProvider EntityParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. @@ -137,13 +142,14 @@ type EntityStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // Entity is the Schema for the Entitys API. Creates an Identity Entity for Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type Entity struct { metav1.TypeMeta `json:",inline"` diff --git a/apis/identity/v1alpha1/zz_entityalias_terraformed.go b/apis/identity/v1alpha1/zz_entityalias_terraformed.go new file mode 100755 index 00000000..18684733 --- /dev/null +++ b/apis/identity/v1alpha1/zz_entityalias_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this EntityAlias +func (mg *EntityAlias) GetTerraformResourceType() string { + return "vault_identity_entity_alias" +} + +// GetConnectionDetailsMapping for this EntityAlias +func (tr *EntityAlias) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this EntityAlias +func (tr *EntityAlias) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this EntityAlias +func (tr *EntityAlias) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this EntityAlias +func (tr *EntityAlias) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this EntityAlias +func (tr *EntityAlias) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this EntityAlias +func (tr *EntityAlias) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this EntityAlias +func (tr *EntityAlias) GetInitParameters() (map[string]any, error) { + p, err := 
json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this EntityAlias +func (tr *EntityAlias) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this EntityAlias using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *EntityAlias) LateInitialize(attrs []byte) (bool, error) { + params := &EntityAliasParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *EntityAlias) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/identity/v1alpha1/zz_entityalias_types.go b/apis/identity/v1alpha1/zz_entityalias_types.go index e4f14a5d..01429a83 100755 --- a/apis/identity/v1alpha1/zz_entityalias_types.go +++ b/apis/identity/v1alpha1/zz_entityalias_types.go @@ -20,6 +20,7 @@ type EntityAliasInitParameters struct { CanonicalID *string `json:"canonicalId,omitempty" tf:"canonical_id,omitempty"` // Custom metadata to be associated with this alias. + // +mapType=granular CustomMetadata map[string]*string `json:"customMetadata,omitempty" tf:"custom_metadata,omitempty"` // Accessor of the mount to which the alias should belong to. @@ -45,6 +46,7 @@ type EntityAliasObservation struct { CanonicalID *string `json:"canonicalId,omitempty" tf:"canonical_id,omitempty"` // Custom metadata to be associated with this alias. + // +mapType=granular CustomMetadata map[string]*string `json:"customMetadata,omitempty" tf:"custom_metadata,omitempty"` // ID of the entity alias. @@ -75,6 +77,7 @@ type EntityAliasParameters struct { // Custom metadata to be associated with this alias. // +kubebuilder:validation:Optional + // +mapType=granular CustomMetadata map[string]*string `json:"customMetadata,omitempty" tf:"custom_metadata,omitempty"` // Accessor of the mount to which the alias should belong to. 
@@ -100,9 +103,8 @@ type EntityAliasParameters struct { type EntityAliasSpec struct { v1.ResourceSpec `json:",inline"` ForProvider EntityAliasParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -121,20 +123,21 @@ type EntityAliasStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // EntityAlias is the Schema for the EntityAliass API. Creates an Identity Entity Alias for Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type EntityAlias struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.canonicalId) || has(self.initProvider.canonicalId)",message="canonicalId is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.mountAccessor) || has(self.initProvider.mountAccessor)",message="mountAccessor is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in 
self.managementPolicies) || has(self.forProvider.canonicalId) || (has(self.initProvider) && has(self.initProvider.canonicalId))",message="spec.forProvider.canonicalId is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.mountAccessor) || (has(self.initProvider) && has(self.initProvider.mountAccessor))",message="spec.forProvider.mountAccessor is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" Spec EntityAliasSpec `json:"spec"` Status EntityAliasStatus `json:"status,omitempty"` } diff --git a/apis/identity/v1alpha1/zz_entitypolicies_terraformed.go b/apis/identity/v1alpha1/zz_entitypolicies_terraformed.go new file mode 100755 index 00000000..79ff9b82 --- /dev/null +++ b/apis/identity/v1alpha1/zz_entitypolicies_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this EntityPolicies +func (mg *EntityPolicies) GetTerraformResourceType() string { + return "vault_identity_entity_policies" +} + +// GetConnectionDetailsMapping for this EntityPolicies +func (tr *EntityPolicies) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this EntityPolicies +func (tr *EntityPolicies) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this EntityPolicies +func (tr *EntityPolicies) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this EntityPolicies +func (tr *EntityPolicies) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this EntityPolicies +func (tr *EntityPolicies) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this EntityPolicies +func (tr *EntityPolicies) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this EntityPolicies +func (tr *EntityPolicies) 
GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this EntityPolicies +func (tr *EntityPolicies) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this EntityPolicies using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *EntityPolicies) LateInitialize(attrs []byte) (bool, error) { + params := &EntityPoliciesParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *EntityPolicies) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/identity/v1alpha1/zz_entitypolicies_types.go b/apis/identity/v1alpha1/zz_entitypolicies_types.go index 2652d1f2..c1ec61e9 100755 --- a/apis/identity/v1alpha1/zz_entitypolicies_types.go +++ b/apis/identity/v1alpha1/zz_entitypolicies_types.go @@ -17,8 +17,18 @@ type EntityPoliciesInitParameters struct { // Entity ID to assign policies to. // ID of the entity. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/identity/v1alpha1.Entity + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractResourceID() EntityID *string `json:"entityId,omitempty" tf:"entity_id,omitempty"` + // Reference to a Entity in identity to populate entityId. + // +kubebuilder:validation:Optional + EntityIDRef *v1.Reference `json:"entityIdRef,omitempty" tf:"-"` + + // Selector for a Entity in identity to populate entityId. + // +kubebuilder:validation:Optional + EntityIDSelector *v1.Selector `json:"entityIdSelector,omitempty" tf:"-"` + // Defaults to true. // Should the resource manage policies exclusively Exclusive *bool `json:"exclusive,omitempty" tf:"exclusive,omitempty"` @@ -32,6 +42,7 @@ type EntityPoliciesInitParameters struct { // List of policies to assign to the entity // Policies to be tied to the entity. + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` } @@ -60,6 +71,7 @@ type EntityPoliciesObservation struct { // List of policies to assign to the entity // Policies to be tied to the entity. + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` } 
@@ -67,9 +79,19 @@ type EntityPoliciesParameters struct { // Entity ID to assign policies to. // ID of the entity. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/identity/v1alpha1.Entity + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractResourceID() // +kubebuilder:validation:Optional EntityID *string `json:"entityId,omitempty" tf:"entity_id,omitempty"` + // Reference to a Entity in identity to populate entityId. + // +kubebuilder:validation:Optional + EntityIDRef *v1.Reference `json:"entityIdRef,omitempty" tf:"-"` + + // Selector for a Entity in identity to populate entityId. + // +kubebuilder:validation:Optional + EntityIDSelector *v1.Selector `json:"entityIdSelector,omitempty" tf:"-"` + // Defaults to true. // Should the resource manage policies exclusively // +kubebuilder:validation:Optional @@ -86,6 +108,7 @@ type EntityPoliciesParameters struct { // List of policies to assign to the entity // Policies to be tied to the entity. // +kubebuilder:validation:Optional + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` } @@ -93,9 +116,8 @@ type EntityPoliciesParameters struct { type EntityPoliciesSpec struct { v1.ResourceSpec `json:",inline"` ForProvider EntityPoliciesParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -114,19 +136,19 @@ type EntityPoliciesStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // EntityPolicies is the Schema for the EntityPoliciess API. Manages policies for an Identity Entity for Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type EntityPolicies struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.entityId) || has(self.initProvider.entityId)",message="entityId is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.policies) || has(self.initProvider.policies)",message="policies is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.policies) || (has(self.initProvider) && has(self.initProvider.policies))",message="spec.forProvider.policies is a required parameter" Spec EntityPoliciesSpec `json:"spec"` Status EntityPoliciesStatus 
`json:"status,omitempty"` } diff --git a/apis/identity/v1alpha1/zz_generated.conversion_hubs.go b/apis/identity/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..fa940196 --- /dev/null +++ b/apis/identity/v1alpha1/zz_generated.conversion_hubs.go 
@@ -0,0 +1,70 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *Entity) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *EntityAlias) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *EntityPolicies) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *Group) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *GroupAlias) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *GroupMemberEntityIds) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *GroupMemberGroupIds) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *GroupPolicies) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *MfaDuo) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *MfaLoginEnforcement) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *MfaOkta) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *MfaPingid) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *MfaTotp) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *Oidc) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *OidcAssignment) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *OidcClient) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *OidcKey) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *OidcKeyAllowedClientID) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *OidcProvider) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *OidcRole) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *OidcScope) Hub() {} diff --git a/apis/identity/v1alpha1/zz_generated.deepcopy.go b/apis/identity/v1alpha1/zz_generated.deepcopy.go index 0c816799..269aae4a 100644 --- a/apis/identity/v1alpha1/zz_generated.deepcopy.go 
+++ b/apis/identity/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. @@ -10,6 +9,7 @@ Copyright 2022 Upbound Inc. package v1alpha1 import ( + "github.com/crossplane/crossplane-runtime/apis/common/v1" runtime "k8s.io/apimachinery/pkg/runtime" ) @@ -83,7 +83,8 @@ func (in *EntityAliasInitParameters) DeepCopyInto(out *EntityAliasInitParameters if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -165,7 +166,8 @@ func (in *EntityAliasObservation) DeepCopyInto(out *EntityAliasObservation) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -220,7 +222,8 @@ func (in *EntityAliasParameters) DeepCopyInto(out *EntityAliasParameters) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -310,7 +313,8 @@ func (in *EntityInitParameters) DeepCopyInto(out *EntityInitParameters) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -408,7 +412,8 @@ func (in *EntityObservation) DeepCopyInto(out *EntityObservation) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -469,7 +474,8 @@ func (in *EntityParameters) DeepCopyInto(out *EntityParameters) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } 
@@ -544,6 +550,16 @@ func (in *EntityPoliciesInitParameters) DeepCopyInto(out *EntityPoliciesInitPara *out = new(string) **out = **in } + if in.EntityIDRef != nil { + in, out := &in.EntityIDRef, &out.EntityIDRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.EntityIDSelector != nil { + in, out := &in.EntityIDSelector, &out.EntityIDSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Exclusive != nil { in, out := &in.Exclusive, &out.Exclusive *out = new(bool) @@ -668,6 +684,16 @@ func (in *EntityPoliciesParameters) DeepCopyInto(out *EntityPoliciesParameters) *out = new(string) **out = **in } + if in.EntityIDRef != nil { + in, out := &in.EntityIDRef, &out.EntityIDRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.EntityIDSelector != nil { + in, out := &in.EntityIDSelector, &out.EntityIDSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Exclusive != nil { in, out := &in.Exclusive, &out.Exclusive *out = new(bool) @@ -833,11 +859,31 @@ func (in *GroupAliasInitParameters) DeepCopyInto(out *GroupAliasInitParameters) *out = new(string) **out = **in } + if in.CanonicalIDRef != nil { + in, out := &in.CanonicalIDRef, &out.CanonicalIDRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.CanonicalIDSelector != nil { + in, out := &in.CanonicalIDSelector, &out.CanonicalIDSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.MountAccessor != nil { in, out := &in.MountAccessor, &out.MountAccessor *out = new(string) **out = **in } + if in.MountAccessorRef != nil { + in, out := &in.MountAccessorRef, &out.MountAccessorRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.MountAccessorSelector != nil { + in, out := &in.MountAccessorSelector, &out.MountAccessorSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Name != nil { in, out := &in.Name, &out.Name *out = new(string) 
@@ -940,11 +986,31 @@ func (in *GroupAliasParameters) DeepCopyInto(out *GroupAliasParameters) { *out = new(string) **out = **in } + if in.CanonicalIDRef != nil { + in, out := &in.CanonicalIDRef, &out.CanonicalIDRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.CanonicalIDSelector != nil { + in, out := &in.CanonicalIDSelector, &out.CanonicalIDSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.MountAccessor != nil { in, out := &in.MountAccessor, &out.MountAccessor *out = new(string) **out = **in } + if in.MountAccessorRef != nil { + in, out := &in.MountAccessorRef, &out.MountAccessorRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.MountAccessorSelector != nil { + in, out := &in.MountAccessorSelector, &out.MountAccessorSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Name != nil { in, out := &in.Name, &out.Name *out = new(string) @@ -1050,7 +1116,8 @@ func (in *GroupInitParameters) DeepCopyInto(out *GroupInitParameters) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -1167,6 +1234,16 @@ func (in *GroupMemberEntityIdsInitParameters) DeepCopyInto(out *GroupMemberEntit *out = new(string) **out = **in } + if in.GroupIDRef != nil { + in, out := &in.GroupIDRef, &out.GroupIDRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.GroupIDSelector != nil { + in, out := &in.GroupIDSelector, &out.GroupIDSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.MemberEntityIds != nil { in, out := &in.MemberEntityIds, &out.MemberEntityIds *out = make([]*string, len(*in)) 
@@ -1240,11 +1317,6 @@ func (in *GroupMemberEntityIdsObservation) DeepCopyInto(out *GroupMemberEntityId *out = new(string) **out = **in } - if in.GroupName != nil { - in, out := &in.GroupName, &out.GroupName - *out = new(string) - **out = **in - } if in.ID != nil { in, out := &in.ID, &out.ID *out = new(string) @@ -1291,6 +1363,16 @@ func (in *GroupMemberEntityIdsParameters) DeepCopyInto(out *GroupMemberEntityIds *out = new(string) **out = **in } + if in.GroupIDRef != nil { + in, out := &in.GroupIDRef, &out.GroupIDRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.GroupIDSelector != nil { + in, out := &in.GroupIDSelector, &out.GroupIDSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.MemberEntityIds != nil { in, out := &in.MemberEntityIds, &out.MemberEntityIds *out = make([]*string, len(*in)) @@ -1394,6 +1476,16 @@ func (in *GroupMemberGroupIdsInitParameters) DeepCopyInto(out *GroupMemberGroupI *out = new(string) **out = **in } + if in.GroupIDRef != nil { + in, out := &in.GroupIDRef, &out.GroupIDRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.GroupIDSelector != nil { + in, out := &in.GroupIDSelector, &out.GroupIDSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.MemberGroupIds != nil { in, out := &in.MemberGroupIds, &out.MemberGroupIds *out = make([]*string, len(*in)) @@ -1513,6 +1605,16 @@ func (in *GroupMemberGroupIdsParameters) DeepCopyInto(out *GroupMemberGroupIdsPa *out = new(string) **out = **in } + if in.GroupIDRef != nil { + in, out := &in.GroupIDRef, &out.GroupIDRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.GroupIDSelector != nil { + in, out := &in.GroupIDSelector, &out.GroupIDSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.MemberGroupIds != nil { in, out := &in.MemberGroupIds, &out.MemberGroupIds *out = make([]*string, len(*in)) 
@@ -1629,7 +1731,8 @@ func (in *GroupObservation) DeepCopyInto(out *GroupObservation) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -1722,7 +1825,8 @@ func (in *GroupParameters) DeepCopyInto(out *GroupParameters) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -1807,6 +1911,16 @@ func (in *GroupPoliciesInitParameters) DeepCopyInto(out *GroupPoliciesInitParame *out = new(string) **out = **in } + if in.GroupIDRef != nil { + in, out := &in.GroupIDRef, &out.GroupIDRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.GroupIDSelector != nil { + in, out := &in.GroupIDSelector, &out.GroupIDSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) @@ -1931,6 +2045,16 @@ func (in *GroupPoliciesParameters) DeepCopyInto(out *GroupPoliciesParameters) { *out = new(string) **out = **in } + if in.GroupIDRef != nil { + in, out := &in.GroupIDRef, &out.GroupIDRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.GroupIDSelector != nil { + in, out := &in.GroupIDSelector, &out.GroupIDSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) @@ -2064,6 +2188,7 @@ func (in *MfaDuoInitParameters) DeepCopyInto(out *MfaDuoInitParameters) { *out = new(string) **out = **in } + out.IntegrationKeySecretRef = in.IntegrationKeySecretRef if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) 
@@ -2074,6 +2199,7 @@ func (in *MfaDuoInitParameters) DeepCopyInto(out *MfaDuoInitParameters) { *out = new(string) **out = **in } + out.SecretKeySecretRef = in.SecretKeySecretRef if in.UsePasscode != nil { in, out := &in.UsePasscode, &out.UsePasscode *out = new(bool) @@ -2669,6 +2795,7 @@ func (in *MfaOkta) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MfaOktaInitParameters) DeepCopyInto(out *MfaOktaInitParameters) { *out = *in + out.APITokenSecretRef = in.APITokenSecretRef if in.BaseURL != nil { in, out := &in.BaseURL, &out.BaseURL *out = new(string) @@ -4116,11 +4243,31 @@ func (in *OidcKeyAllowedClientIDInitParameters) DeepCopyInto(out *OidcKeyAllowed *out = new(string) **out = **in } + if in.AllowedClientIDRef != nil { + in, out := &in.AllowedClientIDRef, &out.AllowedClientIDRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.AllowedClientIDSelector != nil { + in, out := &in.AllowedClientIDSelector, &out.AllowedClientIDSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.KeyName != nil { in, out := &in.KeyName, &out.KeyName *out = new(string) **out = **in } + if in.KeyNameRef != nil { + in, out := &in.KeyNameRef, &out.KeyNameRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.KeyNameSelector != nil { + in, out := &in.KeyNameSelector, &out.KeyNameSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) 
@@ -4213,11 +4360,31 @@ func (in *OidcKeyAllowedClientIDParameters) DeepCopyInto(out *OidcKeyAllowedClie *out = new(string) **out = **in } + if in.AllowedClientIDRef != nil { + in, out := &in.AllowedClientIDRef, &out.AllowedClientIDRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.AllowedClientIDSelector != nil { + in, out := &in.AllowedClientIDSelector, &out.AllowedClientIDSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.KeyName != nil { in, out := &in.KeyName, &out.KeyName *out = new(string) **out = **in } + if in.KeyNameRef != nil { + in, out := &in.KeyNameRef, &out.KeyNameRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.KeyNameSelector != nil { + in, out := &in.KeyNameSelector, &out.KeyNameSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) @@ -4897,6 +5064,16 @@ func (in *OidcRoleInitParameters) DeepCopyInto(out *OidcRoleInitParameters) { *out = new(string) **out = **in } + if in.KeyRef != nil { + in, out := &in.KeyRef, &out.KeyRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.KeySelector != nil { + in, out := &in.KeySelector, &out.KeySelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Name != nil { in, out := &in.Name, &out.Name *out = new(string) @@ -5024,6 +5201,16 @@ func (in *OidcRoleParameters) DeepCopyInto(out *OidcRoleParameters) { *out = new(string) **out = **in } + if in.KeyRef != nil { + in, out := &in.KeyRef, &out.KeyRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.KeySelector != nil { + in, out := &in.KeySelector, &out.KeySelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Name != nil { in, out := &in.Name, &out.Name *out = new(string) diff --git a/apis/identity/v1alpha1/zz_generated.managed.go b/apis/identity/v1alpha1/zz_generated.managed.go index 35ee8551..0d927ed9 100644 
--- a/apis/identity/v1alpha1/zz_generated.managed.go +++ b/apis/identity/v1alpha1/zz_generated.managed.go @@ -27,14 +27,6 @@ func (mg *Entity) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this Entity. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *Entity) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this Entity. func (mg *Entity) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -65,14 +57,6 @@ func (mg *Entity) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this Entity. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *Entity) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this Entity. func (mg *Entity) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -103,14 +87,6 @@ func (mg *EntityAlias) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this EntityAlias. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *EntityAlias) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this EntityAlias. func (mg *EntityAlias) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -141,14 +117,6 @@ func (mg *EntityAlias) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this EntityAlias. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *EntityAlias) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this EntityAlias. func (mg *EntityAlias) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -179,14 +147,6 @@ func (mg *EntityPolicies) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this EntityPolicies. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *EntityPolicies) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this EntityPolicies. func (mg *EntityPolicies) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -217,14 +177,6 @@ func (mg *EntityPolicies) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this EntityPolicies. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *EntityPolicies) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this EntityPolicies. func (mg *EntityPolicies) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r 
@@ -255,14 +207,6 @@ func (mg *Group) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this Group. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *Group) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this Group. func (mg *Group) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -293,14 +237,6 @@ func (mg *Group) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this Group. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *Group) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this Group. func (mg *Group) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -331,14 +267,6 @@ func (mg *GroupAlias) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this GroupAlias. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *GroupAlias) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this GroupAlias. func (mg *GroupAlias) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -369,14 +297,6 @@ func (mg *GroupAlias) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this GroupAlias. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *GroupAlias) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this GroupAlias. func (mg *GroupAlias) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r 
@@ -407,14 +327,6 @@ func (mg *GroupMemberEntityIds) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this GroupMemberEntityIds. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *GroupMemberEntityIds) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this GroupMemberEntityIds. func (mg *GroupMemberEntityIds) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -445,14 +357,6 @@ func (mg *GroupMemberEntityIds) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this GroupMemberEntityIds. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *GroupMemberEntityIds) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this GroupMemberEntityIds. func (mg *GroupMemberEntityIds) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -483,14 +387,6 @@ func (mg *GroupMemberGroupIds) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this GroupMemberGroupIds. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *GroupMemberGroupIds) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this GroupMemberGroupIds. func (mg *GroupMemberGroupIds) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -521,14 +417,6 @@ func (mg *GroupMemberGroupIds) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this GroupMemberGroupIds. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *GroupMemberGroupIds) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this GroupMemberGroupIds. func (mg *GroupMemberGroupIds) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -559,14 +447,6 @@ func (mg *GroupPolicies) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this GroupPolicies. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *GroupPolicies) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this GroupPolicies. func (mg *GroupPolicies) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -597,14 +477,6 @@ func (mg *GroupPolicies) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this GroupPolicies. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *GroupPolicies) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this GroupPolicies. func (mg *GroupPolicies) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r 
@@ -635,14 +507,6 @@ func (mg *MfaDuo) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this MfaDuo. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *MfaDuo) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this MfaDuo. func (mg *MfaDuo) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -673,14 +537,6 @@ func (mg *MfaDuo) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this MfaDuo. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *MfaDuo) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this MfaDuo. func (mg *MfaDuo) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -711,14 +567,6 @@ func (mg *MfaLoginEnforcement) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this MfaLoginEnforcement. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *MfaLoginEnforcement) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this MfaLoginEnforcement. func (mg *MfaLoginEnforcement) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -749,14 +597,6 @@ func (mg *MfaLoginEnforcement) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this MfaLoginEnforcement. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *MfaLoginEnforcement) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this MfaLoginEnforcement. func (mg *MfaLoginEnforcement) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -787,14 +627,6 @@ func (mg *MfaOkta) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this MfaOkta. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *MfaOkta) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this MfaOkta. func (mg *MfaOkta) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -825,14 +657,6 @@ func (mg *MfaOkta) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this MfaOkta. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *MfaOkta) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this MfaOkta. func (mg *MfaOkta) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r 
@@ -863,14 +687,6 @@ func (mg *MfaPingid) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this MfaPingid. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *MfaPingid) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this MfaPingid. func (mg *MfaPingid) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -901,14 +717,6 @@ func (mg *MfaPingid) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this MfaPingid. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *MfaPingid) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this MfaPingid. func (mg *MfaPingid) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -939,14 +747,6 @@ func (mg *MfaTotp) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this MfaTotp. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *MfaTotp) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this MfaTotp. func (mg *MfaTotp) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -977,14 +777,6 @@ func (mg *MfaTotp) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this MfaTotp. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *MfaTotp) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this MfaTotp. func (mg *MfaTotp) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -1015,14 +807,6 @@ func (mg *Oidc) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this Oidc. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *Oidc) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this Oidc. func (mg *Oidc) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -1053,14 +837,6 @@ func (mg *Oidc) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this Oidc. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *Oidc) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this Oidc. func (mg *Oidc) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -1091,14 +867,6 @@ func (mg *OidcAssignment) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this OidcAssignment. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *OidcAssignment) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this OidcAssignment. func (mg *OidcAssignment) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -1129,14 +897,6 @@ func (mg *OidcAssignment) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this OidcAssignment. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *OidcAssignment) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this OidcAssignment. func (mg *OidcAssignment) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -1167,14 +927,6 @@ func (mg *OidcClient) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this OidcClient. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *OidcClient) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this OidcClient. func (mg *OidcClient) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -1205,14 +957,6 @@ func (mg *OidcClient) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this OidcClient. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *OidcClient) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this OidcClient. func (mg *OidcClient) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r 
@@ -1243,14 +987,6 @@ func (mg *OidcKey) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this OidcKey. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *OidcKey) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this OidcKey. func (mg *OidcKey) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -1281,14 +1017,6 @@ func (mg *OidcKey) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this OidcKey. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *OidcKey) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this OidcKey. func (mg *OidcKey) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -1319,14 +1047,6 @@ func (mg *OidcKeyAllowedClientID) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this OidcKeyAllowedClientID. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *OidcKeyAllowedClientID) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this OidcKeyAllowedClientID. func (mg *OidcKeyAllowedClientID) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -1357,14 +1077,6 @@ func (mg *OidcKeyAllowedClientID) SetProviderConfigReference(r *xpv1.Reference) mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this OidcKeyAllowedClientID. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *OidcKeyAllowedClientID) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this OidcKeyAllowedClientID. func (mg *OidcKeyAllowedClientID) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -1395,14 +1107,6 @@ func (mg *OidcProvider) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this OidcProvider. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *OidcProvider) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this OidcProvider. func (mg *OidcProvider) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -1433,14 +1137,6 @@ func (mg *OidcProvider) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this OidcProvider. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *OidcProvider) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this OidcProvider. func (mg *OidcProvider) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r 
@@ -1471,14 +1167,6 @@ func (mg *OidcRole) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this OidcRole. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *OidcRole) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this OidcRole. func (mg *OidcRole) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -1509,14 +1197,6 @@ func (mg *OidcRole) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this OidcRole. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *OidcRole) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this OidcRole. func (mg *OidcRole) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -1547,14 +1227,6 @@ func (mg *OidcScope) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this OidcScope. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *OidcScope) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this OidcScope. func (mg *OidcScope) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -1585,14 +1257,6 @@ func (mg *OidcScope) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this OidcScope. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *OidcScope) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this OidcScope. func (mg *OidcScope) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/identity/v1alpha1/zz_generated.resolvers.go b/apis/identity/v1alpha1/zz_generated.resolvers.go new file mode 100644 index 00000000..f2d01e13 --- /dev/null +++ b/apis/identity/v1alpha1/zz_generated.resolvers.go 
@@ -0,0 +1,373 @@ +/* +Copyright 2022 Upbound Inc. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + reference "github.com/crossplane/crossplane-runtime/pkg/reference" + resource "github.com/crossplane/upjet/pkg/resource" + errors "github.com/pkg/errors" + v1alpha1 "github.com/upbound/provider-vault/apis/auth/v1alpha1" + client "sigs.k8s.io/controller-runtime/pkg/client" +) + +// ResolveReferences of this EntityPolicies. +func (mg *EntityPolicies) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.EntityID), + Extract: resource.ExtractResourceID(), + Reference: mg.Spec.ForProvider.EntityIDRef, + Selector: mg.Spec.ForProvider.EntityIDSelector, + To: reference.To{ + List: &EntityList{}, + Managed: &Entity{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.EntityID") + } + mg.Spec.ForProvider.EntityID = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.EntityIDRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.EntityID), + Extract: resource.ExtractResourceID(), + Reference: mg.Spec.InitProvider.EntityIDRef, + Selector: mg.Spec.InitProvider.EntityIDSelector, + To: reference.To{ + List: &EntityList{}, + Managed: &Entity{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.EntityID") + } + mg.Spec.InitProvider.EntityID = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.EntityIDRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this GroupAlias. 
+func (mg *GroupAlias) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.CanonicalID), + Extract: resource.ExtractResourceID(), + Reference: mg.Spec.ForProvider.CanonicalIDRef, + Selector: mg.Spec.ForProvider.CanonicalIDSelector, + To: reference.To{ + List: &GroupList{}, + Managed: &Group{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.CanonicalID") + } + mg.Spec.ForProvider.CanonicalID = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.CanonicalIDRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.MountAccessor), + Extract: resource.ExtractParamPath("accessor", true), + Reference: mg.Spec.ForProvider.MountAccessorRef, + Selector: mg.Spec.ForProvider.MountAccessorSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.MountAccessor") + } + mg.Spec.ForProvider.MountAccessor = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.MountAccessorRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.CanonicalID), + Extract: resource.ExtractResourceID(), + Reference: mg.Spec.InitProvider.CanonicalIDRef, + Selector: mg.Spec.InitProvider.CanonicalIDSelector, + To: reference.To{ + List: &GroupList{}, + Managed: &Group{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.CanonicalID") + } + mg.Spec.InitProvider.CanonicalID = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.CanonicalIDRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, 
reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.MountAccessor), + Extract: resource.ExtractParamPath("accessor", true), + Reference: mg.Spec.InitProvider.MountAccessorRef, + Selector: mg.Spec.InitProvider.MountAccessorSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.MountAccessor") + } + mg.Spec.InitProvider.MountAccessor = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.MountAccessorRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this GroupMemberEntityIds. +func (mg *GroupMemberEntityIds) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.GroupID), + Extract: resource.ExtractResourceID(), + Reference: mg.Spec.ForProvider.GroupIDRef, + Selector: mg.Spec.ForProvider.GroupIDSelector, + To: reference.To{ + List: &GroupList{}, + Managed: &Group{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.GroupID") + } + mg.Spec.ForProvider.GroupID = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.GroupIDRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.GroupID), + Extract: resource.ExtractResourceID(), + Reference: mg.Spec.InitProvider.GroupIDRef, + Selector: mg.Spec.InitProvider.GroupIDSelector, + To: reference.To{ + List: &GroupList{}, + Managed: &Group{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.GroupID") + } + mg.Spec.InitProvider.GroupID = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.GroupIDRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of 
this GroupMemberGroupIds. +func (mg *GroupMemberGroupIds) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.GroupID), + Extract: resource.ExtractResourceID(), + Reference: mg.Spec.ForProvider.GroupIDRef, + Selector: mg.Spec.ForProvider.GroupIDSelector, + To: reference.To{ + List: &GroupList{}, + Managed: &Group{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.GroupID") + } + mg.Spec.ForProvider.GroupID = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.GroupIDRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.GroupID), + Extract: resource.ExtractResourceID(), + Reference: mg.Spec.InitProvider.GroupIDRef, + Selector: mg.Spec.InitProvider.GroupIDSelector, + To: reference.To{ + List: &GroupList{}, + Managed: &Group{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.GroupID") + } + mg.Spec.InitProvider.GroupID = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.GroupIDRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this GroupPolicies. 
+func (mg *GroupPolicies) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.GroupID), + Extract: resource.ExtractResourceID(), + Reference: mg.Spec.ForProvider.GroupIDRef, + Selector: mg.Spec.ForProvider.GroupIDSelector, + To: reference.To{ + List: &GroupList{}, + Managed: &Group{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.GroupID") + } + mg.Spec.ForProvider.GroupID = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.GroupIDRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.GroupID), + Extract: resource.ExtractResourceID(), + Reference: mg.Spec.InitProvider.GroupIDRef, + Selector: mg.Spec.InitProvider.GroupIDSelector, + To: reference.To{ + List: &GroupList{}, + Managed: &Group{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.GroupID") + } + mg.Spec.InitProvider.GroupID = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.GroupIDRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this OidcKeyAllowedClientID. 
+func (mg *OidcKeyAllowedClientID) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.AllowedClientID), + Extract: resource.ExtractParamPath("client_id", false), + Reference: mg.Spec.ForProvider.AllowedClientIDRef, + Selector: mg.Spec.ForProvider.AllowedClientIDSelector, + To: reference.To{ + List: &OidcRoleList{}, + Managed: &OidcRole{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.AllowedClientID") + } + mg.Spec.ForProvider.AllowedClientID = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.AllowedClientIDRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.KeyName), + Extract: resource.ExtractParamPath("name", false), + Reference: mg.Spec.ForProvider.KeyNameRef, + Selector: mg.Spec.ForProvider.KeyNameSelector, + To: reference.To{ + List: &OidcKeyList{}, + Managed: &OidcKey{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.KeyName") + } + mg.Spec.ForProvider.KeyName = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.KeyNameRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.AllowedClientID), + Extract: resource.ExtractParamPath("client_id", false), + Reference: mg.Spec.InitProvider.AllowedClientIDRef, + Selector: mg.Spec.InitProvider.AllowedClientIDSelector, + To: reference.To{ + List: &OidcRoleList{}, + Managed: &OidcRole{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.AllowedClientID") + } + mg.Spec.InitProvider.AllowedClientID = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.AllowedClientIDRef = rsp.ResolvedReference + + rsp, 
err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.KeyName), + Extract: resource.ExtractParamPath("name", false), + Reference: mg.Spec.InitProvider.KeyNameRef, + Selector: mg.Spec.InitProvider.KeyNameSelector, + To: reference.To{ + List: &OidcKeyList{}, + Managed: &OidcKey{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.KeyName") + } + mg.Spec.InitProvider.KeyName = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.KeyNameRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this OidcRole. +func (mg *OidcRole) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Key), + Extract: resource.ExtractParamPath("name", false), + Reference: mg.Spec.ForProvider.KeyRef, + Selector: mg.Spec.ForProvider.KeySelector, + To: reference.To{ + List: &OidcKeyList{}, + Managed: &OidcKey{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Key") + } + mg.Spec.ForProvider.Key = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.KeyRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Key), + Extract: resource.ExtractParamPath("name", false), + Reference: mg.Spec.InitProvider.KeyRef, + Selector: mg.Spec.InitProvider.KeySelector, + To: reference.To{ + List: &OidcKeyList{}, + Managed: &OidcKey{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Key") + } + mg.Spec.InitProvider.Key = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.KeyRef = rsp.ResolvedReference + + return nil +} 
diff --git a/apis/identity/v1alpha1/zz_generated_terraformed.go b/apis/identity/v1alpha1/zz_generated_terraformed.go deleted file mode 100755 index e5c18ac8..00000000 --- a/apis/identity/v1alpha1/zz_generated_terraformed.go +++ /dev/null 
@@ -1,1778 +0,0 @@ -/* -Copyright 2022 Upbound Inc. -*/ - -// Code generated by upjet. DO NOT EDIT. - -package v1alpha1 - -import ( - "github.com/pkg/errors" - - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" -) - -// GetTerraformResourceType returns Terraform resource type for this Entity -func (mg *Entity) GetTerraformResourceType() string { - return "vault_identity_entity" -} - -// GetConnectionDetailsMapping for this Entity -func (tr *Entity) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this Entity -func (tr *Entity) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this Entity -func (tr *Entity) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this Entity -func (tr *Entity) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this Entity -func (tr *Entity) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this Entity -func (tr *Entity) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this Entity -func (tr *Entity) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - 
return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this Entity using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *Entity) LateInitialize(attrs []byte) (bool, error) { - params := &EntityParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *Entity) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this EntityAlias -func (mg *EntityAlias) GetTerraformResourceType() string { - return "vault_identity_entity_alias" -} - -// GetConnectionDetailsMapping for this EntityAlias -func (tr *EntityAlias) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this EntityAlias -func (tr *EntityAlias) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this EntityAlias -func (tr *EntityAlias) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this EntityAlias -func (tr *EntityAlias) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this EntityAlias -func (tr *EntityAlias) GetParameters() (map[string]any, error) { 
- p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this EntityAlias -func (tr *EntityAlias) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this EntityAlias -func (tr *EntityAlias) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this EntityAlias using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *EntityAlias) LateInitialize(attrs []byte) (bool, error) { - params := &EntityAliasParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *EntityAlias) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this EntityPolicies -func (mg *EntityPolicies) GetTerraformResourceType() string { - return "vault_identity_entity_policies" -} - -// GetConnectionDetailsMapping for this EntityPolicies -func (tr *EntityPolicies) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this EntityPolicies -func (tr *EntityPolicies) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this EntityPolicies -func (tr *EntityPolicies) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this EntityPolicies -func (tr *EntityPolicies) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this EntityPolicies -func (tr *EntityPolicies) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this EntityPolicies -func (tr *EntityPolicies) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this EntityPolicies -func (tr *EntityPolicies) GetInitParameters() (map[string]any, error) { - p, err := 
json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this EntityPolicies using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *EntityPolicies) LateInitialize(attrs []byte) (bool, error) { - params := &EntityPoliciesParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *EntityPolicies) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this Group -func (mg *Group) GetTerraformResourceType() string { - return "vault_identity_group" -} - -// GetConnectionDetailsMapping for this Group -func (tr *Group) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this Group -func (tr *Group) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this Group -func (tr *Group) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this Group -func (tr *Group) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this 
Group -func (tr *Group) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this Group -func (tr *Group) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this Group -func (tr *Group) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this Group using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *Group) LateInitialize(attrs []byte) (bool, error) { - params := &GroupParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *Group) GetTerraformSchemaVersion() int { - return 1 -} - -// GetTerraformResourceType returns Terraform resource type for this GroupAlias -func (mg *GroupAlias) GetTerraformResourceType() string { - return "vault_identity_group_alias" -} - -// GetConnectionDetailsMapping for this GroupAlias -func (tr *GroupAlias) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this GroupAlias -func (tr *GroupAlias) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this GroupAlias -func (tr *GroupAlias) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this GroupAlias -func (tr *GroupAlias) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this GroupAlias -func (tr *GroupAlias) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this GroupAlias -func (tr *GroupAlias) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this GroupAlias -func (tr *GroupAlias) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - 
base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this GroupAlias using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *GroupAlias) LateInitialize(attrs []byte) (bool, error) { - params := &GroupAliasParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *GroupAlias) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this GroupMemberEntityIds -func (mg *GroupMemberEntityIds) GetTerraformResourceType() string { - return "vault_identity_group_member_entity_ids" -} - -// GetConnectionDetailsMapping for this GroupMemberEntityIds -func (tr *GroupMemberEntityIds) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this GroupMemberEntityIds -func (tr *GroupMemberEntityIds) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this GroupMemberEntityIds -func (tr *GroupMemberEntityIds) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this GroupMemberEntityIds -func (tr *GroupMemberEntityIds) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } 
- return *tr.Status.AtProvider.ID -} - -// GetParameters of this GroupMemberEntityIds -func (tr *GroupMemberEntityIds) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this GroupMemberEntityIds -func (tr *GroupMemberEntityIds) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this GroupMemberEntityIds -func (tr *GroupMemberEntityIds) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this GroupMemberEntityIds using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *GroupMemberEntityIds) LateInitialize(attrs []byte) (bool, error) { - params := &GroupMemberEntityIdsParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *GroupMemberEntityIds) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this GroupMemberGroupIds -func (mg *GroupMemberGroupIds) GetTerraformResourceType() string { - return "vault_identity_group_member_group_ids" -} - -// GetConnectionDetailsMapping for this GroupMemberGroupIds -func (tr *GroupMemberGroupIds) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this GroupMemberGroupIds -func (tr *GroupMemberGroupIds) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this GroupMemberGroupIds -func (tr *GroupMemberGroupIds) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this GroupMemberGroupIds -func (tr *GroupMemberGroupIds) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this GroupMemberGroupIds -func (tr *GroupMemberGroupIds) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this GroupMemberGroupIds -func (tr *GroupMemberGroupIds) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this GroupMemberGroupIds -func (tr 
*GroupMemberGroupIds) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this GroupMemberGroupIds using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *GroupMemberGroupIds) LateInitialize(attrs []byte) (bool, error) { - params := &GroupMemberGroupIdsParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *GroupMemberGroupIds) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this GroupPolicies -func (mg *GroupPolicies) GetTerraformResourceType() string { - return "vault_identity_group_policies" -} - -// GetConnectionDetailsMapping for this GroupPolicies -func (tr *GroupPolicies) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this GroupPolicies -func (tr *GroupPolicies) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this GroupPolicies -func (tr *GroupPolicies) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform 
resource of this GroupPolicies -func (tr *GroupPolicies) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this GroupPolicies -func (tr *GroupPolicies) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this GroupPolicies -func (tr *GroupPolicies) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this GroupPolicies -func (tr *GroupPolicies) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this GroupPolicies using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *GroupPolicies) LateInitialize(attrs []byte) (bool, error) { - params := &GroupPoliciesParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *GroupPolicies) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this MfaDuo -func (mg *MfaDuo) GetTerraformResourceType() string { - return "vault_identity_mfa_duo" -} - -// GetConnectionDetailsMapping for this MfaDuo -func (tr *MfaDuo) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"integration_key": "spec.forProvider.integrationKeySecretRef", "secret_key": "spec.forProvider.secretKeySecretRef"} -} - -// GetObservation of this MfaDuo -func (tr *MfaDuo) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this MfaDuo -func (tr *MfaDuo) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this MfaDuo -func (tr *MfaDuo) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this MfaDuo -func (tr *MfaDuo) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this MfaDuo -func (tr *MfaDuo) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this MfaDuo -func (tr *MfaDuo) GetInitParameters() (map[string]any, error) { - p, err := 
json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this MfaDuo using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *MfaDuo) LateInitialize(attrs []byte) (bool, error) { - params := &MfaDuoParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *MfaDuo) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this MfaLoginEnforcement -func (mg *MfaLoginEnforcement) GetTerraformResourceType() string { - return "vault_identity_mfa_login_enforcement" -} - -// GetConnectionDetailsMapping for this MfaLoginEnforcement -func (tr *MfaLoginEnforcement) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this MfaLoginEnforcement -func (tr *MfaLoginEnforcement) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this MfaLoginEnforcement -func (tr *MfaLoginEnforcement) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this MfaLoginEnforcement -func (tr *MfaLoginEnforcement) GetID() 
string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this MfaLoginEnforcement -func (tr *MfaLoginEnforcement) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this MfaLoginEnforcement -func (tr *MfaLoginEnforcement) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this MfaLoginEnforcement -func (tr *MfaLoginEnforcement) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this MfaLoginEnforcement using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *MfaLoginEnforcement) LateInitialize(attrs []byte) (bool, error) { - params := &MfaLoginEnforcementParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *MfaLoginEnforcement) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this MfaOkta -func (mg *MfaOkta) GetTerraformResourceType() string { - return "vault_identity_mfa_okta" -} - -// GetConnectionDetailsMapping for this MfaOkta -func (tr *MfaOkta) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"api_token": "spec.forProvider.apiTokenSecretRef"} -} - -// GetObservation of this MfaOkta -func (tr *MfaOkta) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this MfaOkta -func (tr *MfaOkta) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this MfaOkta -func (tr *MfaOkta) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this MfaOkta -func (tr *MfaOkta) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this MfaOkta -func (tr *MfaOkta) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this MfaOkta -func (tr *MfaOkta) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { 
- return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this MfaOkta using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *MfaOkta) LateInitialize(attrs []byte) (bool, error) { - params := &MfaOktaParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *MfaOkta) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this MfaPingid -func (mg *MfaPingid) GetTerraformResourceType() string { - return "vault_identity_mfa_pingid" -} - -// GetConnectionDetailsMapping for this MfaPingid -func (tr *MfaPingid) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this MfaPingid -func (tr *MfaPingid) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this MfaPingid -func (tr *MfaPingid) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this MfaPingid -func (tr *MfaPingid) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this MfaPingid -func (tr *MfaPingid) 
GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this MfaPingid -func (tr *MfaPingid) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this MfaPingid -func (tr *MfaPingid) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this MfaPingid using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *MfaPingid) LateInitialize(attrs []byte) (bool, error) { - params := &MfaPingidParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *MfaPingid) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this MfaTotp -func (mg *MfaTotp) GetTerraformResourceType() string { - return "vault_identity_mfa_totp" -} - -// GetConnectionDetailsMapping for this MfaTotp -func (tr *MfaTotp) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this MfaTotp -func (tr *MfaTotp) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this MfaTotp -func (tr *MfaTotp) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this MfaTotp -func (tr *MfaTotp) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this MfaTotp -func (tr *MfaTotp) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this MfaTotp -func (tr *MfaTotp) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this MfaTotp -func (tr *MfaTotp) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, 
json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this MfaTotp using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *MfaTotp) LateInitialize(attrs []byte) (bool, error) { - params := &MfaTotpParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *MfaTotp) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this Oidc -func (mg *Oidc) GetTerraformResourceType() string { - return "vault_identity_oidc" -} - -// GetConnectionDetailsMapping for this Oidc -func (tr *Oidc) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this Oidc -func (tr *Oidc) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this Oidc -func (tr *Oidc) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this Oidc -func (tr *Oidc) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this Oidc -func (tr *Oidc) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base 
:= map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this Oidc -func (tr *Oidc) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this Oidc -func (tr *Oidc) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this Oidc using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *Oidc) LateInitialize(attrs []byte) (bool, error) { - params := &OidcParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *Oidc) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this OidcAssignment -func (mg *OidcAssignment) GetTerraformResourceType() string { - return "vault_identity_oidc_assignment" -} - -// GetConnectionDetailsMapping for this OidcAssignment -func (tr *OidcAssignment) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this OidcAssignment -func (tr *OidcAssignment) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this OidcAssignment -func (tr *OidcAssignment) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this OidcAssignment -func (tr *OidcAssignment) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this OidcAssignment -func (tr *OidcAssignment) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this OidcAssignment -func (tr *OidcAssignment) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this OidcAssignment -func (tr *OidcAssignment) GetInitParameters() (map[string]any, error) { - p, err := 
json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this OidcAssignment using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *OidcAssignment) LateInitialize(attrs []byte) (bool, error) { - params := &OidcAssignmentParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *OidcAssignment) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this OidcClient -func (mg *OidcClient) GetTerraformResourceType() string { - return "vault_identity_oidc_client" -} - -// GetConnectionDetailsMapping for this OidcClient -func (tr *OidcClient) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"client_secret": "status.atProvider.clientSecret"} -} - -// GetObservation of this OidcClient -func (tr *OidcClient) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this OidcClient -func (tr *OidcClient) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this OidcClient -func (tr *OidcClient) GetID() string 
{ - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this OidcClient -func (tr *OidcClient) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this OidcClient -func (tr *OidcClient) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this OidcClient -func (tr *OidcClient) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this OidcClient using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *OidcClient) LateInitialize(attrs []byte) (bool, error) { - params := &OidcClientParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *OidcClient) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this OidcKey -func (mg *OidcKey) GetTerraformResourceType() string { - return "vault_identity_oidc_key" -} - -// GetConnectionDetailsMapping for this OidcKey -func (tr *OidcKey) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this OidcKey -func (tr *OidcKey) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this OidcKey -func (tr *OidcKey) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this OidcKey -func (tr *OidcKey) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this OidcKey -func (tr *OidcKey) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this OidcKey -func (tr *OidcKey) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this OidcKey -func (tr *OidcKey) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, 
json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this OidcKey using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *OidcKey) LateInitialize(attrs []byte) (bool, error) { - params := &OidcKeyParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *OidcKey) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this OidcKeyAllowedClientID -func (mg *OidcKeyAllowedClientID) GetTerraformResourceType() string { - return "vault_identity_oidc_key_allowed_client_id" -} - -// GetConnectionDetailsMapping for this OidcKeyAllowedClientID -func (tr *OidcKeyAllowedClientID) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this OidcKeyAllowedClientID -func (tr *OidcKeyAllowedClientID) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this OidcKeyAllowedClientID -func (tr *OidcKeyAllowedClientID) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this OidcKeyAllowedClientID -func (tr *OidcKeyAllowedClientID) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return 
*tr.Status.AtProvider.ID -} - -// GetParameters of this OidcKeyAllowedClientID -func (tr *OidcKeyAllowedClientID) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this OidcKeyAllowedClientID -func (tr *OidcKeyAllowedClientID) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this OidcKeyAllowedClientID -func (tr *OidcKeyAllowedClientID) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this OidcKeyAllowedClientID using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *OidcKeyAllowedClientID) LateInitialize(attrs []byte) (bool, error) { - params := &OidcKeyAllowedClientIDParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *OidcKeyAllowedClientID) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this OidcProvider -func (mg *OidcProvider) GetTerraformResourceType() string { - return "vault_identity_oidc_provider" -} - -// GetConnectionDetailsMapping for this OidcProvider -func (tr *OidcProvider) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this OidcProvider -func (tr *OidcProvider) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this OidcProvider -func (tr *OidcProvider) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this OidcProvider -func (tr *OidcProvider) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this OidcProvider -func (tr *OidcProvider) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this OidcProvider -func (tr *OidcProvider) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this OidcProvider -func (tr *OidcProvider) GetInitParameters() (map[string]any, error) { - p, err := 
json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this OidcProvider using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *OidcProvider) LateInitialize(attrs []byte) (bool, error) { - params := &OidcProviderParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *OidcProvider) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this OidcRole -func (mg *OidcRole) GetTerraformResourceType() string { - return "vault_identity_oidc_role" -} - -// GetConnectionDetailsMapping for this OidcRole -func (tr *OidcRole) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this OidcRole -func (tr *OidcRole) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this OidcRole -func (tr *OidcRole) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this OidcRole -func (tr *OidcRole) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - 
-// GetParameters of this OidcRole -func (tr *OidcRole) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this OidcRole -func (tr *OidcRole) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this OidcRole -func (tr *OidcRole) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this OidcRole using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *OidcRole) LateInitialize(attrs []byte) (bool, error) { - params := &OidcRoleParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *OidcRole) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this OidcScope -func (mg *OidcScope) GetTerraformResourceType() string { - return "vault_identity_oidc_scope" -} - -// GetConnectionDetailsMapping for this OidcScope -func (tr *OidcScope) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this OidcScope -func (tr *OidcScope) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this OidcScope -func (tr *OidcScope) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this OidcScope -func (tr *OidcScope) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this OidcScope -func (tr *OidcScope) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this OidcScope -func (tr *OidcScope) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this OidcScope -func (tr *OidcScope) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := 
map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this OidcScope using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *OidcScope) LateInitialize(attrs []byte) (bool, error) { - params := &OidcScopeParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *OidcScope) GetTerraformSchemaVersion() int { - return 0 -} diff --git a/apis/identity/v1alpha1/zz_group_terraformed.go b/apis/identity/v1alpha1/zz_group_terraformed.go new file mode 100755 index 00000000..8d324cb6 --- /dev/null +++ b/apis/identity/v1alpha1/zz_group_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this Group +func (mg *Group) GetTerraformResourceType() string { + return "vault_identity_group" +} + +// GetConnectionDetailsMapping for this Group +func (tr *Group) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this Group +func (tr *Group) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this Group +func (tr *Group) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this Group +func (tr *Group) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this Group +func (tr *Group) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this Group +func (tr *Group) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this Group +func (tr *Group) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := 
map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this Group +func (tr *Group) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this Group using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *Group) LateInitialize(attrs []byte) (bool, error) { + params := &GroupParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *Group) GetTerraformSchemaVersion() int { + return 1 +} 
diff --git a/apis/identity/v1alpha1/zz_group_types.go b/apis/identity/v1alpha1/zz_group_types.go index 8cefb2cd..45b3779d 100755 --- a/apis/identity/v1alpha1/zz_group_types.go +++ b/apis/identity/v1alpha1/zz_group_types.go @@ -37,14 +37,17 @@ type GroupInitParameters struct { // A list of Entity IDs to be assigned as group members. Not allowed on external groups. // Entity IDs to be assigned as group members. + // +listType=set MemberEntityIds []*string `json:"memberEntityIds,omitempty" tf:"member_entity_ids,omitempty"` // A list of Group IDs to be assigned as group members. Not allowed on external groups. // Group IDs to be assigned as group members. + // +listType=set MemberGroupIds []*string `json:"memberGroupIds,omitempty" tf:"member_group_ids,omitempty"` // A Map of additional metadata to associate with the group. // Metadata to be associated with the group. + // +mapType=granular Metadata map[string]*string `json:"metadata,omitempty" tf:"metadata,omitempty"` // Name of the identity group to create. @@ -60,6 +63,7 @@ type GroupInitParameters struct { // A list of policies to apply to the group. // Policies to be tied to the group. + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` // Type of the group, internal or external. Defaults to internal. 
@@ -94,14 +98,17 @@ type GroupObservation struct { // A list of Entity IDs to be assigned as group members. Not allowed on external groups. // Entity IDs to be assigned as group members. + // +listType=set MemberEntityIds []*string `json:"memberEntityIds,omitempty" tf:"member_entity_ids,omitempty"` // A list of Group IDs to be assigned as group members. Not allowed on external groups. // Group IDs to be assigned as group members. + // +listType=set MemberGroupIds []*string `json:"memberGroupIds,omitempty" tf:"member_group_ids,omitempty"` // A Map of additional metadata to associate with the group. // Metadata to be associated with the group. + // +mapType=granular Metadata map[string]*string `json:"metadata,omitempty" tf:"metadata,omitempty"` // Name of the identity group to create. @@ -117,6 +124,7 @@ type GroupObservation struct { // A list of policies to apply to the group. // Policies to be tied to the group. + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` // Type of the group, internal or external. Defaults to internal. @@ -152,16 +160,19 @@ type GroupParameters struct { // A list of Entity IDs to be assigned as group members. Not allowed on external groups. // Entity IDs to be assigned as group members. // +kubebuilder:validation:Optional + // +listType=set MemberEntityIds []*string `json:"memberEntityIds,omitempty" tf:"member_entity_ids,omitempty"` // A list of Group IDs to be assigned as group members. Not allowed on external groups. // Group IDs to be assigned as group members. // +kubebuilder:validation:Optional + // +listType=set MemberGroupIds []*string `json:"memberGroupIds,omitempty" tf:"member_group_ids,omitempty"` // A Map of additional metadata to associate with the group. // Metadata to be associated with the group. // +kubebuilder:validation:Optional + // +mapType=granular Metadata map[string]*string `json:"metadata,omitempty" tf:"metadata,omitempty"` // Name of the identity group to create. 
@@ -180,6 +191,7 @@ type GroupParameters struct { // A list of policies to apply to the group. // Policies to be tied to the group. // +kubebuilder:validation:Optional + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` // Type of the group, internal or external. Defaults to internal. @@ -192,9 +204,8 @@ type GroupParameters struct { type GroupSpec struct { v1.ResourceSpec `json:",inline"` ForProvider GroupParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. @@ -213,13 +224,14 @@ type GroupStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // Group is the Schema for the Groups API. Creates an Identity Group for Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type Group struct { metav1.TypeMeta `json:",inline"` 
diff --git a/apis/identity/v1alpha1/zz_groupalias_terraformed.go b/apis/identity/v1alpha1/zz_groupalias_terraformed.go new file mode 100755 index 00000000..09326e07 --- /dev/null +++ b/apis/identity/v1alpha1/zz_groupalias_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this GroupAlias +func (mg *GroupAlias) GetTerraformResourceType() string { + return "vault_identity_group_alias" +} + +// GetConnectionDetailsMapping for this GroupAlias +func (tr *GroupAlias) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this GroupAlias +func (tr *GroupAlias) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this GroupAlias +func (tr *GroupAlias) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this GroupAlias +func (tr *GroupAlias) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this GroupAlias +func (tr *GroupAlias) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this GroupAlias +func (tr *GroupAlias) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this GroupAlias +func (tr *GroupAlias) GetInitParameters() (map[string]any, error) { + p, err := 
json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this GroupAlias +func (tr *GroupAlias) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this GroupAlias using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *GroupAlias) LateInitialize(attrs []byte) (bool, error) { + params := &GroupAliasParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *GroupAlias) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/identity/v1alpha1/zz_groupalias_types.go b/apis/identity/v1alpha1/zz_groupalias_types.go index 49588eea..71db4749 100755 --- a/apis/identity/v1alpha1/zz_groupalias_types.go +++ b/apis/identity/v1alpha1/zz_groupalias_types.go 
@@ -17,12 +17,32 @@ type GroupAliasInitParameters struct { // ID of the group to which this is an alias. // ID of the group to which this is an alias. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/identity/v1alpha1.Group + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractResourceID() CanonicalID *string `json:"canonicalId,omitempty" tf:"canonical_id,omitempty"` + // Reference to a Group in identity to populate canonicalId. + // +kubebuilder:validation:Optional + CanonicalIDRef *v1.Reference `json:"canonicalIdRef,omitempty" tf:"-"` + + // Selector for a Group in identity to populate canonicalId. + // +kubebuilder:validation:Optional + CanonicalIDSelector *v1.Selector `json:"canonicalIdSelector,omitempty" tf:"-"` + // Mount accessor of the authentication backend to which this alias belongs to. // Mount accessor to which this alias belongs to. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("accessor",true) MountAccessor *string `json:"mountAccessor,omitempty" tf:"mount_accessor,omitempty"` + // Reference to a Backend in auth to populate mountAccessor. + // +kubebuilder:validation:Optional + MountAccessorRef *v1.Reference `json:"mountAccessorRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate mountAccessor. + // +kubebuilder:validation:Optional + MountAccessorSelector *v1.Selector `json:"mountAccessorSelector,omitempty" tf:"-"` + // Name of the group alias to create. // Name of the group alias. Name *string `json:"name,omitempty" tf:"name,omitempty"` 
@@ -64,14 +84,34 @@ type GroupAliasParameters struct { // ID of the group to which this is an alias. // ID of the group to which this is an alias. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/identity/v1alpha1.Group + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractResourceID() // +kubebuilder:validation:Optional CanonicalID *string `json:"canonicalId,omitempty" tf:"canonical_id,omitempty"` + // Reference to a Group in identity to populate canonicalId. + // +kubebuilder:validation:Optional + CanonicalIDRef *v1.Reference `json:"canonicalIdRef,omitempty" tf:"-"` + + // Selector for a Group in identity to populate canonicalId. + // +kubebuilder:validation:Optional + CanonicalIDSelector *v1.Selector `json:"canonicalIdSelector,omitempty" tf:"-"` + // Mount accessor of the authentication backend to which this alias belongs to. // Mount accessor to which this alias belongs to. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("accessor",true) // +kubebuilder:validation:Optional MountAccessor *string `json:"mountAccessor,omitempty" tf:"mount_accessor,omitempty"` + // Reference to a Backend in auth to populate mountAccessor. + // +kubebuilder:validation:Optional + MountAccessorRef *v1.Reference `json:"mountAccessorRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate mountAccessor. + // +kubebuilder:validation:Optional + MountAccessorSelector *v1.Selector `json:"mountAccessorSelector,omitempty" tf:"-"` + // Name of the group alias to create. // Name of the group alias. // +kubebuilder:validation:Optional 
@@ -90,9 +130,8 @@ type GroupAliasParameters struct { type GroupAliasSpec struct { v1.ResourceSpec `json:",inline"` ForProvider GroupAliasParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -111,20 +150,19 @@ type GroupAliasStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // GroupAlias is the Schema for the GroupAliass API. Creates an Identity Group Alias for Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type GroupAlias struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.canonicalId) || has(self.initProvider.canonicalId)",message="canonicalId is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.mountAccessor) || has(self.initProvider.mountAccessor)",message="mountAccessor is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in 
self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" Spec GroupAliasSpec `json:"spec"` Status GroupAliasStatus `json:"status,omitempty"` } diff --git a/apis/identity/v1alpha1/zz_groupmemberentityids_terraformed.go b/apis/identity/v1alpha1/zz_groupmemberentityids_terraformed.go new file mode 100755 index 00000000..9de0f710 --- /dev/null +++ b/apis/identity/v1alpha1/zz_groupmemberentityids_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this GroupMemberEntityIds +func (mg *GroupMemberEntityIds) GetTerraformResourceType() string { + return "vault_identity_group_member_entity_ids" +} + +// GetConnectionDetailsMapping for this GroupMemberEntityIds +func (tr *GroupMemberEntityIds) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this GroupMemberEntityIds +func (tr *GroupMemberEntityIds) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this GroupMemberEntityIds +func (tr *GroupMemberEntityIds) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this GroupMemberEntityIds +func (tr *GroupMemberEntityIds) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this GroupMemberEntityIds +func (tr *GroupMemberEntityIds) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this GroupMemberEntityIds +func (tr *GroupMemberEntityIds) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, 
&tr.Spec.ForProvider) +} + +// GetInitParameters of this GroupMemberEntityIds +func (tr *GroupMemberEntityIds) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this GroupMemberEntityIds +func (tr *GroupMemberEntityIds) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this GroupMemberEntityIds using its observed tfState. +// returns True if there are any spec changes for the resource. 
+func (tr *GroupMemberEntityIds) LateInitialize(attrs []byte) (bool, error) { + params := &GroupMemberEntityIdsParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *GroupMemberEntityIds) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/identity/v1alpha1/zz_groupmemberentityids_types.go b/apis/identity/v1alpha1/zz_groupmemberentityids_types.go index 188ae26a..70b791fa 100755 --- a/apis/identity/v1alpha1/zz_groupmemberentityids_types.go +++ b/apis/identity/v1alpha1/zz_groupmemberentityids_types.go @@ -22,10 +22,21 @@ type GroupMemberEntityIdsInitParameters struct { // Group ID to assign member entities to. // ID of the group. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/identity/v1alpha1.Group + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractResourceID() GroupID *string `json:"groupId,omitempty" tf:"group_id,omitempty"` + // Reference to a Group in identity to populate groupId. + // +kubebuilder:validation:Optional + GroupIDRef *v1.Reference `json:"groupIdRef,omitempty" tf:"-"` + + // Selector for a Group in identity to populate groupId. + // +kubebuilder:validation:Optional + GroupIDSelector *v1.Selector `json:"groupIdSelector,omitempty" tf:"-"` + // List of member entities that belong to the group // Entity IDs to be assigned as group members. + // +listType=set MemberEntityIds []*string `json:"memberEntityIds,omitempty" tf:"member_entity_ids,omitempty"` // The namespace to provision the resource in. 
@@ -47,16 +58,11 @@ type GroupMemberEntityIdsObservation struct { // ID of the group. GroupID *string `json:"groupId,omitempty" tf:"group_id,omitempty"` - // The name of the group that are assigned the member entities. - // Deprecated: The value for group_name may not always be accurate - // use data.vault_identity_group.*.group_name, or vault_identity_group.*.group_name instead. - // Name of the group. - GroupName *string `json:"groupName,omitempty" tf:"group_name,omitempty"` - ID *string `json:"id,omitempty" tf:"id,omitempty"` // List of member entities that belong to the group // Entity IDs to be assigned as group members. + // +listType=set MemberEntityIds []*string `json:"memberEntityIds,omitempty" tf:"member_entity_ids,omitempty"` // The namespace to provision the resource in. @@ -77,12 +83,23 @@ type GroupMemberEntityIdsParameters struct { // Group ID to assign member entities to. // ID of the group. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/identity/v1alpha1.Group + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractResourceID() // +kubebuilder:validation:Optional GroupID *string `json:"groupId,omitempty" tf:"group_id,omitempty"` + // Reference to a Group in identity to populate groupId. + // +kubebuilder:validation:Optional + GroupIDRef *v1.Reference `json:"groupIdRef,omitempty" tf:"-"` + + // Selector for a Group in identity to populate groupId. + // +kubebuilder:validation:Optional + GroupIDSelector *v1.Selector `json:"groupIdSelector,omitempty" tf:"-"` + // List of member entities that belong to the group // Entity IDs to be assigned as group members. // +kubebuilder:validation:Optional + // +listType=set MemberEntityIds []*string `json:"memberEntityIds,omitempty" tf:"member_entity_ids,omitempty"` // The namespace to provision the resource in. 
@@ -98,9 +115,8 @@ type GroupMemberEntityIdsParameters struct { type GroupMemberEntityIdsSpec struct { v1.ResourceSpec `json:",inline"` ForProvider GroupMemberEntityIdsParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -119,20 +135,20 @@ type GroupMemberEntityIdsStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // GroupMemberEntityIds is the Schema for the GroupMemberEntityIdss API. Manages member entities for an Identity Group for Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type GroupMemberEntityIds struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.groupId) || has(self.initProvider.groupId)",message="groupId is a required parameter" - Spec GroupMemberEntityIdsSpec `json:"spec"` - Status GroupMemberEntityIdsStatus `json:"status,omitempty"` + Spec GroupMemberEntityIdsSpec `json:"spec"` + Status GroupMemberEntityIdsStatus `json:"status,omitempty"` } // +kubebuilder:object:root=true diff --git a/apis/identity/v1alpha1/zz_groupmembergroupids_terraformed.go b/apis/identity/v1alpha1/zz_groupmembergroupids_terraformed.go new file mode 100755 index 00000000..3420b234 --- /dev/null +++ b/apis/identity/v1alpha1/zz_groupmembergroupids_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this GroupMemberGroupIds +func (mg *GroupMemberGroupIds) GetTerraformResourceType() string { + return "vault_identity_group_member_group_ids" +} + +// GetConnectionDetailsMapping for this GroupMemberGroupIds +func (tr *GroupMemberGroupIds) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this GroupMemberGroupIds +func (tr *GroupMemberGroupIds) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this GroupMemberGroupIds +func (tr *GroupMemberGroupIds) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this GroupMemberGroupIds +func (tr *GroupMemberGroupIds) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this GroupMemberGroupIds +func (tr *GroupMemberGroupIds) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this GroupMemberGroupIds +func (tr *GroupMemberGroupIds) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// 
GetInitParameters of this GroupMemberGroupIds +func (tr *GroupMemberGroupIds) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this GroupMemberGroupIds +func (tr *GroupMemberGroupIds) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this GroupMemberGroupIds using its observed tfState. +// returns True if there are any spec changes for the resource. 
+func (tr *GroupMemberGroupIds) LateInitialize(attrs []byte) (bool, error) { + params := &GroupMemberGroupIdsParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *GroupMemberGroupIds) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/identity/v1alpha1/zz_groupmembergroupids_types.go b/apis/identity/v1alpha1/zz_groupmembergroupids_types.go index eab48f79..f6db9b7d 100755 --- a/apis/identity/v1alpha1/zz_groupmembergroupids_types.go +++ b/apis/identity/v1alpha1/zz_groupmembergroupids_types.go @@ -22,10 +22,21 @@ type GroupMemberGroupIdsInitParameters struct { // Group ID to assign member entities to. // ID of the group. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/identity/v1alpha1.Group + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractResourceID() GroupID *string `json:"groupId,omitempty" tf:"group_id,omitempty"` + // Reference to a Group in identity to populate groupId. + // +kubebuilder:validation:Optional + GroupIDRef *v1.Reference `json:"groupIdRef,omitempty" tf:"-"` + + // Selector for a Group in identity to populate groupId. + // +kubebuilder:validation:Optional + GroupIDSelector *v1.Selector `json:"groupIdSelector,omitempty" tf:"-"` + // List of member groups that belong to the group // Group IDs to be assigned as group members. + // +listType=set MemberGroupIds []*string `json:"memberGroupIds,omitempty" tf:"member_group_ids,omitempty"` // The namespace to provision the resource in. 
@@ -51,6 +62,7 @@ type GroupMemberGroupIdsObservation struct { // List of member groups that belong to the group // Group IDs to be assigned as group members. + // +listType=set MemberGroupIds []*string `json:"memberGroupIds,omitempty" tf:"member_group_ids,omitempty"` // The namespace to provision the resource in. @@ -71,12 +83,23 @@ type GroupMemberGroupIdsParameters struct { // Group ID to assign member entities to. // ID of the group. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/identity/v1alpha1.Group + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractResourceID() // +kubebuilder:validation:Optional GroupID *string `json:"groupId,omitempty" tf:"group_id,omitempty"` + // Reference to a Group in identity to populate groupId. + // +kubebuilder:validation:Optional + GroupIDRef *v1.Reference `json:"groupIdRef,omitempty" tf:"-"` + + // Selector for a Group in identity to populate groupId. + // +kubebuilder:validation:Optional + GroupIDSelector *v1.Selector `json:"groupIdSelector,omitempty" tf:"-"` + // List of member groups that belong to the group // Group IDs to be assigned as group members. // +kubebuilder:validation:Optional + // +listType=set MemberGroupIds []*string `json:"memberGroupIds,omitempty" tf:"member_group_ids,omitempty"` // The namespace to provision the resource in. 
@@ -92,9 +115,8 @@ type GroupMemberGroupIdsParameters struct { type GroupMemberGroupIdsSpec struct { v1.ResourceSpec `json:",inline"` ForProvider GroupMemberGroupIdsParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -113,20 +135,20 @@ type GroupMemberGroupIdsStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // GroupMemberGroupIds is the Schema for the GroupMemberGroupIdss API. Manages member groups for an Identity Group for Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type GroupMemberGroupIds struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.groupId) || has(self.initProvider.groupId)",message="groupId is a required parameter" - Spec GroupMemberGroupIdsSpec `json:"spec"` - Status GroupMemberGroupIdsStatus `json:"status,omitempty"` + Spec GroupMemberGroupIdsSpec `json:"spec"` + Status GroupMemberGroupIdsStatus `json:"status,omitempty"` } // +kubebuilder:object:root=true diff --git a/apis/identity/v1alpha1/zz_grouppolicies_terraformed.go b/apis/identity/v1alpha1/zz_grouppolicies_terraformed.go new file mode 100755 index 00000000..d60c6d6c --- /dev/null +++ b/apis/identity/v1alpha1/zz_grouppolicies_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this GroupPolicies +func (mg *GroupPolicies) GetTerraformResourceType() string { + return "vault_identity_group_policies" +} + +// GetConnectionDetailsMapping for this GroupPolicies +func (tr *GroupPolicies) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this GroupPolicies +func (tr *GroupPolicies) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this GroupPolicies +func (tr *GroupPolicies) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this GroupPolicies +func (tr *GroupPolicies) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this GroupPolicies +func (tr *GroupPolicies) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this GroupPolicies +func (tr *GroupPolicies) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this GroupPolicies +func (tr *GroupPolicies) GetInitParameters() 
(map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this GroupPolicies +func (tr *GroupPolicies) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this GroupPolicies using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *GroupPolicies) LateInitialize(attrs []byte) (bool, error) { + params := &GroupPoliciesParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *GroupPolicies) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/identity/v1alpha1/zz_grouppolicies_types.go b/apis/identity/v1alpha1/zz_grouppolicies_types.go index b6912414..1eac24d9 100755 --- a/apis/identity/v1alpha1/zz_grouppolicies_types.go +++ b/apis/identity/v1alpha1/zz_grouppolicies_types.go @@ -21,8 +21,18 @@ type GroupPoliciesInitParameters struct { // Group ID to assign policies to. // ID of the group. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/identity/v1alpha1.Group + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractResourceID() GroupID *string `json:"groupId,omitempty" tf:"group_id,omitempty"` + // Reference to a Group in identity to populate groupId. + // +kubebuilder:validation:Optional + GroupIDRef *v1.Reference `json:"groupIdRef,omitempty" tf:"-"` + + // Selector for a Group in identity to populate groupId. + // +kubebuilder:validation:Optional + GroupIDSelector *v1.Selector `json:"groupIdSelector,omitempty" tf:"-"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. @@ -32,6 +42,7 @@ type GroupPoliciesInitParameters struct { // List of policies to assign to the group // Policies to be tied to the group. + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` } @@ -60,6 +71,7 @@ type GroupPoliciesObservation struct { // List of policies to assign to the group // Policies to be tied to the group. + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` } 
@@ -72,9 +84,19 @@ type GroupPoliciesParameters struct { // Group ID to assign policies to. // ID of the group. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/identity/v1alpha1.Group + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractResourceID() // +kubebuilder:validation:Optional GroupID *string `json:"groupId,omitempty" tf:"group_id,omitempty"` + // Reference to a Group in identity to populate groupId. + // +kubebuilder:validation:Optional + GroupIDRef *v1.Reference `json:"groupIdRef,omitempty" tf:"-"` + + // Selector for a Group in identity to populate groupId. + // +kubebuilder:validation:Optional + GroupIDSelector *v1.Selector `json:"groupIdSelector,omitempty" tf:"-"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. @@ -86,6 +108,7 @@ type GroupPoliciesParameters struct { // List of policies to assign to the group // Policies to be tied to the group. // +kubebuilder:validation:Optional + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` } @@ -93,9 +116,8 @@ type GroupPoliciesParameters struct { type GroupPoliciesSpec struct { v1.ResourceSpec `json:",inline"` ForProvider GroupPoliciesParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -114,19 +136,19 @@ type GroupPoliciesStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // GroupPolicies is the Schema for the GroupPoliciess API. Manages policies for an Identity Group for Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type GroupPolicies struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.groupId) || has(self.initProvider.groupId)",message="groupId is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.policies) || has(self.initProvider.policies)",message="policies is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.policies) || (has(self.initProvider) && has(self.initProvider.policies))",message="spec.forProvider.policies is a required parameter" Spec GroupPoliciesSpec `json:"spec"` Status GroupPoliciesStatus `json:"status,omitempty"` } 
diff --git a/apis/identity/v1alpha1/zz_mfaduo_terraformed.go b/apis/identity/v1alpha1/zz_mfaduo_terraformed.go new file mode 100755 index 00000000..f4c05ca0 --- /dev/null +++ b/apis/identity/v1alpha1/zz_mfaduo_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this MfaDuo +func (mg *MfaDuo) GetTerraformResourceType() string { + return "vault_identity_mfa_duo" +} + +// GetConnectionDetailsMapping for this MfaDuo +func (tr *MfaDuo) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"integration_key": "integrationKeySecretRef", "secret_key": "secretKeySecretRef"} +} + +// GetObservation of this MfaDuo +func (tr *MfaDuo) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this MfaDuo +func (tr *MfaDuo) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this MfaDuo +func (tr *MfaDuo) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this MfaDuo +func (tr *MfaDuo) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this MfaDuo +func (tr *MfaDuo) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this MfaDuo +func (tr *MfaDuo) GetInitParameters() (map[string]any, error) { + 
p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this MfaDuo +func (tr *MfaDuo) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this MfaDuo using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *MfaDuo) LateInitialize(attrs []byte) (bool, error) { + params := &MfaDuoParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *MfaDuo) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/identity/v1alpha1/zz_mfaduo_types.go b/apis/identity/v1alpha1/zz_mfaduo_types.go index 5f57b9f9..0865b28a 100755 --- a/apis/identity/v1alpha1/zz_mfaduo_types.go +++ b/apis/identity/v1alpha1/zz_mfaduo_types.go @@ -19,6 +19,10 @@ type MfaDuoInitParameters struct { // API hostname for Duo APIHostname *string `json:"apiHostname,omitempty" tf:"api_hostname,omitempty"` + // Integration key for Duo + // Integration key for Duo + IntegrationKeySecretRef v1.SecretKeySelector `json:"integrationKeySecretRef" tf:"-"` + // Target namespace. (requires Enterprise) // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` @@ -27,6 +31,10 @@ type MfaDuoInitParameters struct { // Push information for Duo. PushInfo *string `json:"pushInfo,omitempty" tf:"push_info,omitempty"` + // Secret key for Duo + // Secret key for Duo + SecretKeySecretRef v1.SecretKeySelector `json:"secretKeySecretRef" tf:"-"` + // Require passcode upon MFA validation. // Require passcode upon MFA validation. UsePasscode *bool `json:"usePasscode,omitempty" tf:"use_passcode,omitempty"` 
@@ -130,9 +138,8 @@ type MfaDuoParameters struct { type MfaDuoSpec struct { v1.ResourceSpec `json:",inline"` ForProvider MfaDuoParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -151,20 +158,21 @@ type MfaDuoStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // MfaDuo is the Schema for the MfaDuos API. Resource for configuring the duo MFA method. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type MfaDuo struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.apiHostname) || has(self.initProvider.apiHostname)",message="apiHostname is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.integrationKeySecretRef)",message="integrationKeySecretRef is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.secretKeySecretRef)",message="secretKeySecretRef is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || 
has(self.forProvider.apiHostname) || (has(self.initProvider) && has(self.initProvider.apiHostname))",message="spec.forProvider.apiHostname is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.integrationKeySecretRef)",message="spec.forProvider.integrationKeySecretRef is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.secretKeySecretRef)",message="spec.forProvider.secretKeySecretRef is a required parameter" Spec MfaDuoSpec `json:"spec"` Status MfaDuoStatus `json:"status,omitempty"` } diff --git a/apis/identity/v1alpha1/zz_mfaloginenforcement_terraformed.go b/apis/identity/v1alpha1/zz_mfaloginenforcement_terraformed.go new file mode 100755 index 00000000..e1295525 --- /dev/null +++ b/apis/identity/v1alpha1/zz_mfaloginenforcement_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this MfaLoginEnforcement +func (mg *MfaLoginEnforcement) GetTerraformResourceType() string { + return "vault_identity_mfa_login_enforcement" +} + +// GetConnectionDetailsMapping for this MfaLoginEnforcement +func (tr *MfaLoginEnforcement) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this MfaLoginEnforcement +func (tr *MfaLoginEnforcement) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this MfaLoginEnforcement +func (tr *MfaLoginEnforcement) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this MfaLoginEnforcement +func (tr *MfaLoginEnforcement) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this MfaLoginEnforcement +func (tr *MfaLoginEnforcement) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this MfaLoginEnforcement +func (tr *MfaLoginEnforcement) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// 
GetInitParameters of this MfaLoginEnforcement +func (tr *MfaLoginEnforcement) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this MfaLoginEnforcement +func (tr *MfaLoginEnforcement) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this MfaLoginEnforcement using its observed tfState. +// returns True if there are any spec changes for the resource. 
+func (tr *MfaLoginEnforcement) LateInitialize(attrs []byte) (bool, error) { + params := &MfaLoginEnforcementParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *MfaLoginEnforcement) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/identity/v1alpha1/zz_mfaloginenforcement_types.go b/apis/identity/v1alpha1/zz_mfaloginenforcement_types.go index 60b90152..9fca142d 100755 --- a/apis/identity/v1alpha1/zz_mfaloginenforcement_types.go +++ b/apis/identity/v1alpha1/zz_mfaloginenforcement_types.go @@ -17,22 +17,27 @@ type MfaLoginEnforcementInitParameters struct { // Set of auth method accessor IDs. // Set of auth method accessor IDs. + // +listType=set AuthMethodAccessors []*string `json:"authMethodAccessors,omitempty" tf:"auth_method_accessors,omitempty"` // Set of auth method types. // Set of auth method types. + // +listType=set AuthMethodTypes []*string `json:"authMethodTypes,omitempty" tf:"auth_method_types,omitempty"` // Set of identity entity IDs. // Set of identity entity IDs. + // +listType=set IdentityEntityIds []*string `json:"identityEntityIds,omitempty" tf:"identity_entity_ids,omitempty"` // Set of identity group IDs. // Set of identity group IDs. + // +listType=set IdentityGroupIds []*string `json:"identityGroupIds,omitempty" tf:"identity_group_ids,omitempty"` // Set of MFA method UUIDs. // Set of MFA method UUIDs. + // +listType=set MfaMethodIds []*string `json:"mfaMethodIds,omitempty" tf:"mfa_method_ids,omitempty"` // Login enforcement name. 
@@ -48,24 +53,29 @@ type MfaLoginEnforcementObservation struct { // Set of auth method accessor IDs. // Set of auth method accessor IDs. + // +listType=set AuthMethodAccessors []*string `json:"authMethodAccessors,omitempty" tf:"auth_method_accessors,omitempty"` // Set of auth method types. // Set of auth method types. + // +listType=set AuthMethodTypes []*string `json:"authMethodTypes,omitempty" tf:"auth_method_types,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` // Set of identity entity IDs. // Set of identity entity IDs. + // +listType=set IdentityEntityIds []*string `json:"identityEntityIds,omitempty" tf:"identity_entity_ids,omitempty"` // Set of identity group IDs. // Set of identity group IDs. + // +listType=set IdentityGroupIds []*string `json:"identityGroupIds,omitempty" tf:"identity_group_ids,omitempty"` // Set of MFA method UUIDs. // Set of MFA method UUIDs. + // +listType=set MfaMethodIds []*string `json:"mfaMethodIds,omitempty" tf:"mfa_method_ids,omitempty"` // Login enforcement name. 
@@ -94,26 +104,31 @@ type MfaLoginEnforcementParameters struct { // Set of auth method accessor IDs. // Set of auth method accessor IDs. // +kubebuilder:validation:Optional + // +listType=set AuthMethodAccessors []*string `json:"authMethodAccessors,omitempty" tf:"auth_method_accessors,omitempty"` // Set of auth method types. // Set of auth method types. // +kubebuilder:validation:Optional + // +listType=set AuthMethodTypes []*string `json:"authMethodTypes,omitempty" tf:"auth_method_types,omitempty"` // Set of identity entity IDs. // Set of identity entity IDs. // +kubebuilder:validation:Optional + // +listType=set IdentityEntityIds []*string `json:"identityEntityIds,omitempty" tf:"identity_entity_ids,omitempty"` // Set of identity group IDs. // Set of identity group IDs. // +kubebuilder:validation:Optional + // +listType=set IdentityGroupIds []*string `json:"identityGroupIds,omitempty" tf:"identity_group_ids,omitempty"` // Set of MFA method UUIDs. // Set of MFA method UUIDs. // +kubebuilder:validation:Optional + // +listType=set MfaMethodIds []*string `json:"mfaMethodIds,omitempty" tf:"mfa_method_ids,omitempty"` // Login enforcement name. @@ -131,9 +146,8 @@ type MfaLoginEnforcementParameters struct { type MfaLoginEnforcementSpec struct { v1.ResourceSpec `json:",inline"` ForProvider MfaLoginEnforcementParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -152,19 +166,20 @@ type MfaLoginEnforcementStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // MfaLoginEnforcement is the Schema for the MfaLoginEnforcements API. Resource for configuring MFA login-enforcement -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type MfaLoginEnforcement struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.mfaMethodIds) || has(self.initProvider.mfaMethodIds)",message="mfaMethodIds is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.mfaMethodIds) || (has(self.initProvider) && has(self.initProvider.mfaMethodIds))",message="spec.forProvider.mfaMethodIds is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in 
self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" Spec MfaLoginEnforcementSpec `json:"spec"` Status MfaLoginEnforcementStatus `json:"status,omitempty"` } diff --git a/apis/identity/v1alpha1/zz_mfaokta_terraformed.go b/apis/identity/v1alpha1/zz_mfaokta_terraformed.go new file mode 100755 index 00000000..b3cc00b4 --- /dev/null +++ b/apis/identity/v1alpha1/zz_mfaokta_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this MfaOkta +func (mg *MfaOkta) GetTerraformResourceType() string { + return "vault_identity_mfa_okta" +} + +// GetConnectionDetailsMapping for this MfaOkta +func (tr *MfaOkta) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"api_token": "apiTokenSecretRef"} +} + +// GetObservation of this MfaOkta +func (tr *MfaOkta) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this MfaOkta +func (tr *MfaOkta) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this MfaOkta +func (tr *MfaOkta) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this MfaOkta +func (tr *MfaOkta) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this MfaOkta +func (tr *MfaOkta) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this MfaOkta +func (tr *MfaOkta) GetInitParameters() (map[string]any, error) { + p, err := 
json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this MfaOkta +func (tr *MfaOkta) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this MfaOkta using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *MfaOkta) LateInitialize(attrs []byte) (bool, error) { + params := &MfaOktaParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *MfaOkta) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/identity/v1alpha1/zz_mfaokta_types.go b/apis/identity/v1alpha1/zz_mfaokta_types.go index 227205e6..0087af6b 100755 --- a/apis/identity/v1alpha1/zz_mfaokta_types.go +++ b/apis/identity/v1alpha1/zz_mfaokta_types.go @@ -15,6 +15,10 @@ import ( type MfaOktaInitParameters struct { + // Okta API token. + // Okta API token. + APITokenSecretRef v1.SecretKeySelector `json:"apiTokenSecretRef" tf:"-"` + // The base domain to use for API requests. // The base domain to use for API requests. BaseURL *string `json:"baseUrl,omitempty" tf:"base_url,omitempty"` @@ -125,9 +129,8 @@ type MfaOktaParameters struct { type MfaOktaSpec struct { v1.ResourceSpec `json:",inline"` ForProvider MfaOktaParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -146,19 +149,20 @@ type MfaOktaStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // MfaOkta is the Schema for the MfaOktas API. Resource for configuring the okta MFA method. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type MfaOkta struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.apiTokenSecretRef)",message="apiTokenSecretRef is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.orgName) || has(self.initProvider.orgName)",message="orgName is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.apiTokenSecretRef)",message="spec.forProvider.apiTokenSecretRef is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || 
has(self.forProvider.orgName) || (has(self.initProvider) && has(self.initProvider.orgName))",message="spec.forProvider.orgName is a required parameter" Spec MfaOktaSpec `json:"spec"` Status MfaOktaStatus `json:"status,omitempty"` } diff --git a/apis/identity/v1alpha1/zz_mfapingid_terraformed.go b/apis/identity/v1alpha1/zz_mfapingid_terraformed.go new file mode 100755 index 00000000..b328021b --- /dev/null +++ b/apis/identity/v1alpha1/zz_mfapingid_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this MfaPingid +func (mg *MfaPingid) GetTerraformResourceType() string { + return "vault_identity_mfa_pingid" +} + +// GetConnectionDetailsMapping for this MfaPingid +func (tr *MfaPingid) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this MfaPingid +func (tr *MfaPingid) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this MfaPingid +func (tr *MfaPingid) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this MfaPingid +func (tr *MfaPingid) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this MfaPingid +func (tr *MfaPingid) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this MfaPingid +func (tr *MfaPingid) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this MfaPingid +func (tr *MfaPingid) GetInitParameters() (map[string]any, error) { + p, err := 
json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this MfaPingid +func (tr *MfaPingid) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this MfaPingid using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *MfaPingid) LateInitialize(attrs []byte) (bool, error) { + params := &MfaPingidParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *MfaPingid) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/identity/v1alpha1/zz_mfapingid_types.go b/apis/identity/v1alpha1/zz_mfapingid_types.go index 70b25c82..7d8f8a03 100755 --- a/apis/identity/v1alpha1/zz_mfapingid_types.go +++ b/apis/identity/v1alpha1/zz_mfapingid_types.go @@ -114,9 +114,8 @@ type MfaPingidParameters struct { type MfaPingidSpec struct { v1.ResourceSpec `json:",inline"` ForProvider MfaPingidParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -135,18 +134,19 @@ type MfaPingidStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // MfaPingid is the Schema for the MfaPingids API. Resource for configuring the pingid MFA method. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type MfaPingid struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.settingsFileBase64) || has(self.initProvider.settingsFileBase64)",message="settingsFileBase64 is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.settingsFileBase64) || (has(self.initProvider) && has(self.initProvider.settingsFileBase64))",message="spec.forProvider.settingsFileBase64 is a required parameter" Spec MfaPingidSpec `json:"spec"` Status MfaPingidStatus `json:"status,omitempty"` } diff --git a/apis/identity/v1alpha1/zz_mfatotp_terraformed.go b/apis/identity/v1alpha1/zz_mfatotp_terraformed.go new file mode 100755 index 00000000..5853ead9 --- /dev/null +++ b/apis/identity/v1alpha1/zz_mfatotp_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this MfaTotp +func (mg *MfaTotp) GetTerraformResourceType() string { + return "vault_identity_mfa_totp" +} + +// GetConnectionDetailsMapping for this MfaTotp +func (tr *MfaTotp) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this MfaTotp +func (tr *MfaTotp) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this MfaTotp +func (tr *MfaTotp) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this MfaTotp +func (tr *MfaTotp) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this MfaTotp +func (tr *MfaTotp) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this MfaTotp +func (tr *MfaTotp) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this MfaTotp +func (tr *MfaTotp) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + 
return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this MfaTotp +func (tr *MfaTotp) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this MfaTotp using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *MfaTotp) LateInitialize(attrs []byte) (bool, error) { + params := &MfaTotpParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *MfaTotp) GetTerraformSchemaVersion() int { + return 0 +} 
diff --git a/apis/identity/v1alpha1/zz_mfatotp_types.go b/apis/identity/v1alpha1/zz_mfatotp_types.go index 07669935..92bee422 100755 --- a/apis/identity/v1alpha1/zz_mfatotp_types.go +++ b/apis/identity/v1alpha1/zz_mfatotp_types.go @@ -172,9 +172,8 @@ type MfaTotpParameters struct { type MfaTotpSpec struct { v1.ResourceSpec `json:",inline"` ForProvider MfaTotpParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -193,18 +192,19 @@ type MfaTotpStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // MfaTotp is the Schema for the MfaTotps API. Resource for configuring the totp MFA method. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type MfaTotp struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.issuer) || has(self.initProvider.issuer)",message="issuer is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.issuer) || (has(self.initProvider) && has(self.initProvider.issuer))",message="spec.forProvider.issuer is a required parameter" Spec MfaTotpSpec `json:"spec"` Status MfaTotpStatus `json:"status,omitempty"` } diff --git a/apis/identity/v1alpha1/zz_oidc_terraformed.go b/apis/identity/v1alpha1/zz_oidc_terraformed.go new file mode 100755 index 00000000..514086f7 --- /dev/null +++ b/apis/identity/v1alpha1/zz_oidc_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this Oidc +func (mg *Oidc) GetTerraformResourceType() string { + return "vault_identity_oidc" +} + +// GetConnectionDetailsMapping for this Oidc +func (tr *Oidc) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this Oidc +func (tr *Oidc) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this Oidc +func (tr *Oidc) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this Oidc +func (tr *Oidc) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this Oidc +func (tr *Oidc) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this Oidc +func (tr *Oidc) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this Oidc +func (tr *Oidc) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return 
base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this Oidc +func (tr *Oidc) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this Oidc using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *Oidc) LateInitialize(attrs []byte) (bool, error) { + params := &OidcParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *Oidc) GetTerraformSchemaVersion() int { + return 0 +} 
diff --git a/apis/identity/v1alpha1/zz_oidc_types.go b/apis/identity/v1alpha1/zz_oidc_types.go index 3eb759e4..4e976392 100755 --- a/apis/identity/v1alpha1/zz_oidc_types.go +++ b/apis/identity/v1alpha1/zz_oidc_types.go @@ -71,9 +71,8 @@ type OidcParameters struct { type OidcSpec struct { v1.ResourceSpec `json:",inline"` ForProvider OidcParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. @@ -92,13 +91,14 @@ type OidcStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // Oidc is the Schema for the Oidcs API. Configure the Identity Tokens Backend for Vault -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type Oidc struct { metav1.TypeMeta `json:",inline"` 
diff --git a/apis/identity/v1alpha1/zz_oidcassignment_terraformed.go b/apis/identity/v1alpha1/zz_oidcassignment_terraformed.go new file mode 100755 index 00000000..59354ad8 --- /dev/null +++ b/apis/identity/v1alpha1/zz_oidcassignment_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this OidcAssignment +func (mg *OidcAssignment) GetTerraformResourceType() string { + return "vault_identity_oidc_assignment" +} + +// GetConnectionDetailsMapping for this OidcAssignment +func (tr *OidcAssignment) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this OidcAssignment +func (tr *OidcAssignment) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this OidcAssignment +func (tr *OidcAssignment) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this OidcAssignment +func (tr *OidcAssignment) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this OidcAssignment +func (tr *OidcAssignment) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this OidcAssignment +func (tr *OidcAssignment) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this OidcAssignment +func (tr *OidcAssignment) 
GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this OidcAssignment +func (tr *OidcAssignment) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this OidcAssignment using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *OidcAssignment) LateInitialize(attrs []byte) (bool, error) { + params := &OidcAssignmentParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *OidcAssignment) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/identity/v1alpha1/zz_oidcassignment_types.go b/apis/identity/v1alpha1/zz_oidcassignment_types.go index 8b8c37b0..e5e3bf6f 100755 --- a/apis/identity/v1alpha1/zz_oidcassignment_types.go +++ b/apis/identity/v1alpha1/zz_oidcassignment_types.go @@ -17,10 +17,12 @@ type OidcAssignmentInitParameters struct { // A set of Vault entity IDs. // A list of Vault entity IDs. + // +listType=set EntityIds []*string `json:"entityIds,omitempty" tf:"entity_ids,omitempty"` // A set of Vault group IDs. // A list of Vault group IDs. + // +listType=set GroupIds []*string `json:"groupIds,omitempty" tf:"group_ids,omitempty"` // The name of the assignment. @@ -39,10 +41,12 @@ type OidcAssignmentObservation struct { // A set of Vault entity IDs. // A list of Vault entity IDs. + // +listType=set EntityIds []*string `json:"entityIds,omitempty" tf:"entity_ids,omitempty"` // A set of Vault group IDs. // A list of Vault group IDs. + // +listType=set GroupIds []*string `json:"groupIds,omitempty" tf:"group_ids,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` @@ -64,11 +68,13 @@ type OidcAssignmentParameters struct { // A set of Vault entity IDs. // A list of Vault entity IDs. // +kubebuilder:validation:Optional + // +listType=set EntityIds []*string `json:"entityIds,omitempty" tf:"entity_ids,omitempty"` // A set of Vault group IDs. // A list of Vault group IDs. // +kubebuilder:validation:Optional + // +listType=set GroupIds []*string `json:"groupIds,omitempty" tf:"group_ids,omitempty"` // The name of the assignment. 
@@ -89,9 +95,8 @@ type OidcAssignmentParameters struct { type OidcAssignmentSpec struct { v1.ResourceSpec `json:",inline"` ForProvider OidcAssignmentParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -110,18 +115,19 @@ type OidcAssignmentStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // OidcAssignment is the Schema for the OidcAssignments API. Provision OIDC Assignments in Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type OidcAssignment struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" Spec OidcAssignmentSpec `json:"spec"` Status OidcAssignmentStatus `json:"status,omitempty"` } diff --git a/apis/identity/v1alpha1/zz_oidcclient_terraformed.go b/apis/identity/v1alpha1/zz_oidcclient_terraformed.go new file mode 100755 index 00000000..fa62b07d --- /dev/null +++ b/apis/identity/v1alpha1/zz_oidcclient_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this OidcClient +func (mg *OidcClient) GetTerraformResourceType() string { + return "vault_identity_oidc_client" +} + +// GetConnectionDetailsMapping for this OidcClient +func (tr *OidcClient) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"client_secret": "status.atProvider.clientSecret"} +} + +// GetObservation of this OidcClient +func (tr *OidcClient) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this OidcClient +func (tr *OidcClient) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this OidcClient +func (tr *OidcClient) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this OidcClient +func (tr *OidcClient) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this OidcClient +func (tr *OidcClient) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this OidcClient +func (tr *OidcClient) 
GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this OidcClient +func (tr *OidcClient) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this OidcClient using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *OidcClient) LateInitialize(attrs []byte) (bool, error) { + params := &OidcClientParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *OidcClient) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/identity/v1alpha1/zz_oidcclient_types.go b/apis/identity/v1alpha1/zz_oidcclient_types.go index f98a314c..38aaea97 100755 --- a/apis/identity/v1alpha1/zz_oidcclient_types.go +++ b/apis/identity/v1alpha1/zz_oidcclient_types.go @@ -21,6 +21,7 @@ type OidcClientInitParameters struct { // A list of assignment resources associated with the client. // A list of assignment resources associated with the client. + // +listType=set Assignments []*string `json:"assignments,omitempty" tf:"assignments,omitempty"` // The client type based on its ability to maintain confidentiality of credentials. @@ -54,6 +55,7 @@ type OidcClientInitParameters struct { // One of these values must exactly match the redirect_uri parameter value // used in each authentication request. // Redirection URI values used by the client. One of these values must exactly match the redirect_uri parameter value used in each authentication request. + // +listType=set RedirectUris []*string `json:"redirectUris,omitempty" tf:"redirect_uris,omitempty"` } @@ -65,8 +67,10 @@ type OidcClientObservation struct { // A list of assignment resources associated with the client. // A list of assignment resources associated with the client. + // +listType=set Assignments []*string `json:"assignments,omitempty" tf:"assignments,omitempty"` + // The Client ID returned by Vault. // The Client ID from Vault. ClientID *string `json:"clientId,omitempty" tf:"client_id,omitempty"` 
@@ -103,6 +107,7 @@ type OidcClientObservation struct { // One of these values must exactly match the redirect_uri parameter value // used in each authentication request. // Redirection URI values used by the client. One of these values must exactly match the redirect_uri parameter value used in each authentication request. + // +listType=set RedirectUris []*string `json:"redirectUris,omitempty" tf:"redirect_uris,omitempty"` } @@ -116,6 +121,7 @@ type OidcClientParameters struct { // A list of assignment resources associated with the client. // A list of assignment resources associated with the client. // +kubebuilder:validation:Optional + // +listType=set Assignments []*string `json:"assignments,omitempty" tf:"assignments,omitempty"` // The client type based on its ability to maintain confidentiality of credentials. @@ -155,6 +161,7 @@ type OidcClientParameters struct { // used in each authentication request. // Redirection URI values used by the client. One of these values must exactly match the redirect_uri parameter value used in each authentication request. // +kubebuilder:validation:Optional + // +listType=set RedirectUris []*string `json:"redirectUris,omitempty" tf:"redirect_uris,omitempty"` } @@ -162,9 +169,8 @@ type OidcClientParameters struct { type OidcClientSpec struct { v1.ResourceSpec `json:",inline"` ForProvider OidcClientParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -183,18 +189,19 @@ type OidcClientStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // OidcClient is the Schema for the OidcClients API. Provision OIDC Clients in Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type OidcClient struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" Spec OidcClientSpec `json:"spec"` Status OidcClientStatus `json:"status,omitempty"` } diff --git a/apis/identity/v1alpha1/zz_oidckey_terraformed.go b/apis/identity/v1alpha1/zz_oidckey_terraformed.go new file mode 100755 index 00000000..4369086e --- /dev/null +++ b/apis/identity/v1alpha1/zz_oidckey_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this OidcKey +func (mg *OidcKey) GetTerraformResourceType() string { + return "vault_identity_oidc_key" +} + +// GetConnectionDetailsMapping for this OidcKey +func (tr *OidcKey) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this OidcKey +func (tr *OidcKey) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this OidcKey +func (tr *OidcKey) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this OidcKey +func (tr *OidcKey) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this OidcKey +func (tr *OidcKey) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this OidcKey +func (tr *OidcKey) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this OidcKey +func (tr *OidcKey) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + 
return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this OidcKey +func (tr *OidcKey) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this OidcKey using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *OidcKey) LateInitialize(attrs []byte) (bool, error) { + params := &OidcKeyParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *OidcKey) GetTerraformSchemaVersion() int { + return 0 +} 
diff --git a/apis/identity/v1alpha1/zz_oidckey_types.go b/apis/identity/v1alpha1/zz_oidckey_types.go index 03c0ddb9..30d1d782 100755 --- a/apis/identity/v1alpha1/zz_oidckey_types.go +++ b/apis/identity/v1alpha1/zz_oidckey_types.go @@ -23,6 +23,7 @@ type OidcKeyInitParameters struct { // : Array of role client ID allowed to use this key for signing. If // empty, no roles are allowed. If ["*"], all roles are allowed. // Array of role client ids allowed to use this key for signing. If empty, no roles are allowed. If "*", all roles are allowed. + // +listType=set AllowedClientIds []*string `json:"allowedClientIds,omitempty" tf:"allowed_client_ids,omitempty"` // Name of the OIDC Key to create. @@ -56,6 +57,7 @@ type OidcKeyObservation struct { // : Array of role client ID allowed to use this key for signing. If // empty, no roles are allowed. If ["*"], all roles are allowed. // Array of role client ids allowed to use this key for signing. If empty, no roles are allowed. If "*", all roles are allowed. + // +listType=set AllowedClientIds []*string `json:"allowedClientIds,omitempty" tf:"allowed_client_ids,omitempty"` // The name of the created key. @@ -94,6 +96,7 @@ type OidcKeyParameters struct { // empty, no roles are allowed. If ["*"], all roles are allowed. // Array of role client ids allowed to use this key for signing. If empty, no roles are allowed. If "*", all roles are allowed. // +kubebuilder:validation:Optional + // +listType=set AllowedClientIds []*string `json:"allowedClientIds,omitempty" tf:"allowed_client_ids,omitempty"` // Name of the OIDC Key to create. 
@@ -125,9 +128,8 @@ type OidcKeyParameters struct { type OidcKeySpec struct { v1.ResourceSpec `json:",inline"` ForProvider OidcKeyParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -146,18 +148,19 @@ type OidcKeyStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // OidcKey is the Schema for the OidcKeys API. Creates an Identity OIDC Named Key for Vault -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type OidcKey struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" Spec OidcKeySpec `json:"spec"` Status OidcKeyStatus `json:"status,omitempty"` } diff --git a/apis/identity/v1alpha1/zz_oidckeyallowedclientid_terraformed.go b/apis/identity/v1alpha1/zz_oidckeyallowedclientid_terraformed.go new file mode 100755 index 00000000..1bd6395b --- /dev/null +++ b/apis/identity/v1alpha1/zz_oidckeyallowedclientid_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this OidcKeyAllowedClientID +func (mg *OidcKeyAllowedClientID) GetTerraformResourceType() string { + return "vault_identity_oidc_key_allowed_client_id" +} + +// GetConnectionDetailsMapping for this OidcKeyAllowedClientID +func (tr *OidcKeyAllowedClientID) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this OidcKeyAllowedClientID +func (tr *OidcKeyAllowedClientID) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this OidcKeyAllowedClientID +func (tr *OidcKeyAllowedClientID) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this OidcKeyAllowedClientID +func (tr *OidcKeyAllowedClientID) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this OidcKeyAllowedClientID +func (tr *OidcKeyAllowedClientID) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this OidcKeyAllowedClientID +func (tr *OidcKeyAllowedClientID) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return 
json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this OidcKeyAllowedClientID +func (tr *OidcKeyAllowedClientID) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this OidcKeyAllowedClientID +func (tr *OidcKeyAllowedClientID) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this OidcKeyAllowedClientID using its observed tfState. +// returns True if there are any spec changes for the resource. 
+func (tr *OidcKeyAllowedClientID) LateInitialize(attrs []byte) (bool, error) { + params := &OidcKeyAllowedClientIDParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *OidcKeyAllowedClientID) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/identity/v1alpha1/zz_oidckeyallowedclientid_types.go b/apis/identity/v1alpha1/zz_oidckeyallowedclientid_types.go index bdf27e14..e5fb20d8 100755 --- a/apis/identity/v1alpha1/zz_oidckeyallowedclientid_types.go +++ b/apis/identity/v1alpha1/zz_oidckeyallowedclientid_types.go 
@@ -17,12 +17,32 @@ type OidcKeyAllowedClientIDInitParameters struct { // Client ID to allow usage with the OIDC named key // Role Client ID allowed to use the key for signing. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/identity/v1alpha1.OidcRole + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("client_id",false) AllowedClientID *string `json:"allowedClientId,omitempty" tf:"allowed_client_id,omitempty"` + // Reference to a OidcRole in identity to populate allowedClientId. + // +kubebuilder:validation:Optional + AllowedClientIDRef *v1.Reference `json:"allowedClientIdRef,omitempty" tf:"-"` + + // Selector for a OidcRole in identity to populate allowedClientId. + // +kubebuilder:validation:Optional + AllowedClientIDSelector *v1.Selector `json:"allowedClientIdSelector,omitempty" tf:"-"` + // Name of the OIDC Key allow the Client ID. // Name of the key. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/identity/v1alpha1.OidcKey + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("name",false) KeyName *string `json:"keyName,omitempty" tf:"key_name,omitempty"` + // Reference to a OidcKey in identity to populate keyName. + // +kubebuilder:validation:Optional + KeyNameRef *v1.Reference `json:"keyNameRef,omitempty" tf:"-"` + + // Selector for a OidcKey in identity to populate keyName. + // +kubebuilder:validation:Optional + KeyNameSelector *v1.Selector `json:"keyNameSelector,omitempty" tf:"-"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. 
@@ -55,14 +75,34 @@ type OidcKeyAllowedClientIDParameters struct { // Client ID to allow usage with the OIDC named key // Role Client ID allowed to use the key for signing. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/identity/v1alpha1.OidcRole + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("client_id",false) // +kubebuilder:validation:Optional AllowedClientID *string `json:"allowedClientId,omitempty" tf:"allowed_client_id,omitempty"` + // Reference to a OidcRole in identity to populate allowedClientId. + // +kubebuilder:validation:Optional + AllowedClientIDRef *v1.Reference `json:"allowedClientIdRef,omitempty" tf:"-"` + + // Selector for a OidcRole in identity to populate allowedClientId. + // +kubebuilder:validation:Optional + AllowedClientIDSelector *v1.Selector `json:"allowedClientIdSelector,omitempty" tf:"-"` + // Name of the OIDC Key allow the Client ID. // Name of the key. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/identity/v1alpha1.OidcKey + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("name",false) // +kubebuilder:validation:Optional KeyName *string `json:"keyName,omitempty" tf:"key_name,omitempty"` + // Reference to a OidcKey in identity to populate keyName. + // +kubebuilder:validation:Optional + KeyNameRef *v1.Reference `json:"keyNameRef,omitempty" tf:"-"` + + // Selector for a OidcKey in identity to populate keyName. + // +kubebuilder:validation:Optional + KeyNameSelector *v1.Selector `json:"keyNameSelector,omitempty" tf:"-"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. 
@@ -76,9 +116,8 @@ type OidcKeyAllowedClientIDParameters struct { type OidcKeyAllowedClientIDSpec struct { v1.ResourceSpec `json:",inline"` ForProvider OidcKeyAllowedClientIDParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -97,21 +136,20 @@ type OidcKeyAllowedClientIDStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // OidcKeyAllowedClientID is the Schema for the OidcKeyAllowedClientIDs API. Allows an Identity OIDC Role to use an OIDC Named key. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type OidcKeyAllowedClientID struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.allowedClientId) || has(self.initProvider.allowedClientId)",message="allowedClientId is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.keyName) || has(self.initProvider.keyName)",message="keyName is a required parameter" - Spec OidcKeyAllowedClientIDSpec `json:"spec"` - Status OidcKeyAllowedClientIDStatus `json:"status,omitempty"` + Spec OidcKeyAllowedClientIDSpec `json:"spec"` + Status OidcKeyAllowedClientIDStatus `json:"status,omitempty"` } // +kubebuilder:object:root=true 
diff --git a/apis/identity/v1alpha1/zz_oidcprovider_terraformed.go b/apis/identity/v1alpha1/zz_oidcprovider_terraformed.go
new file mode 100755
index 00000000..552c0549
--- /dev/null
+++ b/apis/identity/v1alpha1/zz_oidcprovider_terraformed.go
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this OidcProvider +func (mg *OidcProvider) GetTerraformResourceType() string { + return "vault_identity_oidc_provider" +} + +// GetConnectionDetailsMapping for this OidcProvider +func (tr *OidcProvider) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this OidcProvider +func (tr *OidcProvider) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this OidcProvider +func (tr *OidcProvider) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this OidcProvider +func (tr *OidcProvider) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this OidcProvider +func (tr *OidcProvider) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this OidcProvider +func (tr *OidcProvider) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this OidcProvider +func (tr *OidcProvider) GetInitParameters() (map[string]any, 
error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this OidcProvider +func (tr *OidcProvider) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this OidcProvider using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *OidcProvider) LateInitialize(attrs []byte) (bool, error) { + params := &OidcProviderParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *OidcProvider) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/identity/v1alpha1/zz_oidcprovider_types.go b/apis/identity/v1alpha1/zz_oidcprovider_types.go index 394da667..6c9db569 100755 --- a/apis/identity/v1alpha1/zz_oidcprovider_types.go +++ b/apis/identity/v1alpha1/zz_oidcprovider_types.go @@ -18,6 +18,7 @@ type OidcProviderInitParameters struct { // The client IDs that are permitted to use the provider. // If empty, no clients are allowed. If *, all clients are allowed. // The client IDs that are permitted to use the provider. If empty, no clients are allowed. If "*", all clients are allowed. + // +listType=set AllowedClientIds []*string `json:"allowedClientIds,omitempty" tf:"allowed_client_ids,omitempty"` // Set to true if the issuer endpoint uses HTTPS. @@ -41,6 +42,7 @@ type OidcProviderInitParameters struct { // The scopes available for requesting on the provider. // The scopes available for requesting on the provider. + // +listType=set ScopesSupported []*string `json:"scopesSupported,omitempty" tf:"scopes_supported,omitempty"` } @@ -49,6 +51,7 @@ type OidcProviderObservation struct { // The client IDs that are permitted to use the provider. // If empty, no clients are allowed. If *, all clients are allowed. // The client IDs that are permitted to use the provider. If empty, no clients are allowed. If "*", all clients are allowed. + // +listType=set AllowedClientIds []*string `json:"allowedClientIds,omitempty" tf:"allowed_client_ids,omitempty"` // Set to true if the issuer endpoint uses HTTPS. @@ -80,6 +83,7 @@ type OidcProviderObservation struct { // The scopes available for requesting on the provider. // The scopes available for requesting on the provider. + // +listType=set ScopesSupported []*string `json:"scopesSupported,omitempty" tf:"scopes_supported,omitempty"` } 
@@ -89,6 +93,7 @@ type OidcProviderParameters struct { // If empty, no clients are allowed. If *, all clients are allowed. // The client IDs that are permitted to use the provider. If empty, no clients are allowed. If "*", all clients are allowed. // +kubebuilder:validation:Optional + // +listType=set AllowedClientIds []*string `json:"allowedClientIds,omitempty" tf:"allowed_client_ids,omitempty"` // Set to true if the issuer endpoint uses HTTPS. @@ -117,6 +122,7 @@ type OidcProviderParameters struct { // The scopes available for requesting on the provider. // The scopes available for requesting on the provider. // +kubebuilder:validation:Optional + // +listType=set ScopesSupported []*string `json:"scopesSupported,omitempty" tf:"scopes_supported,omitempty"` } @@ -124,9 +130,8 @@ type OidcProviderParameters struct { type OidcProviderSpec struct { v1.ResourceSpec `json:",inline"` ForProvider OidcProviderParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -145,18 +150,19 @@ type OidcProviderStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // OidcProvider is the Schema for the OidcProviders API. Provision OIDC Providers in Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type OidcProvider struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" Spec OidcProviderSpec `json:"spec"` Status OidcProviderStatus `json:"status,omitempty"` } diff --git a/apis/identity/v1alpha1/zz_oidcrole_terraformed.go b/apis/identity/v1alpha1/zz_oidcrole_terraformed.go new file mode 100755 index 00000000..bf4a322d --- /dev/null +++ b/apis/identity/v1alpha1/zz_oidcrole_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this OidcRole +func (mg *OidcRole) GetTerraformResourceType() string { + return "vault_identity_oidc_role" +} + +// GetConnectionDetailsMapping for this OidcRole +func (tr *OidcRole) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this OidcRole +func (tr *OidcRole) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this OidcRole +func (tr *OidcRole) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this OidcRole +func (tr *OidcRole) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this OidcRole +func (tr *OidcRole) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this OidcRole +func (tr *OidcRole) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this OidcRole +func (tr *OidcRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err 
!= nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this OidcRole +func (tr *OidcRole) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this OidcRole using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *OidcRole) LateInitialize(attrs []byte) (bool, error) { + params := &OidcRoleParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *OidcRole) GetTerraformSchemaVersion() int { + return 0 +} 
diff --git a/apis/identity/v1alpha1/zz_oidcrole_types.go b/apis/identity/v1alpha1/zz_oidcrole_types.go index 7d6858d5..9698a2c5 100755 --- a/apis/identity/v1alpha1/zz_oidcrole_types.go +++ b/apis/identity/v1alpha1/zz_oidcrole_types.go @@ -23,8 +23,18 @@ type OidcRoleInitParameters struct { // A configured named key, the key must already exist // before tokens can be issued. // A configured named key, the key must already exist. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/identity/v1alpha1.OidcKey + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("name",false) Key *string `json:"key,omitempty" tf:"key,omitempty"` + // Reference to a OidcKey in identity to populate key. + // +kubebuilder:validation:Optional + KeyRef *v1.Reference `json:"keyRef,omitempty" tf:"-"` + + // Selector for a OidcKey in identity to populate key. + // +kubebuilder:validation:Optional + KeySelector *v1.Selector `json:"keySelector,omitempty" tf:"-"` + // Name of the OIDC Role to create. // Name of the role. Name *string `json:"name,omitempty" tf:"name,omitempty"` 
@@ -97,9 +107,19 @@ type OidcRoleParameters struct { // A configured named key, the key must already exist // before tokens can be issued. // A configured named key, the key must already exist. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/identity/v1alpha1.OidcKey + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("name",false) // +kubebuilder:validation:Optional Key *string `json:"key,omitempty" tf:"key,omitempty"` + // Reference to a OidcKey in identity to populate key. + // +kubebuilder:validation:Optional + KeyRef *v1.Reference `json:"keyRef,omitempty" tf:"-"` + + // Selector for a OidcKey in identity to populate key. + // +kubebuilder:validation:Optional + KeySelector *v1.Selector `json:"keySelector,omitempty" tf:"-"` + // Name of the OIDC Role to create. // Name of the role. // +kubebuilder:validation:Optional @@ -131,9 +151,8 @@ type OidcRoleParameters struct { type OidcRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider OidcRoleParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -152,19 +171,19 @@ type OidcRoleStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // OidcRole is the Schema for the OidcRoles API. Creates an Identity OIDC Role for Vault -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type OidcRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.key) || has(self.initProvider.key)",message="key is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" Spec OidcRoleSpec `json:"spec"` Status OidcRoleStatus `json:"status,omitempty"` } 
diff --git a/apis/identity/v1alpha1/zz_oidcscope_terraformed.go b/apis/identity/v1alpha1/zz_oidcscope_terraformed.go
new file mode 100755
index 00000000..8a4b9c3e
--- /dev/null
+++ b/apis/identity/v1alpha1/zz_oidcscope_terraformed.go
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this OidcScope +func (mg *OidcScope) GetTerraformResourceType() string { + return "vault_identity_oidc_scope" +} + +// GetConnectionDetailsMapping for this OidcScope +func (tr *OidcScope) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this OidcScope +func (tr *OidcScope) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this OidcScope +func (tr *OidcScope) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this OidcScope +func (tr *OidcScope) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this OidcScope +func (tr *OidcScope) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this OidcScope +func (tr *OidcScope) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this OidcScope +func (tr *OidcScope) GetInitParameters() (map[string]any, error) { + p, err := 
json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this OidcScope +func (tr *OidcScope) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this OidcScope using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *OidcScope) LateInitialize(attrs []byte) (bool, error) { + params := &OidcScopeParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *OidcScope) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/identity/v1alpha1/zz_oidcscope_types.go b/apis/identity/v1alpha1/zz_oidcscope_types.go index 5fb91c5c..0cd3587e 100755 --- a/apis/identity/v1alpha1/zz_oidcscope_types.go +++ b/apis/identity/v1alpha1/zz_oidcscope_types.go @@ -89,9 +89,8 @@ type OidcScopeParameters struct { type OidcScopeSpec struct { v1.ResourceSpec `json:",inline"` ForProvider OidcScopeParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -110,18 +109,19 @@ type OidcScopeStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // OidcScope is the Schema for the OidcScopes API. Provision OIDC Scopes in Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type OidcScope struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" Spec OidcScopeSpec `json:"spec"` Status OidcScopeStatus `json:"status,omitempty"` } diff --git a/apis/jwt/v1alpha1/zz_authbackend_terraformed.go b/apis/jwt/v1alpha1/zz_authbackend_terraformed.go new file mode 100755 index 00000000..3a103c88 --- /dev/null +++ b/apis/jwt/v1alpha1/zz_authbackend_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this AuthBackend +func (mg *AuthBackend) GetTerraformResourceType() string { + return "vault_jwt_auth_backend" +} + +// GetConnectionDetailsMapping for this AuthBackend +func (tr *AuthBackend) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"oidc_client_secret": "oidcClientSecretSecretRef"} +} + +// GetObservation of this AuthBackend +func (tr *AuthBackend) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this AuthBackend +func (tr *AuthBackend) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this AuthBackend +func (tr *AuthBackend) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this AuthBackend +func (tr *AuthBackend) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this AuthBackend +func (tr *AuthBackend) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this AuthBackend +func (tr *AuthBackend) 
GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this AuthBackend +func (tr *AuthBackend) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this AuthBackend using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *AuthBackend) LateInitialize(attrs []byte) (bool, error) { + params := &AuthBackendParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *AuthBackend) GetTerraformSchemaVersion() int { + return 1 +} diff --git a/apis/jwt/v1alpha1/zz_authbackend_types.go b/apis/jwt/v1alpha1/zz_authbackend_types.go index 9cc9cf99..75e5241c 100755 --- a/apis/jwt/v1alpha1/zz_authbackend_types.go +++ b/apis/jwt/v1alpha1/zz_authbackend_types.go @@ -67,6 +67,10 @@ type AuthBackendInitParameters struct { // Client ID used for OIDC OidcClientID *string `json:"oidcClientId,omitempty" tf:"oidc_client_id,omitempty"` + // Client Secret used for OIDC backends + // Client Secret used for OIDC + OidcClientSecretSecretRef *v1.SecretKeySelector `json:"oidcClientSecretSecretRef,omitempty" tf:"-"` + // The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used // The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used OidcDiscoveryCAPem *string `json:"oidcDiscoveryCaPem,omitempty" tf:"oidc_discovery_ca_pem,omitempty"` @@ -89,6 +93,7 @@ type AuthBackendInitParameters struct { // Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault. // Provider specific handling configuration + // +mapType=granular ProviderConfig map[string]*string `json:"providerConfig,omitempty" tf:"provider_config,omitempty"` Tune []TuneInitParameters `json:"tune,omitempty" tf:"tune,omitempty"` 
@@ -180,6 +185,7 @@ type AuthBackendObservation struct { // Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault. // Provider specific handling configuration + // +mapType=granular ProviderConfig map[string]*string `json:"providerConfig,omitempty" tf:"provider_config,omitempty"` Tune []TuneObservation `json:"tune,omitempty" tf:"tune,omitempty"` @@ -288,6 +294,7 @@ type AuthBackendParameters struct { // Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault. // Provider specific handling configuration // +kubebuilder:validation:Optional + // +mapType=granular ProviderConfig map[string]*string `json:"providerConfig,omitempty" tf:"provider_config,omitempty"` // +kubebuilder:validation:Optional @@ -422,9 +429,8 @@ type TuneParameters struct { type AuthBackendSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -443,13 +449,14 @@ type AuthBackendStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // AuthBackend is the Schema for the AuthBackends API. Managing JWT/OIDC auth backends in Vault -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type AuthBackend struct { metav1.TypeMeta `json:",inline"` diff --git a/apis/jwt/v1alpha1/zz_generated_terraformed.go b/apis/jwt/v1alpha1/zz_authbackendrole_terraformed.go similarity index 51% rename from apis/jwt/v1alpha1/zz_generated_terraformed.go rename to apis/jwt/v1alpha1/zz_authbackendrole_terraformed.go index cceba0d5..ad61d4b6 100755 --- a/apis/jwt/v1alpha1/zz_generated_terraformed.go +++ b/apis/jwt/v1alpha1/zz_authbackendrole_terraformed.go 
@@ -7,96 +7,13 @@ Copyright 2022 Upbound Inc. package v1alpha1 import ( + "dario.cat/mergo" "github.com/pkg/errors" - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" ) -// GetTerraformResourceType returns Terraform resource type for this AuthBackend -func (mg *AuthBackend) GetTerraformResourceType() string { - return "vault_jwt_auth_backend" -} - -// GetConnectionDetailsMapping for this AuthBackend -func (tr *AuthBackend) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"oidc_client_secret": "spec.forProvider.oidcClientSecretSecretRef"} -} - -// GetObservation of this AuthBackend -func (tr *AuthBackend) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this AuthBackend -func (tr *AuthBackend) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this AuthBackend -func (tr *AuthBackend) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this AuthBackend -func (tr *AuthBackend) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this AuthBackend -func (tr *AuthBackend) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of 
this AuthBackend -func (tr *AuthBackend) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this AuthBackend using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *AuthBackend) LateInitialize(attrs []byte) (bool, error) { - params := &AuthBackendParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *AuthBackend) GetTerraformSchemaVersion() int { - return 1 -} - // GetTerraformResourceType returns Terraform resource type for this AuthBackendRole func (mg *AuthBackendRole) GetTerraformResourceType() string { return "vault_jwt_auth_backend_role" 
@@ -163,6 +80,36 @@ func (tr *AuthBackendRole) GetInitParameters() (map[string]any, error) { return base, json.TFParser.Unmarshal(p, &base) } +// GetInitParameters of this AuthBackendRole +func (tr *AuthBackendRole) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + // LateInitialize this AuthBackendRole using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackendRole) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/jwt/v1alpha1/zz_authbackendrole_types.go b/apis/jwt/v1alpha1/zz_authbackendrole_types.go index 3c0a682b..cd8e6a72 100755 --- a/apis/jwt/v1alpha1/zz_authbackendrole_types.go +++ b/apis/jwt/v1alpha1/zz_authbackendrole_types.go 
@@ -18,23 +18,34 @@ type AuthBackendRoleInitParameters struct { // The list of allowed values for redirect_uri during OIDC logins. // Required for OIDC roles // The list of allowed values for redirect_uri during OIDC logins. + // +listType=set AllowedRedirectUris []*string `json:"allowedRedirectUris,omitempty" tf:"allowed_redirect_uris,omitempty"` // The unique name of the auth backend to configure. // Defaults to jwt. // Unique name of the auth backend to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/jwt/v1alpha1.AuthBackend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` - // (For "jwt" roles, at least one of bound_audiences, bound_subject, bound_claims - // or token_bound_cidrs is required. Optional for "oidc" roles.) List of aud claims to match against. - // Any match is sufficient. + // Reference to a AuthBackend in jwt to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a AuthBackend in jwt to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // List of aud claims to match against. Any match is sufficient. + // List of aud claims to match against. Any match is sufficient. + // +listType=set BoundAudiences []*string `json:"boundAudiences,omitempty" tf:"bound_audiences,omitempty"` // If set, a map of claims to values to match against. // A claim's value must be a string, which may contain one value or multiple // comma-separated values, e.g. "red" or "red,green,blue". // Map of claims/values to match against. The expected value may be a single string or a comma-separated string list. 
+ // +mapType=granular BoundClaims map[string]*string `json:"boundClaims,omitempty" tf:"bound_claims,omitempty"` // How to interpret values in the claims/values @@ -51,6 +62,7 @@ type AuthBackendRoleInitParameters struct { // If set, a map of claims (keys) to be copied // to specified metadata fields (values). // Map of claims (keys) to be copied to specified metadata fields (values). + // +mapType=granular ClaimMappings map[string]*string `json:"claimMappings,omitempty" tf:"claim_mappings,omitempty"` // The amount of leeway to add to all claims to account for clock skew, in @@ -63,9 +75,9 @@ type AuthBackendRoleInitParameters struct { DisableBoundClaimsParsing *bool `json:"disableBoundClaimsParsing,omitempty" tf:"disable_bound_claims_parsing,omitempty"` // The amount of leeway to add to expiration (exp) claims to account for - // clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + // clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. // Only applicable with "jwt" roles. - // The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. + // The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. ExpirationLeeway *float64 `json:"expirationLeeway,omitempty" tf:"expiration_leeway,omitempty"` // The claim to use to uniquely identify 
@@ -88,7 +100,7 @@ type AuthBackendRoleInitParameters struct { Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` // The amount of leeway to add to not before (nbf) claims to account for - // clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + // clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. // Only applicable with "jwt" roles. // The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. NotBeforeLeeway *float64 `json:"notBeforeLeeway,omitempty" tf:"not_before_leeway,omitempty"` @@ -96,6 +108,7 @@ type AuthBackendRoleInitParameters struct { // If set, a list of OIDC scopes to be used with an OIDC role. // The standard scope "openid" is automatically included and need not be specified. // List of OIDC scopes to be used with an OIDC role. The standard scope "openid" is automatically included and need not be specified. + // +listType=set OidcScopes []*string `json:"oidcScopes,omitempty" tf:"oidc_scopes,omitempty"` // The name of the role. @@ -110,6 +123,7 @@ type AuthBackendRoleInitParameters struct { // addresses which can authenticate successfully, and ties the resulting token to these blocks // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // If set, will encode an 
@@ -144,6 +158,7 @@ type AuthBackendRoleInitParameters struct { // List of policies to encode onto generated tokens. Depending // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The incremental lifetime for generated tokens in number of seconds. @@ -184,6 +199,7 @@ type AuthBackendRoleObservation struct { // The list of allowed values for redirect_uri during OIDC logins. // Required for OIDC roles // The list of allowed values for redirect_uri during OIDC logins. + // +listType=set AllowedRedirectUris []*string `json:"allowedRedirectUris,omitempty" tf:"allowed_redirect_uris,omitempty"` // The unique name of the auth backend to configure. @@ -191,16 +207,16 @@ type AuthBackendRoleObservation struct { // Unique name of the auth backend to configure. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` - // (For "jwt" roles, at least one of bound_audiences, bound_subject, bound_claims - // or token_bound_cidrs is required. Optional for "oidc" roles.) List of aud claims to match against. - // Any match is sufficient. // List of aud claims to match against. Any match is sufficient. + // List of aud claims to match against. Any match is sufficient. + // +listType=set BoundAudiences []*string `json:"boundAudiences,omitempty" tf:"bound_audiences,omitempty"` // If set, a map of claims to values to match against. // A claim's value must be a string, which may contain one value or multiple // comma-separated values, e.g. "red" or "red,green,blue". // Map of claims/values to match against. The expected value may be a single string or a comma-separated string list. + // +mapType=granular BoundClaims map[string]*string `json:"boundClaims,omitempty" tf:"bound_claims,omitempty"` // How to interpret values in the claims/values 
@@ -217,6 +233,7 @@ type AuthBackendRoleObservation struct { // If set, a map of claims (keys) to be copied // to specified metadata fields (values). // Map of claims (keys) to be copied to specified metadata fields (values). + // +mapType=granular ClaimMappings map[string]*string `json:"claimMappings,omitempty" tf:"claim_mappings,omitempty"` // The amount of leeway to add to all claims to account for clock skew, in @@ -229,9 +246,9 @@ type AuthBackendRoleObservation struct { DisableBoundClaimsParsing *bool `json:"disableBoundClaimsParsing,omitempty" tf:"disable_bound_claims_parsing,omitempty"` // The amount of leeway to add to expiration (exp) claims to account for - // clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + // clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. // Only applicable with "jwt" roles. - // The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. + // The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. ExpirationLeeway *float64 `json:"expirationLeeway,omitempty" tf:"expiration_leeway,omitempty"` // The claim to use to uniquely identify 
@@ -256,7 +273,7 @@ type AuthBackendRoleObservation struct { Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` // The amount of leeway to add to not before (nbf) claims to account for - // clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + // clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. // Only applicable with "jwt" roles. // The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. NotBeforeLeeway *float64 `json:"notBeforeLeeway,omitempty" tf:"not_before_leeway,omitempty"` @@ -264,6 +281,7 @@ type AuthBackendRoleObservation struct { // If set, a list of OIDC scopes to be used with an OIDC role. // The standard scope "openid" is automatically included and need not be specified. // List of OIDC scopes to be used with an OIDC role. The standard scope "openid" is automatically included and need not be specified. + // +listType=set OidcScopes []*string `json:"oidcScopes,omitempty" tf:"oidc_scopes,omitempty"` // The name of the role. @@ -278,6 +296,7 @@ type AuthBackendRoleObservation struct { // addresses which can authenticate successfully, and ties the resulting token to these blocks // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // If set, will encode an 
@@ -312,6 +331,7 @@ type AuthBackendRoleObservation struct { // List of policies to encode onto generated tokens. Depending // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The incremental lifetime for generated tokens in number of seconds. 
@@ -353,19 +373,29 @@ type AuthBackendRoleParameters struct { // Required for OIDC roles // The list of allowed values for redirect_uri during OIDC logins. // +kubebuilder:validation:Optional + // +listType=set AllowedRedirectUris []*string `json:"allowedRedirectUris,omitempty" tf:"allowed_redirect_uris,omitempty"` // The unique name of the auth backend to configure. // Defaults to jwt. // Unique name of the auth backend to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/jwt/v1alpha1.AuthBackend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` - // (For "jwt" roles, at least one of bound_audiences, bound_subject, bound_claims - // or token_bound_cidrs is required. Optional for "oidc" roles.) List of aud claims to match against. - // Any match is sufficient. + // Reference to a AuthBackend in jwt to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a AuthBackend in jwt to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + + // List of aud claims to match against. Any match is sufficient. // List of aud claims to match against. Any match is sufficient. // +kubebuilder:validation:Optional + // +listType=set BoundAudiences []*string `json:"boundAudiences,omitempty" tf:"bound_audiences,omitempty"` // If set, a map of claims to values to match against. 
@@ -373,6 +403,7 @@ type AuthBackendRoleParameters struct { // comma-separated values, e.g. "red" or "red,green,blue". // Map of claims/values to match against. The expected value may be a single string or a comma-separated string list. // +kubebuilder:validation:Optional + // +mapType=granular BoundClaims map[string]*string `json:"boundClaims,omitempty" tf:"bound_claims,omitempty"` // How to interpret values in the claims/values @@ -392,6 +423,7 @@ type AuthBackendRoleParameters struct { // to specified metadata fields (values). // Map of claims (keys) to be copied to specified metadata fields (values). // +kubebuilder:validation:Optional + // +mapType=granular ClaimMappings map[string]*string `json:"claimMappings,omitempty" tf:"claim_mappings,omitempty"` // The amount of leeway to add to all claims to account for clock skew, in @@ -406,9 +438,9 @@ type AuthBackendRoleParameters struct { DisableBoundClaimsParsing *bool `json:"disableBoundClaimsParsing,omitempty" tf:"disable_bound_claims_parsing,omitempty"` // The amount of leeway to add to expiration (exp) claims to account for - // clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + // clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. // Only applicable with "jwt" roles. - // The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. + // The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. // +kubebuilder:validation:Optional ExpirationLeeway *float64 `json:"expirationLeeway,omitempty" tf:"expiration_leeway,omitempty"` 
@@ -435,7 +467,7 @@ type AuthBackendRoleParameters struct { Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` // The amount of leeway to add to not before (nbf) claims to account for - // clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + // clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. // Only applicable with "jwt" roles. // The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. // +kubebuilder:validation:Optional @@ -445,6 +477,7 @@ type AuthBackendRoleParameters struct { // The standard scope "openid" is automatically included and need not be specified. // List of OIDC scopes to be used with an OIDC role. The standard scope "openid" is automatically included and need not be specified. // +kubebuilder:validation:Optional + // +listType=set OidcScopes []*string `json:"oidcScopes,omitempty" tf:"oidc_scopes,omitempty"` // The name of the role. @@ -462,6 +495,7 @@ type AuthBackendRoleParameters struct { // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token // +kubebuilder:validation:Optional + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // If set, will encode an @@ -502,6 +536,7 @@ type AuthBackendRoleParameters struct { // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies // +kubebuilder:validation:Optional + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The incremental lifetime for generated tokens in number of seconds. 
@@ -546,9 +581,8 @@ type AuthBackendRoleParameters struct { type AuthBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendRoleParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -567,19 +601,20 @@ type AuthBackendRoleStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // AuthBackendRole is the Schema for the AuthBackendRoles API. Manages JWT/OIDC auth backend roles in Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type AuthBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.roleName) || has(self.initProvider.roleName)",message="roleName is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.userClaim) || has(self.initProvider.userClaim)",message="userClaim is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.roleName) || (has(self.initProvider) && has(self.initProvider.roleName))",message="spec.forProvider.roleName is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 
'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.userClaim) || (has(self.initProvider) && has(self.initProvider.userClaim))",message="spec.forProvider.userClaim is a required parameter" Spec AuthBackendRoleSpec `json:"spec"` Status AuthBackendRoleStatus `json:"status,omitempty"` } diff --git a/apis/jwt/v1alpha1/zz_generated.conversion_hubs.go b/apis/jwt/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..720e893f --- /dev/null +++ b/apis/jwt/v1alpha1/zz_generated.conversion_hubs.go @@ -0,0 +1,13 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *AuthBackend) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *AuthBackendRole) Hub() {} diff --git a/apis/jwt/v1alpha1/zz_generated.deepcopy.go b/apis/jwt/v1alpha1/zz_generated.deepcopy.go index a46c37db..39a538c4 100644 --- a/apis/jwt/v1alpha1/zz_generated.deepcopy.go +++ b/apis/jwt/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. @@ -116,6 +115,11 @@ func (in *AuthBackendInitParameters) DeepCopyInto(out *AuthBackendInitParameters *out = new(string) **out = **in } + if in.OidcClientSecretSecretRef != nil { + in, out := &in.OidcClientSecretSecretRef, &out.OidcClientSecretSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.OidcDiscoveryCAPem != nil { in, out := &in.OidcDiscoveryCAPem, &out.OidcDiscoveryCAPem *out = new(string) @@ -155,7 +159,8 @@ func (in *AuthBackendInitParameters) DeepCopyInto(out *AuthBackendInitParameters if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } 
@@ -342,7 +347,8 @@ func (in *AuthBackendObservation) DeepCopyInto(out *AuthBackendObservation) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -492,7 +498,8 @@ func (in *AuthBackendParameters) DeepCopyInto(out *AuthBackendParameters) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -569,6 +576,16 @@ func (in *AuthBackendRoleInitParameters) DeepCopyInto(out *AuthBackendRoleInitPa *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.BoundAudiences != nil { in, out := &in.BoundAudiences, &out.BoundAudiences *out = make([]*string, len(*in)) @@ -588,7 +605,8 @@ func (in *AuthBackendRoleInitParameters) DeepCopyInto(out *AuthBackendRoleInitPa if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -613,7 +631,8 @@ func (in *AuthBackendRoleInitParameters) DeepCopyInto(out *AuthBackendRoleInitPa if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -830,7 +849,8 @@ func (in *AuthBackendRoleObservation) DeepCopyInto(out *AuthBackendRoleObservati if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } 
@@ -855,7 +875,8 @@ func (in *AuthBackendRoleObservation) DeepCopyInto(out *AuthBackendRoleObservati if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -1026,6 +1047,16 @@ func (in *AuthBackendRoleParameters) DeepCopyInto(out *AuthBackendRoleParameters *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.BoundAudiences != nil { in, out := &in.BoundAudiences, &out.BoundAudiences *out = make([]*string, len(*in)) @@ -1045,7 +1076,8 @@ func (in *AuthBackendRoleParameters) DeepCopyInto(out *AuthBackendRoleParameters if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -1070,7 +1102,8 @@ func (in *AuthBackendRoleParameters) DeepCopyInto(out *AuthBackendRoleParameters if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } diff --git a/apis/jwt/v1alpha1/zz_generated.managed.go b/apis/jwt/v1alpha1/zz_generated.managed.go index 3f2960fc..99c794ab 100644 --- a/apis/jwt/v1alpha1/zz_generated.managed.go +++ b/apis/jwt/v1alpha1/zz_generated.managed.go 
@@ -27,14 +27,6 @@ func (mg *AuthBackend) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this AuthBackend. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *AuthBackend) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this AuthBackend. func (mg *AuthBackend) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -65,14 +57,6 @@ func (mg *AuthBackend) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this AuthBackend. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *AuthBackend) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this AuthBackend. func (mg *AuthBackend) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -103,14 +87,6 @@ func (mg *AuthBackendRole) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this AuthBackendRole. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *AuthBackendRole) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this AuthBackendRole. func (mg *AuthBackendRole) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -141,14 +117,6 @@ func (mg *AuthBackendRole) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this AuthBackendRole. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *AuthBackendRole) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this AuthBackendRole. func (mg *AuthBackendRole) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/jwt/v1alpha1/zz_generated.resolvers.go b/apis/jwt/v1alpha1/zz_generated.resolvers.go new file mode 100644 index 00000000..bb24a64c --- /dev/null +++ b/apis/jwt/v1alpha1/zz_generated.resolvers.go 
@@ -0,0 +1,56 @@ +/* +Copyright 2022 Upbound Inc. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + reference "github.com/crossplane/crossplane-runtime/pkg/reference" + resource "github.com/crossplane/upjet/pkg/resource" + errors "github.com/pkg/errors" + client "sigs.k8s.io/controller-runtime/pkg/client" +) + +// ResolveReferences of this AuthBackendRole. +func (mg *AuthBackendRole) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &AuthBackendList{}, + Managed: &AuthBackend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &AuthBackendList{}, + Managed: &AuthBackend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} diff --git a/apis/kmip/v1alpha1/zz_generated.conversion_hubs.go b/apis/kmip/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..23a47463 --- /dev/null +++ b/apis/kmip/v1alpha1/zz_generated.conversion_hubs.go 
@@ -0,0 +1,16 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *SecretBackend) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SecretRole) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SecretScope) Hub() {} diff --git a/apis/kmip/v1alpha1/zz_generated.deepcopy.go b/apis/kmip/v1alpha1/zz_generated.deepcopy.go index b767e773..d7eabdfb 100644 --- a/apis/kmip/v1alpha1/zz_generated.deepcopy.go +++ b/apis/kmip/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. @@ -10,6 +9,7 @@ Copyright 2022 Upbound Inc. package v1alpha1 import ( + "github.com/crossplane/crossplane-runtime/apis/common/v1" runtime "k8s.io/apimachinery/pkg/runtime" ) @@ -516,6 +516,16 @@ func (in *SecretRoleInitParameters) DeepCopyInto(out *SecretRoleInitParameters) *out = new(string) **out = **in } + if in.PathRef != nil { + in, out := &in.PathRef, &out.PathRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.PathSelector != nil { + in, out := &in.PathSelector, &out.PathSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Role != nil { in, out := &in.Role, &out.Role *out = new(string) @@ -526,6 +536,16 @@ func (in *SecretRoleInitParameters) DeepCopyInto(out *SecretRoleInitParameters) *out = new(string) **out = **in } + if in.ScopeRef != nil { + in, out := &in.ScopeRef, &out.ScopeRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.ScopeSelector != nil { + in, out := &in.ScopeSelector, &out.ScopeSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.TLSClientKeyBits != nil { in, out := &in.TLSClientKeyBits, &out.TLSClientKeyBits *out = new(float64) 
@@ -793,6 +813,16 @@ func (in *SecretRoleParameters) DeepCopyInto(out *SecretRoleParameters) { *out = new(string) **out = **in } + if in.PathRef != nil { + in, out := &in.PathRef, &out.PathRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.PathSelector != nil { + in, out := &in.PathSelector, &out.PathSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Role != nil { in, out := &in.Role, &out.Role *out = new(string) @@ -803,6 +833,16 @@ func (in *SecretRoleParameters) DeepCopyInto(out *SecretRoleParameters) { *out = new(string) **out = **in } + if in.ScopeRef != nil { + in, out := &in.ScopeRef, &out.ScopeRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.ScopeSelector != nil { + in, out := &in.ScopeSelector, &out.ScopeSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.TLSClientKeyBits != nil { in, out := &in.TLSClientKeyBits, &out.TLSClientKeyBits *out = new(float64) @@ -910,6 +950,16 @@ func (in *SecretScopeInitParameters) DeepCopyInto(out *SecretScopeInitParameters *out = new(string) **out = **in } + if in.PathRef != nil { + in, out := &in.PathRef, &out.PathRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.PathSelector != nil { + in, out := &in.PathSelector, &out.PathSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Scope != nil { in, out := &in.Scope, &out.Scope *out = new(string) @@ -1017,6 +1067,16 @@ func (in *SecretScopeParameters) DeepCopyInto(out *SecretScopeParameters) { *out = new(string) **out = **in } + if in.PathRef != nil { + in, out := &in.PathRef, &out.PathRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.PathSelector != nil { + in, out := &in.PathSelector, &out.PathSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Scope != nil { in, out := &in.Scope, &out.Scope *out = new(string) 
diff --git a/apis/kmip/v1alpha1/zz_generated.managed.go b/apis/kmip/v1alpha1/zz_generated.managed.go index fcadd298..3b19c34d 100644 --- a/apis/kmip/v1alpha1/zz_generated.managed.go +++ b/apis/kmip/v1alpha1/zz_generated.managed.go @@ -27,14 +27,6 @@ func (mg *SecretBackend) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretBackend. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretBackend) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretBackend. func (mg *SecretBackend) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -65,14 +57,6 @@ func (mg *SecretBackend) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretBackend. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretBackend) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretBackend. func (mg *SecretBackend) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -103,14 +87,6 @@ func (mg *SecretRole) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretRole. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretRole) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretRole. func (mg *SecretRole) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -141,14 +117,6 @@ func (mg *SecretRole) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretRole. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretRole) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretRole. func (mg *SecretRole) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -179,14 +147,6 @@ func (mg *SecretScope) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretScope. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretScope) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretScope. func (mg *SecretScope) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -217,14 +177,6 @@ func (mg *SecretScope) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretScope. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretScope) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretScope. func (mg *SecretScope) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/kmip/v1alpha1/zz_generated.resolvers.go b/apis/kmip/v1alpha1/zz_generated.resolvers.go new file mode 100644 index 00000000..1d0a9895 --- /dev/null +++ b/apis/kmip/v1alpha1/zz_generated.resolvers.go 
@@ -0,0 +1,130 @@ +/* +Copyright 2022 Upbound Inc. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + reference "github.com/crossplane/crossplane-runtime/pkg/reference" + resource "github.com/crossplane/upjet/pkg/resource" + errors "github.com/pkg/errors" + client "sigs.k8s.io/controller-runtime/pkg/client" +) + +// ResolveReferences of this SecretRole. +func (mg *SecretRole) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Path), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.PathRef, + Selector: mg.Spec.ForProvider.PathSelector, + To: reference.To{ + List: &SecretScopeList{}, + Managed: &SecretScope{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Path") + } + mg.Spec.ForProvider.Path = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.PathRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Scope), + Extract: resource.ExtractParamPath("scope", false), + Reference: mg.Spec.ForProvider.ScopeRef, + Selector: mg.Spec.ForProvider.ScopeSelector, + To: reference.To{ + List: &SecretScopeList{}, + Managed: &SecretScope{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Scope") + } + mg.Spec.ForProvider.Scope = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.ScopeRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Path), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.PathRef, + Selector: mg.Spec.InitProvider.PathSelector, + To: reference.To{ + List: 
&SecretScopeList{}, + Managed: &SecretScope{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Path") + } + mg.Spec.InitProvider.Path = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.PathRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Scope), + Extract: resource.ExtractParamPath("scope", false), + Reference: mg.Spec.InitProvider.ScopeRef, + Selector: mg.Spec.InitProvider.ScopeSelector, + To: reference.To{ + List: &SecretScopeList{}, + Managed: &SecretScope{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Scope") + } + mg.Spec.InitProvider.Scope = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.ScopeRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this SecretScope. +func (mg *SecretScope) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Path), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.PathRef, + Selector: mg.Spec.ForProvider.PathSelector, + To: reference.To{ + List: &SecretBackendList{}, + Managed: &SecretBackend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Path") + } + mg.Spec.ForProvider.Path = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.PathRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Path), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.PathRef, + Selector: mg.Spec.InitProvider.PathSelector, + To: reference.To{ + List: &SecretBackendList{}, + Managed: &SecretBackend{}, + }, + }) + if err != nil { 
+ return errors.Wrap(err, "mg.Spec.InitProvider.Path") + } + mg.Spec.InitProvider.Path = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.PathRef = rsp.ResolvedReference + + return nil +} diff --git a/apis/kmip/v1alpha1/zz_generated_terraformed.go b/apis/kmip/v1alpha1/zz_generated_terraformed.go deleted file mode 100755 index b8983457..00000000 --- a/apis/kmip/v1alpha1/zz_generated_terraformed.go +++ /dev/null 
@@ -1,266 +0,0 @@ -/* -Copyright 2022 Upbound Inc. -*/ - -// Code generated by upjet. DO NOT EDIT. - -package v1alpha1 - -import ( - "github.com/pkg/errors" - - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" -) - -// GetTerraformResourceType returns Terraform resource type for this SecretBackend -func (mg *SecretBackend) GetTerraformResourceType() string { - return "vault_kmip_secret_backend" -} - -// GetConnectionDetailsMapping for this SecretBackend -func (tr *SecretBackend) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this SecretBackend -func (tr *SecretBackend) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretBackend -func (tr *SecretBackend) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this SecretBackend -func (tr *SecretBackend) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this SecretBackend -func (tr *SecretBackend) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this SecretBackend -func (tr *SecretBackend) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this SecretBackend -func (tr *SecretBackend) GetInitParameters() (map[string]any, error) { - p, err 
:= json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this SecretBackend using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { - params := &SecretBackendParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretBackend) GetTerraformSchemaVersion() int { - return 1 -} - -// GetTerraformResourceType returns Terraform resource type for this SecretRole -func (mg *SecretRole) GetTerraformResourceType() string { - return "vault_kmip_secret_role" -} - -// GetConnectionDetailsMapping for this SecretRole -func (tr *SecretRole) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this SecretRole -func (tr *SecretRole) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretRole -func (tr *SecretRole) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this SecretRole -func (tr *SecretRole) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return 
*tr.Status.AtProvider.ID -} - -// GetParameters of this SecretRole -func (tr *SecretRole) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this SecretRole -func (tr *SecretRole) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this SecretRole -func (tr *SecretRole) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this SecretRole using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretRole) LateInitialize(attrs []byte) (bool, error) { - params := &SecretRoleParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretRole) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this SecretScope -func (mg *SecretScope) GetTerraformResourceType() string { - return "vault_kmip_secret_scope" -} - -// GetConnectionDetailsMapping for this SecretScope -func (tr *SecretScope) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this SecretScope -func (tr *SecretScope) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretScope -func (tr *SecretScope) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this SecretScope -func (tr *SecretScope) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this SecretScope -func (tr *SecretScope) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this SecretScope -func (tr *SecretScope) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this SecretScope -func (tr *SecretScope) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return 
nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this SecretScope using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretScope) LateInitialize(attrs []byte) (bool, error) { - params := &SecretScopeParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretScope) GetTerraformSchemaVersion() int { - return 0 -} diff --git a/apis/kmip/v1alpha1/zz_secretbackend_terraformed.go b/apis/kmip/v1alpha1/zz_secretbackend_terraformed.go new file mode 100755 index 00000000..e30448fd --- /dev/null +++ b/apis/kmip/v1alpha1/zz_secretbackend_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretBackend +func (mg *SecretBackend) GetTerraformResourceType() string { + return "vault_kmip_secret_backend" +} + +// GetConnectionDetailsMapping for this SecretBackend +func (tr *SecretBackend) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this SecretBackend +func (tr *SecretBackend) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretBackend +func (tr *SecretBackend) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretBackend +func (tr *SecretBackend) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretBackend +func (tr *SecretBackend) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretBackend +func (tr *SecretBackend) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this SecretBackend +func (tr *SecretBackend) GetInitParameters() 
(map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretBackend +func (tr *SecretBackend) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretBackend using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { + params := &SecretBackendParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretBackend) GetTerraformSchemaVersion() int { + return 1 +} diff --git a/apis/kmip/v1alpha1/zz_secretbackend_types.go b/apis/kmip/v1alpha1/zz_secretbackend_types.go index c2a6dd98..57246daa 100755 --- a/apis/kmip/v1alpha1/zz_secretbackend_types.go +++ b/apis/kmip/v1alpha1/zz_secretbackend_types.go @@ -37,6 +37,7 @@ type SecretBackendInitParameters struct { // Addresses the KMIP server should listen on (host:port). // Addresses the KMIP server should listen on (host:port) + // +listType=set ListenAddrs []*string `json:"listenAddrs,omitempty" tf:"listen_addrs,omitempty"` // The namespace to provision the resource in. @@ -53,10 +54,12 @@ type SecretBackendInitParameters struct { // Hostnames to include in the server's TLS certificate as SAN DNS names. The first will be used as the common name (CN). // Hostnames to include in the server's TLS certificate as SAN DNS names. The first will be used as the common name (CN) + // +listType=set ServerHostnames []*string `json:"serverHostnames,omitempty" tf:"server_hostnames,omitempty"` // IPs to include in the server's TLS certificate as SAN IP addresses. // IPs to include in the server's TLS certificate as SAN IP addresses + // +listType=set ServerIps []*string `json:"serverIps,omitempty" tf:"server_ips,omitempty"` // CA key bits, valid values depend on key type. @@ -98,6 +101,7 @@ type SecretBackendObservation struct { // Addresses the KMIP server should listen on (host:port). // Addresses the KMIP server should listen on (host:port) + // +listType=set ListenAddrs []*string `json:"listenAddrs,omitempty" tf:"listen_addrs,omitempty"` // The namespace to provision the resource in. 
@@ -114,10 +118,12 @@ type SecretBackendObservation struct { // Hostnames to include in the server's TLS certificate as SAN DNS names. The first will be used as the common name (CN). // Hostnames to include in the server's TLS certificate as SAN DNS names. The first will be used as the common name (CN) + // +listType=set ServerHostnames []*string `json:"serverHostnames,omitempty" tf:"server_hostnames,omitempty"` // IPs to include in the server's TLS certificate as SAN IP addresses. // IPs to include in the server's TLS certificate as SAN IP addresses + // +listType=set ServerIps []*string `json:"serverIps,omitempty" tf:"server_ips,omitempty"` // CA key bits, valid values depend on key type. @@ -163,6 +169,7 @@ type SecretBackendParameters struct { // Addresses the KMIP server should listen on (host:port). // Addresses the KMIP server should listen on (host:port) // +kubebuilder:validation:Optional + // +listType=set ListenAddrs []*string `json:"listenAddrs,omitempty" tf:"listen_addrs,omitempty"` // The namespace to provision the resource in. @@ -182,11 +189,13 @@ type SecretBackendParameters struct { // Hostnames to include in the server's TLS certificate as SAN DNS names. The first will be used as the common name (CN). // Hostnames to include in the server's TLS certificate as SAN DNS names. The first will be used as the common name (CN) // +kubebuilder:validation:Optional + // +listType=set ServerHostnames []*string `json:"serverHostnames,omitempty" tf:"server_hostnames,omitempty"` // IPs to include in the server's TLS certificate as SAN IP addresses. // IPs to include in the server's TLS certificate as SAN IP addresses // +kubebuilder:validation:Optional + // +listType=set ServerIps []*string `json:"serverIps,omitempty" tf:"server_ips,omitempty"` // CA key bits, valid values depend on key type. 
@@ -209,9 +218,8 @@ type SecretBackendParameters struct { type SecretBackendSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -230,18 +238,19 @@ type SecretBackendStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretBackend is the Schema for the SecretBackends API. Provision KMIP Secret backends in Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretBackend struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || has(self.initProvider.path)",message="path is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || (has(self.initProvider) && has(self.initProvider.path))",message="spec.forProvider.path is a required parameter" Spec SecretBackendSpec `json:"spec"` Status SecretBackendStatus `json:"status,omitempty"` } diff --git a/apis/kmip/v1alpha1/zz_secretrole_terraformed.go b/apis/kmip/v1alpha1/zz_secretrole_terraformed.go new file mode 100755 index 00000000..87b88648 --- /dev/null +++ b/apis/kmip/v1alpha1/zz_secretrole_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretRole +func (mg *SecretRole) GetTerraformResourceType() string { + return "vault_kmip_secret_role" +} + +// GetConnectionDetailsMapping for this SecretRole +func (tr *SecretRole) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this SecretRole +func (tr *SecretRole) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretRole +func (tr *SecretRole) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretRole +func (tr *SecretRole) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretRole +func (tr *SecretRole) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretRole +func (tr *SecretRole) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this SecretRole +func (tr *SecretRole) GetInitParameters() (map[string]any, error) { + p, err := 
json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretRole +func (tr *SecretRole) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretRole using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *SecretRole) LateInitialize(attrs []byte) (bool, error) { + params := &SecretRoleParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretRole) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/kmip/v1alpha1/zz_secretrole_types.go b/apis/kmip/v1alpha1/zz_secretrole_types.go index c236a537..f205a94a 100755 --- a/apis/kmip/v1alpha1/zz_secretrole_types.go +++ b/apis/kmip/v1alpha1/zz_secretrole_types.go 
@@ -81,16 +81,36 @@ type SecretRoleInitParameters struct { // The unique path this backend should be mounted at. Must // not begin or end with a /. Defaults to kmip. // Path where KMIP backend is mounted + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/kmip/v1alpha1.SecretScope + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Reference to a SecretScope in kmip to populate path. + // +kubebuilder:validation:Optional + PathRef *v1.Reference `json:"pathRef,omitempty" tf:"-"` + + // Selector for a SecretScope in kmip to populate path. + // +kubebuilder:validation:Optional + PathSelector *v1.Selector `json:"pathSelector,omitempty" tf:"-"` + // Name of the role. // Name of the role Role *string `json:"role,omitempty" tf:"role,omitempty"` // Name of the scope. // Name of the scope + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/kmip/v1alpha1.SecretScope + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("scope",false) Scope *string `json:"scope,omitempty" tf:"scope,omitempty"` + // Reference to a SecretScope in kmip to populate scope. + // +kubebuilder:validation:Optional + ScopeRef *v1.Reference `json:"scopeRef,omitempty" tf:"-"` + + // Selector for a SecretScope in kmip to populate scope. + // +kubebuilder:validation:Optional + ScopeSelector *v1.Selector `json:"scopeSelector,omitempty" tf:"-"` + // Client certificate key bits, valid values depend on key type. // Client certificate key bits, valid values depend on key type TLSClientKeyBits *float64 `json:"tlsClientKeyBits,omitempty" tf:"tls_client_key_bits,omitempty"` 
@@ -279,9 +299,19 @@ type SecretRoleParameters struct { // The unique path this backend should be mounted at. Must // not begin or end with a /. Defaults to kmip. // Path where KMIP backend is mounted + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/kmip/v1alpha1.SecretScope + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Reference to a SecretScope in kmip to populate path. + // +kubebuilder:validation:Optional + PathRef *v1.Reference `json:"pathRef,omitempty" tf:"-"` + + // Selector for a SecretScope in kmip to populate path. + // +kubebuilder:validation:Optional + PathSelector *v1.Selector `json:"pathSelector,omitempty" tf:"-"` + // Name of the role. // Name of the role // +kubebuilder:validation:Optional @@ -289,9 +319,19 @@ type SecretRoleParameters struct { // Name of the scope. // Name of the scope + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/kmip/v1alpha1.SecretScope + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("scope",false) // +kubebuilder:validation:Optional Scope *string `json:"scope,omitempty" tf:"scope,omitempty"` + // Reference to a SecretScope in kmip to populate scope. + // +kubebuilder:validation:Optional + ScopeRef *v1.Reference `json:"scopeRef,omitempty" tf:"-"` + + // Selector for a SecretScope in kmip to populate scope. + // +kubebuilder:validation:Optional + ScopeSelector *v1.Selector `json:"scopeSelector,omitempty" tf:"-"` + // Client certificate key bits, valid values depend on key type. // Client certificate key bits, valid values depend on key type // +kubebuilder:validation:Optional 
@@ -312,9 +352,8 @@ type SecretRoleParameters struct { type SecretRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretRoleParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -333,20 +372,19 @@ type SecretRoleStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretRole is the Schema for the SecretRoles API. Provision KMIP Secret roles in Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || has(self.initProvider.path)",message="path is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.role) || has(self.initProvider.role)",message="role is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.scope) || has(self.initProvider.scope)",message="scope is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.role) || 
(has(self.initProvider) && has(self.initProvider.role))",message="spec.forProvider.role is a required parameter" Spec SecretRoleSpec `json:"spec"` Status SecretRoleStatus `json:"status,omitempty"` } diff --git a/apis/kmip/v1alpha1/zz_secretscope_terraformed.go b/apis/kmip/v1alpha1/zz_secretscope_terraformed.go new file mode 100755 index 00000000..cc8748eb --- /dev/null +++ b/apis/kmip/v1alpha1/zz_secretscope_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretScope +func (mg *SecretScope) GetTerraformResourceType() string { + return "vault_kmip_secret_scope" +} + +// GetConnectionDetailsMapping for this SecretScope +func (tr *SecretScope) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this SecretScope +func (tr *SecretScope) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretScope +func (tr *SecretScope) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretScope +func (tr *SecretScope) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretScope +func (tr *SecretScope) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretScope +func (tr *SecretScope) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this SecretScope +func (tr *SecretScope) GetInitParameters() (map[string]any, error) { + p, err := 
json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretScope +func (tr *SecretScope) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretScope using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *SecretScope) LateInitialize(attrs []byte) (bool, error) { + params := &SecretScopeParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretScope) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/kmip/v1alpha1/zz_secretscope_types.go b/apis/kmip/v1alpha1/zz_secretscope_types.go index ea19537f..85e7f102 100755 --- a/apis/kmip/v1alpha1/zz_secretscope_types.go +++ b/apis/kmip/v1alpha1/zz_secretscope_types.go @@ -29,8 +29,18 @@ type SecretScopeInitParameters struct { // The unique path this backend should be mounted at. Must // not begin or end with a /. Defaults to kmip. // Path where KMIP backend is mounted + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/kmip/v1alpha1.SecretBackend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Reference to a SecretBackend in kmip to populate path. + // +kubebuilder:validation:Optional + PathRef *v1.Reference `json:"pathRef,omitempty" tf:"-"` + + // Selector for a SecretBackend in kmip to populate path. + // +kubebuilder:validation:Optional + PathSelector *v1.Selector `json:"pathSelector,omitempty" tf:"-"` + // Name of the scope. // Name of the scope Scope *string `json:"scope,omitempty" tf:"scope,omitempty"` 
@@ -79,9 +89,19 @@ type SecretScopeParameters struct { // The unique path this backend should be mounted at. Must // not begin or end with a /. Defaults to kmip. // Path where KMIP backend is mounted + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/kmip/v1alpha1.SecretBackend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Reference to a SecretBackend in kmip to populate path. + // +kubebuilder:validation:Optional + PathRef *v1.Reference `json:"pathRef,omitempty" tf:"-"` + + // Selector for a SecretBackend in kmip to populate path. + // +kubebuilder:validation:Optional + PathSelector *v1.Selector `json:"pathSelector,omitempty" tf:"-"` + // Name of the scope. // Name of the scope // +kubebuilder:validation:Optional @@ -92,9 +112,8 @@ type SecretScopeParameters struct { type SecretScopeSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretScopeParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -113,19 +132,19 @@ type SecretScopeStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretScope is the Schema for the SecretScopes API. Provision KMIP Secret scopes in Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretScope struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || has(self.initProvider.path)",message="path is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.scope) || has(self.initProvider.scope)",message="scope is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.scope) || (has(self.initProvider) && has(self.initProvider.scope))",message="spec.forProvider.scope is a required parameter" Spec SecretScopeSpec `json:"spec"` Status SecretScopeStatus `json:"status,omitempty"` } 
diff --git a/apis/kubernetes/v1alpha1/zz_authbackendconfig_terraformed.go b/apis/kubernetes/v1alpha1/zz_authbackendconfig_terraformed.go new file mode 100755 index 00000000..cab90066 --- /dev/null +++ b/apis/kubernetes/v1alpha1/zz_authbackendconfig_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this AuthBackendConfig +func (mg *AuthBackendConfig) GetTerraformResourceType() string { + return "vault_kubernetes_auth_backend_config" +} + +// GetConnectionDetailsMapping for this AuthBackendConfig +func (tr *AuthBackendConfig) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"token_reviewer_jwt": "tokenReviewerJwtSecretRef"} +} + +// GetObservation of this AuthBackendConfig +func (tr *AuthBackendConfig) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this AuthBackendConfig +func (tr *AuthBackendConfig) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this AuthBackendConfig +func (tr *AuthBackendConfig) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this AuthBackendConfig +func (tr *AuthBackendConfig) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this AuthBackendConfig +func (tr *AuthBackendConfig) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return 
json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this AuthBackendConfig +func (tr *AuthBackendConfig) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this AuthBackendConfig +func (tr *AuthBackendConfig) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this AuthBackendConfig using its observed tfState. +// returns True if there are any spec changes for the resource. 
+func (tr *AuthBackendConfig) LateInitialize(attrs []byte) (bool, error) { + params := &AuthBackendConfigParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *AuthBackendConfig) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/kubernetes/v1alpha1/zz_authbackendconfig_types.go b/apis/kubernetes/v1alpha1/zz_authbackendconfig_types.go index b582c09f..02a06622 100755 --- a/apis/kubernetes/v1alpha1/zz_authbackendconfig_types.go +++ b/apis/kubernetes/v1alpha1/zz_authbackendconfig_types.go 
@@ -16,8 +16,18 @@ import ( type AuthBackendConfigInitParameters struct { // Unique name of the kubernetes backend to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+ // Optional disable JWT issuer validation. Allows to skip ISS validation. DisableIssValidation *bool `json:"disableIssValidation,omitempty" tf:"disable_iss_validation,omitempty"` 
@@ -48,6 +58,10 @@ type AuthBackendConfigInitParameters struct { // List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. // Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. PemKeys []*string `json:"pemKeys,omitempty" tf:"pem_keys,omitempty"` + + // A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API. + // A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API. + TokenReviewerJwtSecretRef *v1.SecretKeySelector `json:"tokenReviewerJwtSecretRef,omitempty" tf:"-"` } type AuthBackendConfigObservation struct { 
@@ -92,9 +106,19 @@ type AuthBackendConfigObservation struct { type AuthBackendConfigParameters struct { // Unique name of the kubernetes backend to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+ // Optional disable JWT issuer validation. Allows to skip ISS validation. // +kubebuilder:validation:Optional @@ -143,9 +167,8 @@ type AuthBackendConfigParameters struct { type AuthBackendConfigSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendConfigParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -164,18 +187,19 @@ type AuthBackendConfigStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // AuthBackendConfig is the Schema for the AuthBackendConfigs API. Manages Kubernetes auth backend configs in Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type AuthBackendConfig struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.kubernetesHost) || has(self.initProvider.kubernetesHost)",message="kubernetesHost is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.kubernetesHost) || (has(self.initProvider) && has(self.initProvider.kubernetesHost))",message="spec.forProvider.kubernetesHost is a required parameter" Spec AuthBackendConfigSpec `json:"spec"` Status AuthBackendConfigStatus `json:"status,omitempty"` } diff --git a/apis/kubernetes/v1alpha1/zz_authbackendrole_terraformed.go b/apis/kubernetes/v1alpha1/zz_authbackendrole_terraformed.go new file mode 100755 index 00000000..d5b888a7 --- /dev/null 
+++ b/apis/kubernetes/v1alpha1/zz_authbackendrole_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this AuthBackendRole +func (mg *AuthBackendRole) GetTerraformResourceType() string { + return "vault_kubernetes_auth_backend_role" +} + +// GetConnectionDetailsMapping for this AuthBackendRole +func (tr *AuthBackendRole) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this AuthBackendRole +func (tr *AuthBackendRole) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this AuthBackendRole +func (tr *AuthBackendRole) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this AuthBackendRole +func (tr *AuthBackendRole) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this AuthBackendRole +func (tr *AuthBackendRole) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this AuthBackendRole +func (tr *AuthBackendRole) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this AuthBackendRole +func (tr 
*AuthBackendRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this AuthBackendRole +func (tr *AuthBackendRole) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this AuthBackendRole using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *AuthBackendRole) LateInitialize(attrs []byte) (bool, error) { + params := &AuthBackendRoleParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *AuthBackendRole) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/kubernetes/v1alpha1/zz_authbackendrole_types.go b/apis/kubernetes/v1alpha1/zz_authbackendrole_types.go index 641ee907..b3b01022 100755 --- a/apis/kubernetes/v1alpha1/zz_authbackendrole_types.go +++ b/apis/kubernetes/v1alpha1/zz_authbackendrole_types.go 
@@ -26,14 +26,26 @@ type AuthBackendRoleInitParameters struct { // Unique name of the kubernetes backend to configure. // Unique name of the kubernetes backend to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // List of service account names able to access this role. If set to ["*"] all names are allowed, both this and bound_service_account_namespaces can not be "*". // List of service account names able to access this role. If set to `["*"]` all names are allowed, both this and bound_service_account_namespaces can not be "*". + // +listType=set BoundServiceAccountNames []*string `json:"boundServiceAccountNames,omitempty" tf:"bound_service_account_names,omitempty"` // List of namespaces allowed to access this role. If set to ["*"] all namespaces are allowed, both this and bound_service_account_names can not be set to "*". // List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed, both this and bound_service_account_names can not be set to "*". + // +listType=set BoundServiceAccountNamespaces []*string `json:"boundServiceAccountNamespaces,omitempty" tf:"bound_service_account_namespaces,omitempty"` // The namespace to provision the resource in. 
@@ -51,6 +63,7 @@ type AuthBackendRoleInitParameters struct { // addresses which can authenticate successfully, and ties the resulting token to these blocks // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // If set, will encode an @@ -85,6 +98,7 @@ type AuthBackendRoleInitParameters struct { // List of policies to encode onto generated tokens. Depending // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The initial ttl of the token to generate in seconds @@ -116,10 +130,12 @@ type AuthBackendRoleObservation struct { // List of service account names able to access this role. If set to ["*"] all names are allowed, both this and bound_service_account_namespaces can not be "*". // List of service account names able to access this role. If set to `["*"]` all names are allowed, both this and bound_service_account_namespaces can not be "*". + // +listType=set BoundServiceAccountNames []*string `json:"boundServiceAccountNames,omitempty" tf:"bound_service_account_names,omitempty"` // List of namespaces allowed to access this role. If set to ["*"] all namespaces are allowed, both this and bound_service_account_names can not be set to "*". // List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed, both this and bound_service_account_names can not be set to "*". + // +listType=set BoundServiceAccountNamespaces []*string `json:"boundServiceAccountNamespaces,omitempty" tf:"bound_service_account_namespaces,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` 
@@ -139,6 +155,7 @@ type AuthBackendRoleObservation struct { // addresses which can authenticate successfully, and ties the resulting token to these blocks // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // If set, will encode an @@ -173,6 +190,7 @@ type AuthBackendRoleObservation struct { // List of policies to encode onto generated tokens. Depending // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The initial ttl of the token to generate in seconds 
@@ -202,17 +220,29 @@ type AuthBackendRoleParameters struct { // Unique name of the kubernetes backend to configure. // Unique name of the kubernetes backend to configure. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // List of service account names able to access this role. If set to ["*"] all names are allowed, both this and bound_service_account_namespaces can not be "*". // List of service account names able to access this role. If set to `["*"]` all names are allowed, both this and bound_service_account_namespaces can not be "*". // +kubebuilder:validation:Optional + // +listType=set BoundServiceAccountNames []*string `json:"boundServiceAccountNames,omitempty" tf:"bound_service_account_names,omitempty"` // List of namespaces allowed to access this role. If set to ["*"] all namespaces are allowed, both this and bound_service_account_names can not be set to "*". // List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed, both this and bound_service_account_names can not be set to "*". // +kubebuilder:validation:Optional + // +listType=set BoundServiceAccountNamespaces []*string `json:"boundServiceAccountNamespaces,omitempty" tf:"bound_service_account_namespaces,omitempty"` // The namespace to provision the resource in. 
@@ -233,6 +263,7 @@ type AuthBackendRoleParameters struct { // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token // +kubebuilder:validation:Optional + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // If set, will encode an @@ -273,6 +304,7 @@ type AuthBackendRoleParameters struct { // on the auth method, this list may be supplemented by user/group/other values. // Generated Token's Policies // +kubebuilder:validation:Optional + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The initial ttl of the token to generate in seconds @@ -293,9 +325,8 @@ type AuthBackendRoleParameters struct { type AuthBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendRoleParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -314,20 +345,21 @@ type AuthBackendRoleStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // AuthBackendRole is the Schema for the AuthBackendRoles API. Manages Kubernetes auth backend roles in Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type AuthBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.boundServiceAccountNames) || has(self.initProvider.boundServiceAccountNames)",message="boundServiceAccountNames is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.boundServiceAccountNamespaces) || has(self.initProvider.boundServiceAccountNamespaces)",message="boundServiceAccountNamespaces is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.roleName) || has(self.initProvider.roleName)",message="roleName is a required parameter" + // 
+kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.boundServiceAccountNames) || (has(self.initProvider) && has(self.initProvider.boundServiceAccountNames))",message="spec.forProvider.boundServiceAccountNames is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.boundServiceAccountNamespaces) || (has(self.initProvider) && has(self.initProvider.boundServiceAccountNamespaces))",message="spec.forProvider.boundServiceAccountNamespaces is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.roleName) || (has(self.initProvider) && has(self.initProvider.roleName))",message="spec.forProvider.roleName is a required parameter" Spec AuthBackendRoleSpec `json:"spec"` Status AuthBackendRoleStatus `json:"status,omitempty"` } diff --git a/apis/kubernetes/v1alpha1/zz_generated.conversion_hubs.go b/apis/kubernetes/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..6bb6a2e6 --- /dev/null +++ b/apis/kubernetes/v1alpha1/zz_generated.conversion_hubs.go @@ -0,0 +1,19 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *AuthBackendConfig) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *AuthBackendRole) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SecretBackend) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SecretBackendRole) Hub() {} 
diff --git a/apis/kubernetes/v1alpha1/zz_generated.deepcopy.go b/apis/kubernetes/v1alpha1/zz_generated.deepcopy.go index d78ed8c4..f8b5b283 100644 --- a/apis/kubernetes/v1alpha1/zz_generated.deepcopy.go +++ b/apis/kubernetes/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. @@ -49,6 +48,16 @@ func (in *AuthBackendConfigInitParameters) DeepCopyInto(out *AuthBackendConfigIn *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.DisableIssValidation != nil { in, out := &in.DisableIssValidation, &out.DisableIssValidation *out = new(bool) @@ -90,6 +99,11 @@ func (in *AuthBackendConfigInitParameters) DeepCopyInto(out *AuthBackendConfigIn } } } + if in.TokenReviewerJwtSecretRef != nil { + in, out := &in.TokenReviewerJwtSecretRef, &out.TokenReviewerJwtSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendConfigInitParameters. @@ -208,6 +222,16 @@ func (in *AuthBackendConfigParameters) DeepCopyInto(out *AuthBackendConfigParame *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.DisableIssValidation != nil { in, out := &in.DisableIssValidation, &out.DisableIssValidation *out = new(bool) 
@@ -346,6 +370,16 @@ func (in *AuthBackendRoleInitParameters) DeepCopyInto(out *AuthBackendRoleInitPa *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.BoundServiceAccountNames != nil { in, out := &in.BoundServiceAccountNames, &out.BoundServiceAccountNames *out = make([]*string, len(*in)) @@ -621,6 +655,16 @@ func (in *AuthBackendRoleParameters) DeepCopyInto(out *AuthBackendRoleParameters *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.BoundServiceAccountNames != nil { in, out := &in.BoundServiceAccountNames, &out.BoundServiceAccountNames *out = make([]*string, len(*in)) @@ -798,6 +842,17 @@ func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParame } } } + if in.AllowedResponseHeaders != nil { + in, out := &in.AllowedResponseHeaders, &out.AllowedResponseHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.AuditNonHMACRequestKeys != nil { in, out := &in.AuditNonHMACRequestKeys, &out.AuditNonHMACRequestKeys *out = make([]*string, len(*in)) 
@@ -825,6 +880,17 @@ func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParame *out = new(float64) **out = **in } + if in.DelegatedAuthAccessors != nil { + in, out := &in.DelegatedAuthAccessors, &out.DelegatedAuthAccessors + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Description != nil { in, out := &in.Description, &out.Description *out = new(string) @@ -840,6 +906,11 @@ func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParame *out = new(bool) **out = **in } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } if in.KubernetesCACert != nil { in, out := &in.KubernetesCACert, &out.KubernetesCACert *out = new(string) @@ -850,6 +921,11 @@ func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParame *out = new(string) **out = **in } + if in.ListingVisibility != nil { + in, out := &in.ListingVisibility, &out.ListingVisibility + *out = new(string) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) 
@@ -873,23 +949,45 @@ func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParame if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } (*out)[key] = outVal } } + if in.PassthroughRequestHeaders != nil { + in, out := &in.PassthroughRequestHeaders, &out.PassthroughRequestHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Path != nil { in, out := &in.Path, &out.Path *out = new(string) **out = **in } + if in.PluginVersion != nil { + in, out := &in.PluginVersion, &out.PluginVersion + *out = new(string) + **out = **in + } if in.SealWrap != nil { in, out := &in.SealWrap, &out.SealWrap *out = new(bool) **out = **in } + if in.ServiceAccountJwtSecretRef != nil { + in, out := &in.ServiceAccountJwtSecretRef, &out.ServiceAccountJwtSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendInitParameters. @@ -953,6 +1051,17 @@ func (in *SecretBackendObservation) DeepCopyInto(out *SecretBackendObservation) } } } + if in.AllowedResponseHeaders != nil { + in, out := &in.AllowedResponseHeaders, &out.AllowedResponseHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.AuditNonHMACRequestKeys != nil { in, out := &in.AuditNonHMACRequestKeys, &out.AuditNonHMACRequestKeys *out = make([]*string, len(*in)) 
@@ -980,6 +1089,17 @@ func (in *SecretBackendObservation) DeepCopyInto(out *SecretBackendObservation) *out = new(float64) **out = **in } + if in.DelegatedAuthAccessors != nil { + in, out := &in.DelegatedAuthAccessors, &out.DelegatedAuthAccessors + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Description != nil { in, out := &in.Description, &out.Description *out = new(string) @@ -1000,6 +1120,11 @@ func (in *SecretBackendObservation) DeepCopyInto(out *SecretBackendObservation) *out = new(string) **out = **in } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } if in.KubernetesCACert != nil { in, out := &in.KubernetesCACert, &out.KubernetesCACert *out = new(string) @@ -1010,6 +1135,11 @@ func (in *SecretBackendObservation) DeepCopyInto(out *SecretBackendObservation) *out = new(string) **out = **in } + if in.ListingVisibility != nil { + in, out := &in.ListingVisibility, &out.ListingVisibility + *out = new(string) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) 
@@ -1033,18 +1163,35 @@ func (in *SecretBackendObservation) DeepCopyInto(out *SecretBackendObservation) if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } (*out)[key] = outVal } } + if in.PassthroughRequestHeaders != nil { + in, out := &in.PassthroughRequestHeaders, &out.PassthroughRequestHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Path != nil { in, out := &in.Path, &out.Path *out = new(string) **out = **in } + if in.PluginVersion != nil { + in, out := &in.PluginVersion, &out.PluginVersion + *out = new(string) + **out = **in + } if in.SealWrap != nil { in, out := &in.SealWrap, &out.SealWrap *out = new(bool) @@ -1076,6 +1223,17 @@ func (in *SecretBackendParameters) DeepCopyInto(out *SecretBackendParameters) { } } } + if in.AllowedResponseHeaders != nil { + in, out := &in.AllowedResponseHeaders, &out.AllowedResponseHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.AuditNonHMACRequestKeys != nil { in, out := &in.AuditNonHMACRequestKeys, &out.AuditNonHMACRequestKeys *out = make([]*string, len(*in)) @@ -1103,6 +1261,17 @@ func (in *SecretBackendParameters) DeepCopyInto(out *SecretBackendParameters) { *out = new(float64) **out = **in } + if in.DelegatedAuthAccessors != nil { + in, out := &in.DelegatedAuthAccessors, &out.DelegatedAuthAccessors + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Description != nil { in, out := &in.Description, &out.Description *out = new(string) 
@@ -1118,6 +1287,11 @@ func (in *SecretBackendParameters) DeepCopyInto(out *SecretBackendParameters) { *out = new(bool) **out = **in } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } if in.KubernetesCACert != nil { in, out := &in.KubernetesCACert, &out.KubernetesCACert *out = new(string) @@ -1128,6 +1302,11 @@ func (in *SecretBackendParameters) DeepCopyInto(out *SecretBackendParameters) { *out = new(string) **out = **in } + if in.ListingVisibility != nil { + in, out := &in.ListingVisibility, &out.ListingVisibility + *out = new(string) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) @@ -1151,18 +1330,35 @@ func (in *SecretBackendParameters) DeepCopyInto(out *SecretBackendParameters) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } (*out)[key] = outVal } } + if in.PassthroughRequestHeaders != nil { + in, out := &in.PassthroughRequestHeaders, &out.PassthroughRequestHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Path != nil { in, out := &in.Path, &out.Path *out = new(string) **out = **in } + if in.PluginVersion != nil { + in, out := &in.PluginVersion, &out.PluginVersion + *out = new(string) + **out = **in + } if in.SealWrap != nil { in, out := &in.SealWrap, &out.SealWrap *out = new(bool) 
@@ -1215,6 +1411,11 @@ func (in *SecretBackendRole) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleInitParameters) { *out = *in + if in.AllowedKubernetesNamespaceSelector != nil { + in, out := &in.AllowedKubernetesNamespaceSelector, &out.AllowedKubernetesNamespaceSelector + *out = new(string) + **out = **in + } if in.AllowedKubernetesNamespaces != nil { in, out := &in.AllowedKubernetesNamespaces, &out.AllowedKubernetesNamespaces *out = make([]*string, len(*in)) @@ -1231,6 +1432,16 @@ func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleIn *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.ExtraAnnotations != nil { in, out := &in.ExtraAnnotations, &out.ExtraAnnotations *out = make(map[string]*string, len(*in)) @@ -1239,7 +1450,8 @@ func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleIn if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -1254,7 +1466,8 @@ func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleIn if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } 
@@ -1353,6 +1566,11 @@ func (in *SecretBackendRoleList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretBackendRoleObservation) DeepCopyInto(out *SecretBackendRoleObservation) { *out = *in + if in.AllowedKubernetesNamespaceSelector != nil { + in, out := &in.AllowedKubernetesNamespaceSelector, &out.AllowedKubernetesNamespaceSelector + *out = new(string) + **out = **in + } if in.AllowedKubernetesNamespaces != nil { in, out := &in.AllowedKubernetesNamespaces, &out.AllowedKubernetesNamespaces *out = make([]*string, len(*in)) @@ -1377,7 +1595,8 @@ func (in *SecretBackendRoleObservation) DeepCopyInto(out *SecretBackendRoleObser if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -1392,7 +1611,8 @@ func (in *SecretBackendRoleObservation) DeepCopyInto(out *SecretBackendRoleObser if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -1464,6 +1684,11 @@ func (in *SecretBackendRoleObservation) DeepCopy() *SecretBackendRoleObservation // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParameters) { *out = *in + if in.AllowedKubernetesNamespaceSelector != nil { + in, out := &in.AllowedKubernetesNamespaceSelector, &out.AllowedKubernetesNamespaceSelector + *out = new(string) + **out = **in + } if in.AllowedKubernetesNamespaces != nil { in, out := &in.AllowedKubernetesNamespaces, &out.AllowedKubernetesNamespaces *out = make([]*string, len(*in)) 
@@ -1480,6 +1705,16 @@ func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParame *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.ExtraAnnotations != nil { in, out := &in.ExtraAnnotations, &out.ExtraAnnotations *out = make(map[string]*string, len(*in)) @@ -1488,7 +1723,8 @@ func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParame if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -1503,7 +1739,8 @@ func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParame if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } diff --git a/apis/kubernetes/v1alpha1/zz_generated.managed.go b/apis/kubernetes/v1alpha1/zz_generated.managed.go index 84919699..b73e6e6f 100644 --- a/apis/kubernetes/v1alpha1/zz_generated.managed.go +++ b/apis/kubernetes/v1alpha1/zz_generated.managed.go @@ -27,14 +27,6 @@ func (mg *AuthBackendConfig) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this AuthBackendConfig. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *AuthBackendConfig) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this AuthBackendConfig. func (mg *AuthBackendConfig) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -65,14 +57,6 @@ func (mg *AuthBackendConfig) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this AuthBackendConfig. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *AuthBackendConfig) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this AuthBackendConfig. func (mg *AuthBackendConfig) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -103,14 +87,6 @@ func (mg *AuthBackendRole) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this AuthBackendRole. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *AuthBackendRole) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this AuthBackendRole. func (mg *AuthBackendRole) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -141,14 +117,6 @@ func (mg *AuthBackendRole) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this AuthBackendRole. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *AuthBackendRole) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this AuthBackendRole. func (mg *AuthBackendRole) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r 
@@ -179,14 +147,6 @@ func (mg *SecretBackend) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretBackend. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretBackend) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretBackend. func (mg *SecretBackend) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -217,14 +177,6 @@ func (mg *SecretBackend) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretBackend. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretBackend) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretBackend. func (mg *SecretBackend) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -255,14 +207,6 @@ func (mg *SecretBackendRole) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretBackendRole. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretBackendRole) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretBackendRole. func (mg *SecretBackendRole) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -293,14 +237,6 @@ func (mg *SecretBackendRole) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretBackendRole. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretBackendRole) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretBackendRole. func (mg *SecretBackendRole) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/kubernetes/v1alpha1/zz_generated.resolvers.go b/apis/kubernetes/v1alpha1/zz_generated.resolvers.go new file mode 100644 index 00000000..ead4d846 --- /dev/null +++ b/apis/kubernetes/v1alpha1/zz_generated.resolvers.go 
@@ -0,0 +1,141 @@ +/* +Copyright 2022 Upbound Inc. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + reference "github.com/crossplane/crossplane-runtime/pkg/reference" + resource "github.com/crossplane/upjet/pkg/resource" + errors "github.com/pkg/errors" + v1alpha1 "github.com/upbound/provider-vault/apis/auth/v1alpha1" + client "sigs.k8s.io/controller-runtime/pkg/client" +) + +// ResolveReferences of this AuthBackendConfig. +func (mg *AuthBackendConfig) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this AuthBackendRole. 
+func (mg *AuthBackendRole) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this SecretBackendRole. 
+func (mg *SecretBackendRole) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &SecretBackendList{}, + Managed: &SecretBackend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &SecretBackendList{}, + Managed: &SecretBackend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} diff --git a/apis/kubernetes/v1alpha1/zz_generated_terraformed.go b/apis/kubernetes/v1alpha1/zz_generated_terraformed.go deleted file mode 100755 index 4cba97ff..00000000 --- a/apis/kubernetes/v1alpha1/zz_generated_terraformed.go +++ /dev/null 
@@ -1,350 +0,0 @@ -/* -Copyright 2022 Upbound Inc. -*/ - -// Code generated by upjet. DO NOT EDIT. - -package v1alpha1 - -import ( - "github.com/pkg/errors" - - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" -) - -// GetTerraformResourceType returns Terraform resource type for this AuthBackendConfig -func (mg *AuthBackendConfig) GetTerraformResourceType() string { - return "vault_kubernetes_auth_backend_config" -} - -// GetConnectionDetailsMapping for this AuthBackendConfig -func (tr *AuthBackendConfig) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"token_reviewer_jwt": "spec.forProvider.tokenReviewerJwtSecretRef"} -} - -// GetObservation of this AuthBackendConfig -func (tr *AuthBackendConfig) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this AuthBackendConfig -func (tr *AuthBackendConfig) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this AuthBackendConfig -func (tr *AuthBackendConfig) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this AuthBackendConfig -func (tr *AuthBackendConfig) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this AuthBackendConfig -func (tr *AuthBackendConfig) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, 
&tr.Spec.ForProvider) -} - -// GetInitParameters of this AuthBackendConfig -func (tr *AuthBackendConfig) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this AuthBackendConfig using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *AuthBackendConfig) LateInitialize(attrs []byte) (bool, error) { - params := &AuthBackendConfigParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *AuthBackendConfig) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this AuthBackendRole -func (mg *AuthBackendRole) GetTerraformResourceType() string { - return "vault_kubernetes_auth_backend_role" -} - -// GetConnectionDetailsMapping for this AuthBackendRole -func (tr *AuthBackendRole) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this AuthBackendRole -func (tr *AuthBackendRole) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this AuthBackendRole -func (tr *AuthBackendRole) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return 
json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this AuthBackendRole -func (tr *AuthBackendRole) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this AuthBackendRole -func (tr *AuthBackendRole) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this AuthBackendRole -func (tr *AuthBackendRole) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this AuthBackendRole -func (tr *AuthBackendRole) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this AuthBackendRole using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *AuthBackendRole) LateInitialize(attrs []byte) (bool, error) { - params := &AuthBackendRoleParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *AuthBackendRole) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this SecretBackend -func (mg *SecretBackend) GetTerraformResourceType() string { - return "vault_kubernetes_secret_backend" -} - -// GetConnectionDetailsMapping for this SecretBackend -func (tr *SecretBackend) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"service_account_jwt": "spec.forProvider.serviceAccountJwtSecretRef"} -} - -// GetObservation of this SecretBackend -func (tr *SecretBackend) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretBackend -func (tr *SecretBackend) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this SecretBackend -func (tr *SecretBackend) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this SecretBackend -func (tr *SecretBackend) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this SecretBackend -func (tr *SecretBackend) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this SecretBackend -func (tr *SecretBackend) 
GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this SecretBackend using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { - params := &SecretBackendParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretBackend) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this SecretBackendRole -func (mg *SecretBackendRole) GetTerraformResourceType() string { - return "vault_kubernetes_secret_backend_role" -} - -// GetConnectionDetailsMapping for this SecretBackendRole -func (tr *SecretBackendRole) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this SecretBackendRole -func (tr *SecretBackendRole) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretBackendRole -func (tr *SecretBackendRole) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of 
this SecretBackendRole -func (tr *SecretBackendRole) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this SecretBackendRole -func (tr *SecretBackendRole) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this SecretBackendRole -func (tr *SecretBackendRole) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this SecretBackendRole -func (tr *SecretBackendRole) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this SecretBackendRole using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretBackendRole) LateInitialize(attrs []byte) (bool, error) { - params := &SecretBackendRoleParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretBackendRole) GetTerraformSchemaVersion() int { - return 0 -} 
diff --git a/apis/kubernetes/v1alpha1/zz_secretbackend_terraformed.go b/apis/kubernetes/v1alpha1/zz_secretbackend_terraformed.go new file mode 100755 index 00000000..2a4f8ca6 --- /dev/null +++ b/apis/kubernetes/v1alpha1/zz_secretbackend_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretBackend +func (mg *SecretBackend) GetTerraformResourceType() string { + return "vault_kubernetes_secret_backend" +} + +// GetConnectionDetailsMapping for this SecretBackend +func (tr *SecretBackend) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"service_account_jwt": "serviceAccountJwtSecretRef"} +} + +// GetObservation of this SecretBackend +func (tr *SecretBackend) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretBackend +func (tr *SecretBackend) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretBackend +func (tr *SecretBackend) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretBackend +func (tr *SecretBackend) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretBackend +func (tr *SecretBackend) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of 
this SecretBackend +func (tr *SecretBackend) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretBackend +func (tr *SecretBackend) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretBackend using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { + params := &SecretBackendParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretBackend) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/kubernetes/v1alpha1/zz_secretbackend_types.go b/apis/kubernetes/v1alpha1/zz_secretbackend_types.go index 5f324a0a..d1ebf78a 100755 --- a/apis/kubernetes/v1alpha1/zz_secretbackend_types.go +++ b/apis/kubernetes/v1alpha1/zz_secretbackend_types.go @@ -16,8 +16,12 @@ import ( type SecretBackendInitParameters struct { // List of managed key registry entry names that the mount in question is allowed to access + // +listType=set AllowedManagedKeys []*string `json:"allowedManagedKeys,omitempty" tf:"allowed_managed_keys,omitempty"` + // List of headers to allow and pass from the request to the plugin + AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers,omitempty"` + // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys,omitempty"` @@ -27,6 +31,9 @@ type SecretBackendInitParameters struct { // Default lease duration for tokens and secrets in seconds DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // List of headers to allow and pass from the request to the plugin + DelegatedAuthAccessors []*string `json:"delegatedAuthAccessors,omitempty" tf:"delegated_auth_accessors,omitempty"` + // Human-friendly description of the mount Description *string `json:"description,omitempty" tf:"description,omitempty"` 
@@ -38,6 +45,9 @@ type SecretBackendInitParameters struct { // Enable the secrets engine to access Vault's external entropy source ExternalEntropyAccess *bool `json:"externalEntropyAccess,omitempty" tf:"external_entropy_access,omitempty"` + // The key to use for signing plugin workload identity tokens + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + // A PEM-encoded CA certificate used by the // secrets engine to verify the Kubernetes API server certificate. Defaults to the local // pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where @@ -51,6 +61,9 @@ type SecretBackendInitParameters struct { // The Kubernetes API URL to connect to. KubernetesHost *string `json:"kubernetesHost,omitempty" tf:"kubernetes_host,omitempty"` + // Specifies whether to show this mount in the UI-specific listing endpoint + ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility,omitempty"` + // Local mount flag that can be explicitly set to true to enforce local mount in HA environment Local *bool `json:"local,omitempty" tf:"local,omitempty"` 
@@ -65,13 +78,26 @@ type SecretBackendInitParameters struct { Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` // Specifies mount type specific options that are passed to the backend + // +mapType=granular Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` + // List of headers to allow and pass from the request to the plugin + PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers,omitempty"` + // Where the secret backend will be mounted Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Specifies the semantic version of the plugin to use, e.g. 'v1.0.0' + PluginVersion *string `json:"pluginVersion,omitempty" tf:"plugin_version,omitempty"` + // Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability SealWrap *bool `json:"sealWrap,omitempty" tf:"seal_wrap,omitempty"` + + // The JSON web token of the service account used by the + // secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault + // is running in Kubernetes. + // The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if found. + ServiceAccountJwtSecretRef *v1.SecretKeySelector `json:"serviceAccountJwtSecretRef,omitempty" tf:"-"` } type SecretBackendObservation struct { 
@@ -80,8 +106,12 @@ type SecretBackendObservation struct { Accessor *string `json:"accessor,omitempty" tf:"accessor,omitempty"` // List of managed key registry entry names that the mount in question is allowed to access + // +listType=set AllowedManagedKeys []*string `json:"allowedManagedKeys,omitempty" tf:"allowed_managed_keys,omitempty"` + // List of headers to allow and pass from the request to the plugin + AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers,omitempty"` + // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys,omitempty"` @@ -91,6 +121,9 @@ type SecretBackendObservation struct { // Default lease duration for tokens and secrets in seconds DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // List of headers to allow and pass from the request to the plugin + DelegatedAuthAccessors []*string `json:"delegatedAuthAccessors,omitempty" tf:"delegated_auth_accessors,omitempty"` + // Human-friendly description of the mount Description *string `json:"description,omitempty" tf:"description,omitempty"` @@ -104,6 +137,9 @@ type SecretBackendObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The key to use for signing plugin workload identity tokens + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + // A PEM-encoded CA certificate used by the // secrets engine to verify the Kubernetes API server certificate. Defaults to the local // pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where 
@@ -117,6 +153,9 @@ type SecretBackendObservation struct { // The Kubernetes API URL to connect to. KubernetesHost *string `json:"kubernetesHost,omitempty" tf:"kubernetes_host,omitempty"` + // Specifies whether to show this mount in the UI-specific listing endpoint + ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility,omitempty"` + // Local mount flag that can be explicitly set to true to enforce local mount in HA environment Local *bool `json:"local,omitempty" tf:"local,omitempty"` @@ -131,11 +170,18 @@ type SecretBackendObservation struct { Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` // Specifies mount type specific options that are passed to the backend + // +mapType=granular Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` + // List of headers to allow and pass from the request to the plugin + PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers,omitempty"` + // Where the secret backend will be mounted Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Specifies the semantic version of the plugin to use, e.g. 'v1.0.0' + PluginVersion *string `json:"pluginVersion,omitempty" tf:"plugin_version,omitempty"` + // Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability SealWrap *bool `json:"sealWrap,omitempty" tf:"seal_wrap,omitempty"` } 
@@ -144,8 +190,13 @@ type SecretBackendParameters struct { // List of managed key registry entry names that the mount in question is allowed to access // +kubebuilder:validation:Optional + // +listType=set AllowedManagedKeys []*string `json:"allowedManagedKeys,omitempty" tf:"allowed_managed_keys,omitempty"` + // List of headers to allow and pass from the request to the plugin + // +kubebuilder:validation:Optional + AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers,omitempty"` + // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. // +kubebuilder:validation:Optional AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys,omitempty"` @@ -158,6 +209,10 @@ type SecretBackendParameters struct { // +kubebuilder:validation:Optional DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // List of headers to allow and pass from the request to the plugin + // +kubebuilder:validation:Optional + DelegatedAuthAccessors []*string `json:"delegatedAuthAccessors,omitempty" tf:"delegated_auth_accessors,omitempty"` + // Human-friendly description of the mount // +kubebuilder:validation:Optional Description *string `json:"description,omitempty" tf:"description,omitempty"` 
@@ -172,6 +227,10 @@ type SecretBackendParameters struct { // +kubebuilder:validation:Optional ExternalEntropyAccess *bool `json:"externalEntropyAccess,omitempty" tf:"external_entropy_access,omitempty"` + // The key to use for signing plugin workload identity tokens + // +kubebuilder:validation:Optional + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + // A PEM-encoded CA certificate used by the // secrets engine to verify the Kubernetes API server certificate. Defaults to the local // pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where @@ -187,6 +246,10 @@ type SecretBackendParameters struct { // +kubebuilder:validation:Optional KubernetesHost *string `json:"kubernetesHost,omitempty" tf:"kubernetes_host,omitempty"` + // Specifies whether to show this mount in the UI-specific listing endpoint + // +kubebuilder:validation:Optional + ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility,omitempty"` + // Local mount flag that can be explicitly set to true to enforce local mount in HA environment // +kubebuilder:validation:Optional Local *bool `json:"local,omitempty" tf:"local,omitempty"` 
@@ -205,12 +268,21 @@ type SecretBackendParameters struct { // Specifies mount type specific options that are passed to the backend // +kubebuilder:validation:Optional + // +mapType=granular Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` + // List of headers to allow and pass from the request to the plugin + // +kubebuilder:validation:Optional + PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers,omitempty"` + // Where the secret backend will be mounted // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Specifies the semantic version of the plugin to use, e.g. 'v1.0.0' + // +kubebuilder:validation:Optional + PluginVersion *string `json:"pluginVersion,omitempty" tf:"plugin_version,omitempty"` + // Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability // +kubebuilder:validation:Optional SealWrap *bool `json:"sealWrap,omitempty" tf:"seal_wrap,omitempty"` @@ -227,9 +299,8 @@ type SecretBackendParameters struct { type SecretBackendSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -248,18 +319,19 @@ type SecretBackendStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretBackend is the Schema for the SecretBackends API. Creates a Kubernetes Secrets Engine in Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretBackend struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || has(self.initProvider.path)",message="path is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || (has(self.initProvider) && has(self.initProvider.path))",message="spec.forProvider.path is a required parameter" Spec SecretBackendSpec `json:"spec"` Status SecretBackendStatus `json:"status,omitempty"` } diff --git a/apis/kubernetes/v1alpha1/zz_secretbackendrole_terraformed.go b/apis/kubernetes/v1alpha1/zz_secretbackendrole_terraformed.go new file mode 100755 index 00000000..a42ee412 --- /dev/null +++ b/apis/kubernetes/v1alpha1/zz_secretbackendrole_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretBackendRole +func (mg *SecretBackendRole) GetTerraformResourceType() string { + return "vault_kubernetes_secret_backend_role" +} + +// GetConnectionDetailsMapping for this SecretBackendRole +func (tr *SecretBackendRole) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this SecretBackendRole +func (tr *SecretBackendRole) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretBackendRole +func (tr *SecretBackendRole) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretBackendRole +func (tr *SecretBackendRole) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretBackendRole +func (tr *SecretBackendRole) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretBackendRole +func (tr *SecretBackendRole) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this 
SecretBackendRole +func (tr *SecretBackendRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretBackendRole +func (tr *SecretBackendRole) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretBackendRole using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *SecretBackendRole) LateInitialize(attrs []byte) (bool, error) { + params := &SecretBackendRoleParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretBackendRole) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/kubernetes/v1alpha1/zz_secretbackendrole_types.go b/apis/kubernetes/v1alpha1/zz_secretbackendrole_types.go index 452145b4..2d19c5c6 100755 --- a/apis/kubernetes/v1alpha1/zz_secretbackendrole_types.go +++ b/apis/kubernetes/v1alpha1/zz_secretbackendrole_types.go 
@@ -15,24 +15,44 @@ import ( type SecretBackendRoleInitParameters struct { + // A label selector for Kubernetes namespaces + // in which credentials can be generated. Accepts either a JSON or YAML object. The value should be + // of type LabelSelector. + // If set with allowed_kubernetes_namespace, the conditions are ORed. + // A label selector for Kubernetes namespaces in which credentials can begenerated. Accepts either a JSON or YAML object. The value should be of typeLabelSelector. If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed. + AllowedKubernetesNamespaceSelector *string `json:"allowedKubernetesNamespaceSelector,omitempty" tf:"allowed_kubernetes_namespace_selector,omitempty"` + // The list of Kubernetes namespaces this role - // can generate credentials for. If set to * all namespaces are allowed. - // The list of Kubernetes namespaces this role can generate credentials for. If set to '*' all namespaces are allowed. + // can generate credentials for. If set to * all namespaces are allowed. If set with + // allowed_kubernetes_namespace_selector, the conditions are ORed. + // The list of Kubernetes namespaces this role can generate credentials for. If set to '*' all namespaces are allowed. If set with`allowed_kubernetes_namespace_selector`, the conditions are `OR`ed. AllowedKubernetesNamespaces []*string `json:"allowedKubernetesNamespaces,omitempty" tf:"allowed_kubernetes_namespaces,omitempty"` // The path of the Kubernetes Secrets Engine backend mount to create // the role in. // The mount path for the Kubernetes secrets engine. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/kubernetes/v1alpha1.SecretBackend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a SecretBackend in kubernetes to populate backend. 
+ // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a SecretBackend in kubernetes to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Additional annotations to apply to all generated // Kubernetes objects. // Additional annotations to apply to all generated Kubernetes objects. + // +mapType=granular ExtraAnnotations map[string]*string `json:"extraAnnotations,omitempty" tf:"extra_annotations,omitempty"` // Additional labels to apply to all generated Kubernetes // objects. // Additional labels to apply to all generated Kubernetes objects. + // +mapType=granular ExtraLabels map[string]*string `json:"extraLabels,omitempty" tf:"extra_labels,omitempty"` // The Role or ClusterRole rules to use when generating 
@@ -87,9 +107,17 @@ type SecretBackendRoleInitParameters struct { type SecretBackendRoleObservation struct { + // A label selector for Kubernetes namespaces + // in which credentials can be generated. Accepts either a JSON or YAML object. The value should be + // of type LabelSelector. + // If set with allowed_kubernetes_namespace, the conditions are ORed. + // A label selector for Kubernetes namespaces in which credentials can begenerated. Accepts either a JSON or YAML object. The value should be of typeLabelSelector. If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed. + AllowedKubernetesNamespaceSelector *string `json:"allowedKubernetesNamespaceSelector,omitempty" tf:"allowed_kubernetes_namespace_selector,omitempty"` + // The list of Kubernetes namespaces this role - // can generate credentials for. If set to * all namespaces are allowed. - // The list of Kubernetes namespaces this role can generate credentials for. If set to '*' all namespaces are allowed. + // can generate credentials for. If set to * all namespaces are allowed. If set with + // allowed_kubernetes_namespace_selector, the conditions are ORed. + // The list of Kubernetes namespaces this role can generate credentials for. If set to '*' all namespaces are allowed. If set with`allowed_kubernetes_namespace_selector`, the conditions are `OR`ed. AllowedKubernetesNamespaces []*string `json:"allowedKubernetesNamespaces,omitempty" tf:"allowed_kubernetes_namespaces,omitempty"` // The path of the Kubernetes Secrets Engine backend mount to create 
@@ -100,11 +128,13 @@ type SecretBackendRoleObservation struct { // Additional annotations to apply to all generated // Kubernetes objects. // Additional annotations to apply to all generated Kubernetes objects. + // +mapType=granular ExtraAnnotations map[string]*string `json:"extraAnnotations,omitempty" tf:"extra_annotations,omitempty"` // Additional labels to apply to all generated Kubernetes // objects. // Additional labels to apply to all generated Kubernetes objects. + // +mapType=granular ExtraLabels map[string]*string `json:"extraLabels,omitempty" tf:"extra_labels,omitempty"` // The Role or ClusterRole rules to use when generating 
@@ -161,28 +191,49 @@ type SecretBackendRoleObservation struct { type SecretBackendRoleParameters struct { + // A label selector for Kubernetes namespaces + // in which credentials can be generated. Accepts either a JSON or YAML object. The value should be + // of type LabelSelector. + // If set with allowed_kubernetes_namespace, the conditions are ORed. + // A label selector for Kubernetes namespaces in which credentials can begenerated. Accepts either a JSON or YAML object. The value should be of typeLabelSelector. If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed. + // +kubebuilder:validation:Optional + AllowedKubernetesNamespaceSelector *string `json:"allowedKubernetesNamespaceSelector,omitempty" tf:"allowed_kubernetes_namespace_selector,omitempty"` + // The list of Kubernetes namespaces this role - // can generate credentials for. If set to * all namespaces are allowed. - // The list of Kubernetes namespaces this role can generate credentials for. If set to '*' all namespaces are allowed. + // can generate credentials for. If set to * all namespaces are allowed. If set with + // allowed_kubernetes_namespace_selector, the conditions are ORed. + // The list of Kubernetes namespaces this role can generate credentials for. If set to '*' all namespaces are allowed. If set with`allowed_kubernetes_namespace_selector`, the conditions are `OR`ed. // +kubebuilder:validation:Optional AllowedKubernetesNamespaces []*string `json:"allowedKubernetesNamespaces,omitempty" tf:"allowed_kubernetes_namespaces,omitempty"` // The path of the Kubernetes Secrets Engine backend mount to create // the role in. // The mount path for the Kubernetes secrets engine. 
+ // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/kubernetes/v1alpha1.SecretBackend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a SecretBackend in kubernetes to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a SecretBackend in kubernetes to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Additional annotations to apply to all generated // Kubernetes objects. // Additional annotations to apply to all generated Kubernetes objects. // +kubebuilder:validation:Optional + // +mapType=granular ExtraAnnotations map[string]*string `json:"extraAnnotations,omitempty" tf:"extra_annotations,omitempty"` // Additional labels to apply to all generated Kubernetes // objects. // Additional labels to apply to all generated Kubernetes objects. // +kubebuilder:validation:Optional + // +mapType=granular ExtraLabels map[string]*string `json:"extraLabels,omitempty" tf:"extra_labels,omitempty"` // The Role or ClusterRole rules to use when generating 
@@ -248,9 +299,8 @@ type SecretBackendRoleParameters struct { type SecretBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendRoleParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -269,20 +319,19 @@ type SecretBackendRoleStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretBackendRole is the Schema for the SecretBackendRoles API. Creates a role for the Kubernetes Secrets Engine in Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.allowedKubernetesNamespaces) || has(self.initProvider.allowedKubernetesNamespaces)",message="allowedKubernetesNamespaces is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in 
self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" Spec SecretBackendRoleSpec `json:"spec"` Status SecretBackendRoleStatus `json:"status,omitempty"` } diff --git a/apis/kv/v1alpha1/zz_generated.conversion_hubs.go b/apis/kv/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..40cee9fc --- /dev/null +++ b/apis/kv/v1alpha1/zz_generated.conversion_hubs.go @@ -0,0 +1,16 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *Secret) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SecretBackendV2) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SecretV2) Hub() {} diff --git a/apis/kv/v1alpha1/zz_generated.deepcopy.go b/apis/kv/v1alpha1/zz_generated.deepcopy.go index e2e213f5..133bd470 100644 --- a/apis/kv/v1alpha1/zz_generated.deepcopy.go +++ b/apis/kv/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. @@ -10,6 +9,7 @@ Copyright 2022 Upbound Inc. package v1alpha1 import ( + "github.com/crossplane/crossplane-runtime/apis/common/v1" runtime "k8s.io/apimachinery/pkg/runtime" ) @@ -29,7 +29,8 @@ func (in *CustomMetadataInitParameters) DeepCopyInto(out *CustomMetadataInitPara if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -74,7 +75,8 @@ func (in *CustomMetadataObservation) DeepCopyInto(out *CustomMetadataObservation if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } 
@@ -119,7 +121,8 @@ func (in *CustomMetadataParameters) DeepCopyInto(out *CustomMetadataParameters) if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -225,6 +228,16 @@ func (in *SecretBackendV2InitParameters) DeepCopyInto(out *SecretBackendV2InitPa *out = new(string) **out = **in } + if in.MountRef != nil { + in, out := &in.MountRef, &out.MountRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.MountSelector != nil { + in, out := &in.MountSelector, &out.MountSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) @@ -342,6 +355,16 @@ func (in *SecretBackendV2Parameters) DeepCopyInto(out *SecretBackendV2Parameters *out = new(string) **out = **in } + if in.MountRef != nil { + in, out := &in.MountRef, &out.MountRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.MountSelector != nil { + in, out := &in.MountSelector, &out.MountSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) @@ -397,6 +420,7 @@ func (in *SecretBackendV2Status) DeepCopy() *SecretBackendV2Status { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretInitParameters) DeepCopyInto(out *SecretInitParameters) { *out = *in + out.DataJSONSecretRef = in.DataJSONSecretRef if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) @@ -584,6 +608,7 @@ func (in *SecretV2InitParameters) DeepCopyInto(out *SecretV2InitParameters) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + out.DataJSONSecretRef = in.DataJSONSecretRef if in.DeleteAllVersions != nil { in, out := &in.DeleteAllVersions, &out.DeleteAllVersions *out = new(bool) 
@@ -599,6 +624,16 @@ func (in *SecretV2InitParameters) DeepCopyInto(out *SecretV2InitParameters) { *out = new(string) **out = **in } + if in.MountRef != nil { + in, out := &in.MountRef, &out.MountRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.MountSelector != nil { + in, out := &in.MountSelector, &out.MountSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Name != nil { in, out := &in.Name, &out.Name *out = new(string) @@ -617,7 +652,8 @@ func (in *SecretV2InitParameters) DeepCopyInto(out *SecretV2InitParameters) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -706,7 +742,8 @@ func (in *SecretV2Observation) DeepCopyInto(out *SecretV2Observation) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -736,7 +773,8 @@ func (in *SecretV2Observation) DeepCopyInto(out *SecretV2Observation) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -791,6 +829,16 @@ func (in *SecretV2Parameters) DeepCopyInto(out *SecretV2Parameters) { *out = new(string) **out = **in } + if in.MountRef != nil { + in, out := &in.MountRef, &out.MountRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.MountSelector != nil { + in, out := &in.MountSelector, &out.MountSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Name != nil { in, out := &in.Name, &out.Name *out = new(string) @@ -809,7 +857,8 @@ func (in *SecretV2Parameters) DeepCopyInto(out *SecretV2Parameters) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } 
diff --git a/apis/kv/v1alpha1/zz_generated.managed.go b/apis/kv/v1alpha1/zz_generated.managed.go index 95e2488e..8bad3aa3 100644 --- a/apis/kv/v1alpha1/zz_generated.managed.go +++ b/apis/kv/v1alpha1/zz_generated.managed.go @@ -27,14 +27,6 @@ func (mg *Secret) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this Secret. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *Secret) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this Secret. func (mg *Secret) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -65,14 +57,6 @@ func (mg *Secret) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this Secret. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *Secret) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this Secret. func (mg *Secret) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -103,14 +87,6 @@ func (mg *SecretBackendV2) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretBackendV2. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretBackendV2) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretBackendV2. func (mg *SecretBackendV2) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -141,14 +117,6 @@ func (mg *SecretBackendV2) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretBackendV2. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretBackendV2) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretBackendV2. func (mg *SecretBackendV2) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -179,14 +147,6 @@ func (mg *SecretV2) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretV2. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretV2) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretV2. func (mg *SecretV2) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -217,14 +177,6 @@ func (mg *SecretV2) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretV2. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretV2) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretV2. func (mg *SecretV2) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/kv/v1alpha1/zz_generated.resolvers.go b/apis/kv/v1alpha1/zz_generated.resolvers.go new file mode 100644 index 00000000..ccbaadae --- /dev/null +++ b/apis/kv/v1alpha1/zz_generated.resolvers.go 
@@ -0,0 +1,99 @@ +/* +Copyright 2022 Upbound Inc. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + reference "github.com/crossplane/crossplane-runtime/pkg/reference" + resource "github.com/crossplane/upjet/pkg/resource" + errors "github.com/pkg/errors" + v1alpha1 "github.com/upbound/provider-vault/apis/vault/v1alpha1" + client "sigs.k8s.io/controller-runtime/pkg/client" +) + +// ResolveReferences of this SecretBackendV2. +func (mg *SecretBackendV2) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Mount), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.MountRef, + Selector: mg.Spec.ForProvider.MountSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Mount") + } + mg.Spec.ForProvider.Mount = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.MountRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Mount), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.MountRef, + Selector: mg.Spec.InitProvider.MountSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Mount") + } + mg.Spec.InitProvider.Mount = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.MountRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this SecretV2. 
+func (mg *SecretV2) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Mount), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.MountRef, + Selector: mg.Spec.ForProvider.MountSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Mount") + } + mg.Spec.ForProvider.Mount = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.MountRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Mount), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.MountRef, + Selector: mg.Spec.InitProvider.MountSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Mount") + } + mg.Spec.InitProvider.Mount = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.MountRef = rsp.ResolvedReference + + return nil +} diff --git a/apis/kv/v1alpha1/zz_generated_terraformed.go b/apis/kv/v1alpha1/zz_generated_terraformed.go deleted file mode 100755 index c3c99575..00000000 --- a/apis/kv/v1alpha1/zz_generated_terraformed.go +++ /dev/null 
@@ -1,266 +0,0 @@ -/* -Copyright 2022 Upbound Inc. -*/ - -// Code generated by upjet. DO NOT EDIT. - -package v1alpha1 - -import ( - "github.com/pkg/errors" - - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" -) - -// GetTerraformResourceType returns Terraform resource type for this Secret -func (mg *Secret) GetTerraformResourceType() string { - return "vault_kv_secret" -} - -// GetConnectionDetailsMapping for this Secret -func (tr *Secret) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"data": "status.atProvider.data", "data_json": "spec.forProvider.dataJsonSecretRef"} -} - -// GetObservation of this Secret -func (tr *Secret) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this Secret -func (tr *Secret) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this Secret -func (tr *Secret) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this Secret -func (tr *Secret) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this Secret -func (tr *Secret) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this Secret -func (tr *Secret) GetInitParameters() (map[string]any, error) { - p, err := 
json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this Secret using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *Secret) LateInitialize(attrs []byte) (bool, error) { - params := &SecretParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *Secret) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this SecretBackendV2 -func (mg *SecretBackendV2) GetTerraformResourceType() string { - return "vault_kv_secret_backend_v2" -} - -// GetConnectionDetailsMapping for this SecretBackendV2 -func (tr *SecretBackendV2) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this SecretBackendV2 -func (tr *SecretBackendV2) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretBackendV2 -func (tr *SecretBackendV2) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this SecretBackendV2 -func (tr *SecretBackendV2) GetID() string { - if tr.Status.AtProvider.ID == nil { - 
return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this SecretBackendV2 -func (tr *SecretBackendV2) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this SecretBackendV2 -func (tr *SecretBackendV2) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this SecretBackendV2 -func (tr *SecretBackendV2) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this SecretBackendV2 using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretBackendV2) LateInitialize(attrs []byte) (bool, error) { - params := &SecretBackendV2Parameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretBackendV2) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this SecretV2 -func (mg *SecretV2) GetTerraformResourceType() string { - return "vault_kv_secret_v2" -} - -// GetConnectionDetailsMapping for this SecretV2 -func (tr *SecretV2) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"data": "status.atProvider.data", "data_json": "spec.forProvider.dataJsonSecretRef"} -} - -// GetObservation of this SecretV2 -func (tr *SecretV2) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretV2 -func (tr *SecretV2) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this SecretV2 -func (tr *SecretV2) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this SecretV2 -func (tr *SecretV2) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this SecretV2 -func (tr *SecretV2) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this SecretV2 -func (tr *SecretV2) GetInitParameters() (map[string]any, error) { - p, err := 
json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this SecretV2 using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretV2) LateInitialize(attrs []byte) (bool, error) { - params := &SecretV2Parameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretV2) GetTerraformSchemaVersion() int { - return 0 -} diff --git a/apis/kv/v1alpha1/zz_secret_terraformed.go b/apis/kv/v1alpha1/zz_secret_terraformed.go new file mode 100755 index 00000000..d888c23a --- /dev/null +++ b/apis/kv/v1alpha1/zz_secret_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this Secret +func (mg *Secret) GetTerraformResourceType() string { + return "vault_kv_secret" +} + +// GetConnectionDetailsMapping for this Secret +func (tr *Secret) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"data": "status.atProvider.data", "data_json": "dataJsonSecretRef"} +} + +// GetObservation of this Secret +func (tr *Secret) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this Secret +func (tr *Secret) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this Secret +func (tr *Secret) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this Secret +func (tr *Secret) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this Secret +func (tr *Secret) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this Secret +func (tr *Secret) GetInitParameters() (map[string]any, error) { + p, err := 
json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this Secret +func (tr *Secret) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this Secret using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *Secret) LateInitialize(attrs []byte) (bool, error) { + params := &SecretParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *Secret) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/kv/v1alpha1/zz_secret_types.go b/apis/kv/v1alpha1/zz_secret_types.go index 16a94d9b..62c22013 100755 --- a/apis/kv/v1alpha1/zz_secret_types.go +++ b/apis/kv/v1alpha1/zz_secret_types.go @@ -15,6 +15,11 @@ import ( type SecretInitParameters struct { + // JSON-encoded string that will be + // written as the secret data at the given path. + // JSON-encoded secret data to write. + DataJSONSecretRef v1.SecretKeySelector `json:"dataJsonSecretRef" tf:"-"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. @@ -68,9 +73,8 @@ type SecretParameters struct { type SecretSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -89,19 +93,20 @@ type SecretStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // Secret is the Schema for the Secrets API. Writes a KV-V1 secret to a given path in Vault -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type Secret struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.dataJsonSecretRef)",message="dataJsonSecretRef is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || has(self.initProvider.path)",message="path is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.dataJsonSecretRef)",message="spec.forProvider.dataJsonSecretRef is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || 
(has(self.initProvider) && has(self.initProvider.path))",message="spec.forProvider.path is a required parameter" Spec SecretSpec `json:"spec"` Status SecretStatus `json:"status,omitempty"` } diff --git a/apis/kv/v1alpha1/zz_secretbackendv2_terraformed.go b/apis/kv/v1alpha1/zz_secretbackendv2_terraformed.go new file mode 100755 index 00000000..96b4e351 --- /dev/null +++ b/apis/kv/v1alpha1/zz_secretbackendv2_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretBackendV2 +func (mg *SecretBackendV2) GetTerraformResourceType() string { + return "vault_kv_secret_backend_v2" +} + +// GetConnectionDetailsMapping for this SecretBackendV2 +func (tr *SecretBackendV2) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this SecretBackendV2 +func (tr *SecretBackendV2) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretBackendV2 +func (tr *SecretBackendV2) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretBackendV2 +func (tr *SecretBackendV2) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretBackendV2 +func (tr *SecretBackendV2) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretBackendV2 +func (tr *SecretBackendV2) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this SecretBackendV2 +func (tr 
*SecretBackendV2) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretBackendV2 +func (tr *SecretBackendV2) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretBackendV2 using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *SecretBackendV2) LateInitialize(attrs []byte) (bool, error) { + params := &SecretBackendV2Parameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretBackendV2) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/kv/v1alpha1/zz_secretbackendv2_types.go b/apis/kv/v1alpha1/zz_secretbackendv2_types.go index ea406af2..cb332fe7 100755 --- a/apis/kv/v1alpha1/zz_secretbackendv2_types.go +++ b/apis/kv/v1alpha1/zz_secretbackendv2_types.go @@ -31,8 +31,18 @@ type SecretBackendV2InitParameters struct { // Path where KV-V2 engine is mounted. // Path where KV-V2 engine is mounted. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Mount *string `json:"mount,omitempty" tf:"mount,omitempty"` + // Reference to a Mount in vault to populate mount. + // +kubebuilder:validation:Optional + MountRef *v1.Reference `json:"mountRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate mount. + // +kubebuilder:validation:Optional + MountSelector *v1.Selector `json:"mountSelector,omitempty" tf:"-"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. 
@@ -92,9 +102,19 @@ type SecretBackendV2Parameters struct { // Path where KV-V2 engine is mounted. // Path where KV-V2 engine is mounted. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Mount *string `json:"mount,omitempty" tf:"mount,omitempty"` + // Reference to a Mount in vault to populate mount. + // +kubebuilder:validation:Optional + MountRef *v1.Reference `json:"mountRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate mount. + // +kubebuilder:validation:Optional + MountSelector *v1.Selector `json:"mountSelector,omitempty" tf:"-"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. @@ -108,9 +128,8 @@ type SecretBackendV2Parameters struct { type SecretBackendV2Spec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendV2Parameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -129,20 +148,20 @@ type SecretBackendV2Status struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretBackendV2 is the Schema for the SecretBackendV2s API. Configures KV-V2 backend level settings that are applied to every key in the key-value store. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretBackendV2 struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.mount) || has(self.initProvider.mount)",message="mount is a required parameter" - Spec SecretBackendV2Spec `json:"spec"` - Status SecretBackendV2Status `json:"status,omitempty"` + Spec SecretBackendV2Spec `json:"spec"` + Status SecretBackendV2Status `json:"status,omitempty"` } // +kubebuilder:object:root=true diff --git a/apis/kv/v1alpha1/zz_secretv2_terraformed.go b/apis/kv/v1alpha1/zz_secretv2_terraformed.go new file mode 100755 index 00000000..6c838785 --- /dev/null +++ b/apis/kv/v1alpha1/zz_secretv2_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretV2 +func (mg *SecretV2) GetTerraformResourceType() string { + return "vault_kv_secret_v2" +} + +// GetConnectionDetailsMapping for this SecretV2 +func (tr *SecretV2) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"data": "status.atProvider.data", "data_json": "dataJsonSecretRef"} +} + +// GetObservation of this SecretV2 +func (tr *SecretV2) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretV2 +func (tr *SecretV2) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretV2 +func (tr *SecretV2) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretV2 +func (tr *SecretV2) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretV2 +func (tr *SecretV2) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this SecretV2 +func (tr *SecretV2) GetInitParameters() 
(map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretV2 +func (tr *SecretV2) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretV2 using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *SecretV2) LateInitialize(attrs []byte) (bool, error) { + params := &SecretV2Parameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretV2) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/kv/v1alpha1/zz_secretv2_types.go b/apis/kv/v1alpha1/zz_secretv2_types.go index 8e76708c..7a266c12 100755 --- a/apis/kv/v1alpha1/zz_secretv2_types.go +++ b/apis/kv/v1alpha1/zz_secretv2_types.go @@ -22,6 +22,7 @@ type CustomMetadataInitParameters struct { // A string to string map describing the secret. // A map of arbitrary string to string valued user-provided metadata meant to describe the secret. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // If set, specifies the length of time before @@ -43,6 +44,7 @@ type CustomMetadataObservation struct { // A string to string map describing the secret. // A map of arbitrary string to string valued user-provided metadata meant to describe the secret. + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // If set, specifies the length of time before @@ -66,6 +68,7 @@ type CustomMetadataParameters struct { // A string to string map describing the secret. // A map of arbitrary string to string valued user-provided metadata meant to describe the secret. // +kubebuilder:validation:Optional + // +mapType=granular Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` // If set, specifies the length of time before 
@@ -95,6 +98,11 @@ type SecretV2InitParameters struct { // Custom metadata to be set for the secret. CustomMetadata []CustomMetadataInitParameters `json:"customMetadata,omitempty" tf:"custom_metadata,omitempty"` + // JSON-encoded string that will be + // written as the secret data at the given path. + // JSON-encoded secret data to write. + DataJSONSecretRef v1.SecretKeySelector `json:"dataJsonSecretRef" tf:"-"` + // If set to true, permanently deletes all // versions for the specified key. // If set to true, permanently deletes all versions for the specified key. @@ -107,8 +115,18 @@ type SecretV2InitParameters struct { // Path where KV-V2 engine is mounted. // Path where KV-V2 engine is mounted. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Mount *string `json:"mount,omitempty" tf:"mount,omitempty"` + // Reference to a Mount in vault to populate mount. + // +kubebuilder:validation:Optional + MountRef *v1.Reference `json:"mountRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate mount. + // +kubebuilder:validation:Optional + MountSelector *v1.Selector `json:"mountSelector,omitempty" tf:"-"` + // Full name of the secret. For a nested secret // the name is the nested path excluding the mount and data // prefix. For example, for a secret at kvv2/data/foo/bar/baz @@ -125,6 +143,7 @@ type SecretV2InitParameters struct { // An object that holds option settings. // An object that holds option settings. + // +mapType=granular Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` } 
@@ -157,6 +176,7 @@ type SecretV2Observation struct { // Metadata associated with this secret read from Vault. // Metadata associated with this secret read from Vault. + // +mapType=granular Metadata map[string]*string `json:"metadata,omitempty" tf:"metadata,omitempty"` // Path where KV-V2 engine is mounted. @@ -179,6 +199,7 @@ type SecretV2Observation struct { // An object that holds option settings. // An object that holds option settings. + // +mapType=granular Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` // Full path where the KV-V2 secret will be written. @@ -223,9 +244,19 @@ type SecretV2Parameters struct { // Path where KV-V2 engine is mounted. // Path where KV-V2 engine is mounted. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Mount *string `json:"mount,omitempty" tf:"mount,omitempty"` + // Reference to a Mount in vault to populate mount. + // +kubebuilder:validation:Optional + MountRef *v1.Reference `json:"mountRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate mount. + // +kubebuilder:validation:Optional + MountSelector *v1.Selector `json:"mountSelector,omitempty" tf:"-"` + // Full name of the secret. For a nested secret // the name is the nested path excluding the mount and data // prefix. For example, for a secret at kvv2/data/foo/bar/baz @@ -245,6 +276,7 @@ type SecretV2Parameters struct { // An object that holds option settings. // An object that holds option settings. // +kubebuilder:validation:Optional + // +mapType=granular Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` } 
@@ -252,9 +284,8 @@ type SecretV2Parameters struct { type SecretV2Spec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretV2Parameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -273,20 +304,20 @@ type SecretV2Status struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretV2 is the Schema for the SecretV2s API. Writes a KV-V2 secret to a given path in Vault -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretV2 struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.dataJsonSecretRef)",message="dataJsonSecretRef is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.mount) || has(self.initProvider.mount)",message="mount is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || 
has(self.forProvider.dataJsonSecretRef)",message="spec.forProvider.dataJsonSecretRef is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" Spec SecretV2Spec `json:"spec"` Status SecretV2Status `json:"status,omitempty"` } diff --git a/apis/ldap/v1alpha1/zz_authbackend_terraformed.go b/apis/ldap/v1alpha1/zz_authbackend_terraformed.go new file mode 100755 index 00000000..bfb83d44 --- /dev/null +++ b/apis/ldap/v1alpha1/zz_authbackend_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this AuthBackend +func (mg *AuthBackend) GetTerraformResourceType() string { + return "vault_ldap_auth_backend" +} + +// GetConnectionDetailsMapping for this AuthBackend +func (tr *AuthBackend) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"bindpass": "bindpassSecretRef", "client_tls_key": "clientTlsKeySecretRef"} +} + +// GetObservation of this AuthBackend +func (tr *AuthBackend) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this AuthBackend +func (tr *AuthBackend) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this AuthBackend +func (tr *AuthBackend) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this AuthBackend +func (tr *AuthBackend) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this AuthBackend +func (tr *AuthBackend) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this 
AuthBackend +func (tr *AuthBackend) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this AuthBackend +func (tr *AuthBackend) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this AuthBackend using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *AuthBackend) LateInitialize(attrs []byte) (bool, error) { + params := &AuthBackendParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *AuthBackend) GetTerraformSchemaVersion() int { + return 2 +} diff --git a/apis/ldap/v1alpha1/zz_authbackend_types.go b/apis/ldap/v1alpha1/zz_authbackend_types.go index 85eabcb4..979a872c 100755 --- a/apis/ldap/v1alpha1/zz_authbackend_types.go +++ b/apis/ldap/v1alpha1/zz_authbackend_types.go @@ -16,12 +16,16 @@ import ( type AuthBackendInitParameters struct { Binddn *string `json:"binddn,omitempty" tf:"binddn,omitempty"` + BindpassSecretRef *v1.SecretKeySelector `json:"bindpassSecretRef,omitempty" tf:"-"` + CaseSensitiveNames *bool `json:"caseSensitiveNames,omitempty" tf:"case_sensitive_names,omitempty"` Certificate *string `json:"certificate,omitempty" tf:"certificate,omitempty"` ClientTLSCert *string `json:"clientTlsCert,omitempty" tf:"client_tls_cert,omitempty"` + ClientTLSKeySecretRef *v1.SecretKeySelector `json:"clientTlsKeySecretRef,omitempty" tf:"-"` + DenyNullBind *bool `json:"denyNullBind,omitempty" tf:"deny_null_bind,omitempty"` Description *string `json:"description,omitempty" tf:"description,omitempty"` @@ -56,6 +60,7 @@ type AuthBackendInitParameters struct { TLSMinVersion *string `json:"tlsMinVersion,omitempty" tf:"tls_min_version,omitempty"` // Specifies the blocks of IP addresses which are allowed to use the generated token + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // Generated Token's Explicit Maximum TTL in seconds @@ -74,6 +79,7 @@ type AuthBackendInitParameters struct { TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` // Generated Token's Policies + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The initial ttl of the token to generate in seconds 
@@ -147,6 +153,7 @@ type AuthBackendObservation struct { TLSMinVersion *string `json:"tlsMinVersion,omitempty" tf:"tls_min_version,omitempty"` // Specifies the blocks of IP addresses which are allowed to use the generated token + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // Generated Token's Explicit Maximum TTL in seconds @@ -165,6 +172,7 @@ type AuthBackendObservation struct { TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` // Generated Token's Policies + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The initial ttl of the token to generate in seconds @@ -259,6 +267,7 @@ type AuthBackendParameters struct { // Specifies the blocks of IP addresses which are allowed to use the generated token // +kubebuilder:validation:Optional + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // Generated Token's Explicit Maximum TTL in seconds @@ -283,6 +292,7 @@ type AuthBackendParameters struct { // Generated Token's Policies // +kubebuilder:validation:Optional + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The initial ttl of the token to generate in seconds 
@@ -320,9 +330,8 @@ type AuthBackendParameters struct { type AuthBackendSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -341,18 +350,19 @@ type AuthBackendStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // AuthBackend is the Schema for the AuthBackends API. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type AuthBackend struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.url) || has(self.initProvider.url)",message="url is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.url) || (has(self.initProvider) && has(self.initProvider.url))",message="spec.forProvider.url is a required parameter" Spec AuthBackendSpec `json:"spec"` Status AuthBackendStatus `json:"status,omitempty"` } diff --git a/apis/ldap/v1alpha1/zz_authbackendgroup_terraformed.go b/apis/ldap/v1alpha1/zz_authbackendgroup_terraformed.go new file mode 100755 index 00000000..9ea1d8c0 --- /dev/null +++ b/apis/ldap/v1alpha1/zz_authbackendgroup_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this AuthBackendGroup +func (mg *AuthBackendGroup) GetTerraformResourceType() string { + return "vault_ldap_auth_backend_group" +} + +// GetConnectionDetailsMapping for this AuthBackendGroup +func (tr *AuthBackendGroup) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this AuthBackendGroup +func (tr *AuthBackendGroup) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this AuthBackendGroup +func (tr *AuthBackendGroup) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this AuthBackendGroup +func (tr *AuthBackendGroup) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this AuthBackendGroup +func (tr *AuthBackendGroup) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this AuthBackendGroup +func (tr *AuthBackendGroup) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this AuthBackendGroup +func 
(tr *AuthBackendGroup) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this AuthBackendGroup +func (tr *AuthBackendGroup) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this AuthBackendGroup using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *AuthBackendGroup) LateInitialize(attrs []byte) (bool, error) { + params := &AuthBackendGroupParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *AuthBackendGroup) GetTerraformSchemaVersion() int { + return 1 +} diff --git a/apis/ldap/v1alpha1/zz_authbackendgroup_types.go b/apis/ldap/v1alpha1/zz_authbackendgroup_types.go index 143bdbc1..e097aac3 100755 --- a/apis/ldap/v1alpha1/zz_authbackendgroup_types.go +++ b/apis/ldap/v1alpha1/zz_authbackendgroup_types.go @@ -21,6 +21,7 @@ type AuthBackendGroupInitParameters struct { // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` } @@ -34,6 +35,7 @@ type AuthBackendGroupObservation struct { // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` } @@ -50,6 +52,7 @@ type AuthBackendGroupParameters struct { Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` // +kubebuilder:validation:Optional + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` } @@ -57,9 +60,8 @@ type AuthBackendGroupParameters struct { type AuthBackendGroupSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendGroupParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
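Review bot: The doc comment above `GetMergedParameters` in the new zz_authbackendgroup_terraformed.go reads `// GetInitParameters of this AuthBackendGroup`, copied from the method before it. It should read `// GetMergedParameters of this AuthBackendGroup`, and could state that forProvider values are kept when initProvider sets the same key, as the `c.Overwrite = false` override shows. The three `errors.Wrapf` calls in that method format the name with `'%q'`, which wraps it in both single and double quotes; `%q` alone is enough. Both points also apply to the AuthBackendUser and Keys copies later in this diff. The file is generated by upjet, so the correction belongs in the generator template rather than here.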
@@ -78,18 +80,19 @@ type AuthBackendGroupStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // AuthBackendGroup is the Schema for the AuthBackendGroups API. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type AuthBackendGroup struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.groupname) || has(self.initProvider.groupname)",message="groupname is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.groupname) || (has(self.initProvider) && has(self.initProvider.groupname))",message="spec.forProvider.groupname is a required parameter" Spec AuthBackendGroupSpec `json:"spec"` Status AuthBackendGroupStatus `json:"status,omitempty"` } diff --git a/apis/ldap/v1alpha1/zz_authbackenduser_terraformed.go b/apis/ldap/v1alpha1/zz_authbackenduser_terraformed.go new file mode 100755 index 00000000..6d5eea28 --- /dev/null +++ b/apis/ldap/v1alpha1/zz_authbackenduser_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this AuthBackendUser +func (mg *AuthBackendUser) GetTerraformResourceType() string { + return "vault_ldap_auth_backend_user" +} + +// GetConnectionDetailsMapping for this AuthBackendUser +func (tr *AuthBackendUser) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this AuthBackendUser +func (tr *AuthBackendUser) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this AuthBackendUser +func (tr *AuthBackendUser) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this AuthBackendUser +func (tr *AuthBackendUser) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this AuthBackendUser +func (tr *AuthBackendUser) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this AuthBackendUser +func (tr *AuthBackendUser) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this AuthBackendUser +func (tr 
*AuthBackendUser) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this AuthBackendUser +func (tr *AuthBackendUser) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this AuthBackendUser using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *AuthBackendUser) LateInitialize(attrs []byte) (bool, error) { + params := &AuthBackendUserParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *AuthBackendUser) GetTerraformSchemaVersion() int { + return 1 +} diff --git a/apis/ldap/v1alpha1/zz_authbackenduser_types.go b/apis/ldap/v1alpha1/zz_authbackenduser_types.go index 7015ba6e..e8c7d003 100755 --- a/apis/ldap/v1alpha1/zz_authbackenduser_types.go +++ b/apis/ldap/v1alpha1/zz_authbackenduser_types.go @@ -16,11 +16,13 @@ import ( type AuthBackendUserInitParameters struct { Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // +listType=set Groups []*string `json:"groups,omitempty" tf:"groups,omitempty"` // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` Username *string `json:"username,omitempty" tf:"username,omitempty"` @@ -29,6 +31,7 @@ type AuthBackendUserInitParameters struct { type AuthBackendUserObservation struct { Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // +listType=set Groups []*string `json:"groups,omitempty" tf:"groups,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` @@ -36,6 +39,7 @@ type AuthBackendUserObservation struct { // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` Username *string `json:"username,omitempty" tf:"username,omitempty"` @@ -47,6 +51,7 @@ type AuthBackendUserParameters struct { Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` // +kubebuilder:validation:Optional + // +listType=set Groups []*string `json:"groups,omitempty" tf:"groups,omitempty"` // Target namespace. (requires Enterprise) 
@@ -54,6 +59,7 @@ type AuthBackendUserParameters struct { Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` // +kubebuilder:validation:Optional + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` // +kubebuilder:validation:Optional @@ -64,9 +70,8 @@ type AuthBackendUserParameters struct { type AuthBackendUserSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendUserParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -85,18 +90,19 @@ type AuthBackendUserStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // AuthBackendUser is the Schema for the AuthBackendUsers API. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type AuthBackendUser struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.username) || has(self.initProvider.username)",message="username is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.username) || (has(self.initProvider) && has(self.initProvider.username))",message="spec.forProvider.username is a required parameter" Spec AuthBackendUserSpec `json:"spec"` Status AuthBackendUserStatus `json:"status,omitempty"` } diff --git a/apis/ldap/v1alpha1/zz_generated.conversion_hubs.go b/apis/ldap/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..a7987c3b --- /dev/null +++ b/apis/ldap/v1alpha1/zz_generated.conversion_hubs.go 
@@ -0,0 +1,16 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *AuthBackend) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *AuthBackendGroup) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *AuthBackendUser) Hub() {} diff --git a/apis/ldap/v1alpha1/zz_generated.deepcopy.go b/apis/ldap/v1alpha1/zz_generated.deepcopy.go index 3e1fa648..002f8076 100644 --- a/apis/ldap/v1alpha1/zz_generated.deepcopy.go +++ b/apis/ldap/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. @@ -271,6 +270,11 @@ func (in *AuthBackendInitParameters) DeepCopyInto(out *AuthBackendInitParameters *out = new(string) **out = **in } + if in.BindpassSecretRef != nil { + in, out := &in.BindpassSecretRef, &out.BindpassSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.CaseSensitiveNames != nil { in, out := &in.CaseSensitiveNames, &out.CaseSensitiveNames *out = new(bool) @@ -286,6 +290,11 @@ func (in *AuthBackendInitParameters) DeepCopyInto(out *AuthBackendInitParameters *out = new(string) **out = **in } + if in.ClientTLSKeySecretRef != nil { + in, out := &in.ClientTLSKeySecretRef, &out.ClientTLSKeySecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.DenyNullBind != nil { in, out := &in.DenyNullBind, &out.DenyNullBind *out = new(bool) diff --git a/apis/ldap/v1alpha1/zz_generated.managed.go b/apis/ldap/v1alpha1/zz_generated.managed.go index ae342697..82176535 100644 --- a/apis/ldap/v1alpha1/zz_generated.managed.go +++ b/apis/ldap/v1alpha1/zz_generated.managed.go 
@@ -27,14 +27,6 @@ func (mg *AuthBackend) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this AuthBackend. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *AuthBackend) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this AuthBackend. func (mg *AuthBackend) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -65,14 +57,6 @@ func (mg *AuthBackend) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this AuthBackend. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *AuthBackend) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this AuthBackend. func (mg *AuthBackend) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -103,14 +87,6 @@ func (mg *AuthBackendGroup) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this AuthBackendGroup. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *AuthBackendGroup) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this AuthBackendGroup. func (mg *AuthBackendGroup) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -141,14 +117,6 @@ func (mg *AuthBackendGroup) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this AuthBackendGroup. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *AuthBackendGroup) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this AuthBackendGroup. func (mg *AuthBackendGroup) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -179,14 +147,6 @@ func (mg *AuthBackendUser) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this AuthBackendUser. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *AuthBackendUser) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this AuthBackendUser. func (mg *AuthBackendUser) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -217,14 +177,6 @@ func (mg *AuthBackendUser) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this AuthBackendUser. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *AuthBackendUser) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this AuthBackendUser. func (mg *AuthBackendUser) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/ldap/v1alpha1/zz_generated_terraformed.go b/apis/ldap/v1alpha1/zz_generated_terraformed.go deleted file mode 100755 index 0fa258bd..00000000 --- a/apis/ldap/v1alpha1/zz_generated_terraformed.go +++ /dev/null 
@@ -1,266 +0,0 @@ -/* -Copyright 2022 Upbound Inc. -*/ - -// Code generated by upjet. DO NOT EDIT. - -package v1alpha1 - -import ( - "github.com/pkg/errors" - - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" -) - -// GetTerraformResourceType returns Terraform resource type for this AuthBackend -func (mg *AuthBackend) GetTerraformResourceType() string { - return "vault_ldap_auth_backend" -} - -// GetConnectionDetailsMapping for this AuthBackend -func (tr *AuthBackend) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"bindpass": "spec.forProvider.bindpassSecretRef", "client_tls_key": "spec.forProvider.clientTlsKeySecretRef"} -} - -// GetObservation of this AuthBackend -func (tr *AuthBackend) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this AuthBackend -func (tr *AuthBackend) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this AuthBackend -func (tr *AuthBackend) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this AuthBackend -func (tr *AuthBackend) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this AuthBackend -func (tr *AuthBackend) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this 
AuthBackend -func (tr *AuthBackend) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this AuthBackend using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *AuthBackend) LateInitialize(attrs []byte) (bool, error) { - params := &AuthBackendParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *AuthBackend) GetTerraformSchemaVersion() int { - return 2 -} - -// GetTerraformResourceType returns Terraform resource type for this AuthBackendGroup -func (mg *AuthBackendGroup) GetTerraformResourceType() string { - return "vault_ldap_auth_backend_group" -} - -// GetConnectionDetailsMapping for this AuthBackendGroup -func (tr *AuthBackendGroup) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this AuthBackendGroup -func (tr *AuthBackendGroup) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this AuthBackendGroup -func (tr *AuthBackendGroup) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying 
Terraform resource of this AuthBackendGroup -func (tr *AuthBackendGroup) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this AuthBackendGroup -func (tr *AuthBackendGroup) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this AuthBackendGroup -func (tr *AuthBackendGroup) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this AuthBackendGroup -func (tr *AuthBackendGroup) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this AuthBackendGroup using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *AuthBackendGroup) LateInitialize(attrs []byte) (bool, error) { - params := &AuthBackendGroupParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *AuthBackendGroup) GetTerraformSchemaVersion() int { - return 1 -} - -// GetTerraformResourceType returns Terraform resource type for this AuthBackendUser -func (mg *AuthBackendUser) GetTerraformResourceType() string { - return "vault_ldap_auth_backend_user" -} - -// GetConnectionDetailsMapping for this AuthBackendUser -func (tr *AuthBackendUser) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this AuthBackendUser -func (tr *AuthBackendUser) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this AuthBackendUser -func (tr *AuthBackendUser) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this AuthBackendUser -func (tr *AuthBackendUser) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this AuthBackendUser -func (tr *AuthBackendUser) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this AuthBackendUser -func (tr *AuthBackendUser) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this AuthBackendUser -func (tr *AuthBackendUser) GetInitParameters() (map[string]any, error) { - p, err 
:= json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this AuthBackendUser using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *AuthBackendUser) LateInitialize(attrs []byte) (bool, error) { - params := &AuthBackendUserParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *AuthBackendUser) GetTerraformSchemaVersion() int { - return 1 -} diff --git a/apis/managed/v1alpha1/zz_generated.conversion_hubs.go b/apis/managed/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..e94003ce --- /dev/null +++ b/apis/managed/v1alpha1/zz_generated.conversion_hubs.go @@ -0,0 +1,10 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *Keys) Hub() {} diff --git a/apis/managed/v1alpha1/zz_generated.deepcopy.go b/apis/managed/v1alpha1/zz_generated.deepcopy.go index 25e6da5c..7eadba8d 100644 --- a/apis/managed/v1alpha1/zz_generated.deepcopy.go +++ b/apis/managed/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. diff --git a/apis/managed/v1alpha1/zz_generated.managed.go b/apis/managed/v1alpha1/zz_generated.managed.go index 8c52fe3a..8ade75ab 100644 --- a/apis/managed/v1alpha1/zz_generated.managed.go 
+++ b/apis/managed/v1alpha1/zz_generated.managed.go @@ -27,14 +27,6 @@ func (mg *Keys) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this Keys. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *Keys) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this Keys. func (mg *Keys) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -65,14 +57,6 @@ func (mg *Keys) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this Keys. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *Keys) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this Keys. func (mg *Keys) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/managed/v1alpha1/zz_generated_terraformed.go b/apis/managed/v1alpha1/zz_keys_terraformed.go similarity index 69% rename from apis/managed/v1alpha1/zz_generated_terraformed.go rename to apis/managed/v1alpha1/zz_keys_terraformed.go index 97517724..4a648a11 100755 --- a/apis/managed/v1alpha1/zz_generated_terraformed.go +++ b/apis/managed/v1alpha1/zz_keys_terraformed.go @@ -7,10 +7,11 @@ Copyright 2022 Upbound Inc. package v1alpha1 import ( + "dario.cat/mergo" "github.com/pkg/errors" - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" ) // GetTerraformResourceType returns Terraform resource type for this Keys 
@@ -79,6 +80,36 @@ func (tr *Keys) GetInitParameters() (map[string]any, error) { return base, json.TFParser.Unmarshal(p, &base) } +// GetInitParameters of this Keys +func (tr *Keys) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + // LateInitialize this Keys using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *Keys) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/managed/v1alpha1/zz_keys_types.go b/apis/managed/v1alpha1/zz_keys_types.go index 731a7ff4..5a426f67 100755 --- a/apis/managed/v1alpha1/zz_keys_types.go +++ b/apis/managed/v1alpha1/zz_keys_types.go @@ -145,7 +145,7 @@ type AwsParameters struct { // The AWS access key to use. // The AWS access key to use // +kubebuilder:validation:Optional - AccessKey *string `json:"accessKey,omitempty" tf:"access_key,omitempty"` + AccessKey *string `json:"accessKey" tf:"access_key,omitempty"` // If no existing key can be found in // the referenced backend, instructs Vault to generate a key within the backend. 
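Review bot: `AccessKey` in `AwsParameters` remains a plain `*string` under `spec.forProvider`, as do `SecretKey` in the next hunk, `ClientSecret` in `AzureParameters` and `Pin` in `PkcsParameters`, so these credentials sit in clear text in the managed resource and can be read by anyone allowed to get the object. The commit only drops `omitempty` from the JSON tags; it does not move the values behind a secret reference. The Duo types in this same commit use the safer shape, `SecretKeySecretRef v1.SecretKeySelector`, and these fields should follow it. Because the file is generated, the fix presumably belongs in the generator's resource configuration (marking the fields sensitive) rather than in this file. The struct bodies continue outside the hunks.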
@@ -187,22 +187,22 @@ type AwsParameters struct { // An identifier for the key. // An identifier for the key // +kubebuilder:validation:Optional - KMSKey *string `json:"kmsKey,omitempty" tf:"kms_key,omitempty"` + KMSKey *string `json:"kmsKey" tf:"kms_key,omitempty"` // The size in bits for an RSA key. // The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' // +kubebuilder:validation:Optional - KeyBits *string `json:"keyBits,omitempty" tf:"key_bits,omitempty"` + KeyBits *string `json:"keyBits" tf:"key_bits,omitempty"` // The type of key to use. // The type of key to use // +kubebuilder:validation:Optional - KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"` + KeyType *string `json:"keyType" tf:"key_type,omitempty"` // A unique lowercase name that serves as identifying the key. // A unique lowercase name that serves as identifying the key // +kubebuilder:validation:Optional - Name *string `json:"name,omitempty" tf:"name,omitempty"` + Name *string `json:"name" tf:"name,omitempty"` // The AWS region where the keys are stored (or will be stored). // The AWS region where the keys are stored (or will be stored) @@ -212,7 +212,7 @@ type AwsParameters struct { // The AWS access key to use. // The AWS secret key to use // +kubebuilder:validation:Optional - SecretKey *string `json:"secretKey,omitempty" tf:"secret_key,omitempty"` + SecretKey *string `json:"secretKey" tf:"secret_key,omitempty"` } type AzureInitParameters struct { 
@@ -379,12 +379,12 @@ type AzureParameters struct { // The client id for credentials to query the Azure APIs. // The client id for credentials to query the Azure APIs // +kubebuilder:validation:Optional - ClientID *string `json:"clientId,omitempty" tf:"client_id,omitempty"` + ClientID *string `json:"clientId" tf:"client_id,omitempty"` // The client secret for credentials to query the Azure APIs. // The client secret for credentials to query the Azure APIs // +kubebuilder:validation:Optional - ClientSecret *string `json:"clientSecret,omitempty" tf:"client_secret,omitempty"` + ClientSecret *string `json:"clientSecret" tf:"client_secret,omitempty"` // The Azure Cloud environment API endpoints to use. // The Azure Cloud environment API endpoints to use @@ -399,17 +399,17 @@ type AzureParameters struct { // The Key Vault key to use for encryption and decryption. // The Key Vault key to use for encryption and decryption // +kubebuilder:validation:Optional - KeyName *string `json:"keyName,omitempty" tf:"key_name,omitempty"` + KeyName *string `json:"keyName" tf:"key_name,omitempty"` // The type of key to use. // The type of key to use // +kubebuilder:validation:Optional - KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"` + KeyType *string `json:"keyType" tf:"key_type,omitempty"` // A unique lowercase name that serves as identifying the key. // A unique lowercase name that serves as identifying the key // +kubebuilder:validation:Optional - Name *string `json:"name,omitempty" tf:"name,omitempty"` + Name *string `json:"name" tf:"name,omitempty"` // The Azure Key Vault resource's DNS Suffix to connect to. // The Azure Key Vault resource's DNS Suffix to connect to 
@@ -419,12 +419,12 @@ type AzureParameters struct { // The tenant id for the Azure Active Directory organization. // The tenant id for the Azure Active Directory organization // +kubebuilder:validation:Optional - TenantID *string `json:"tenantId,omitempty" tf:"tenant_id,omitempty"` + TenantID *string `json:"tenantId" tf:"tenant_id,omitempty"` // The Key Vault vault to use for encryption and decryption. // The Key Vault vault to use the encryption keys for encryption and decryption // +kubebuilder:validation:Optional - VaultName *string `json:"vaultName,omitempty" tf:"vault_name,omitempty"` + VaultName *string `json:"vaultName" tf:"vault_name,omitempty"` } type KeysInitParameters struct { 
@@ -689,34 +689,34 @@ type PkcsParameters struct { // The id of a PKCS#11 key to use. // The id of a PKCS#11 key to use // +kubebuilder:validation:Optional - KeyID *string `json:"keyId,omitempty" tf:"key_id,omitempty"` + KeyID *string `json:"keyId" tf:"key_id,omitempty"` // The label of the key to use. // The label of the key to use // +kubebuilder:validation:Optional - KeyLabel *string `json:"keyLabel,omitempty" tf:"key_label,omitempty"` + KeyLabel *string `json:"keyLabel" tf:"key_label,omitempty"` // The name of the kms_library stanza to use from Vault's config // to lookup the local library path. // The name of the kms_library stanza to use from Vault's config to lookup the local library path // +kubebuilder:validation:Optional - Library *string `json:"library,omitempty" tf:"library,omitempty"` + Library *string `json:"library" tf:"library,omitempty"` // The encryption/decryption mechanism to use, specified as a // hexadecimal (prefixed by 0x) string. // The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string. // +kubebuilder:validation:Optional - Mechanism *string `json:"mechanism,omitempty" tf:"mechanism,omitempty"` + Mechanism *string `json:"mechanism" tf:"mechanism,omitempty"` // A unique lowercase name that serves as identifying the key. // A unique lowercase name that serves as identifying the key // +kubebuilder:validation:Optional - Name *string `json:"name,omitempty" tf:"name,omitempty"` + Name *string `json:"name" tf:"name,omitempty"` // The PIN for login. // The PIN for login // +kubebuilder:validation:Optional - Pin *string `json:"pin,omitempty" tf:"pin,omitempty"` + Pin *string `json:"pin" tf:"pin,omitempty"` // The slot number to use, specified as a string in a decimal format // (e.g. 2305843009213693953). 
@@ -734,9 +734,8 @@ type PkcsParameters struct { type KeysSpec struct { v1.ResourceSpec `json:",inline"` ForProvider KeysParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. @@ -755,13 +754,14 @@ type KeysStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // Keys is the Schema for the Keyss API. Configures Managed Keys in Vault -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type Keys struct { metav1.TypeMeta `json:",inline"` diff --git a/apis/mfa/v1alpha1/zz_duo_terraformed.go b/apis/mfa/v1alpha1/zz_duo_terraformed.go new file mode 100755 index 00000000..df33f629 --- /dev/null +++ b/apis/mfa/v1alpha1/zz_duo_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this Duo +func (mg *Duo) GetTerraformResourceType() string { + return "vault_mfa_duo" +} + +// GetConnectionDetailsMapping for this Duo +func (tr *Duo) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"integration_key": "integrationKeySecretRef", "secret_key": "secretKeySecretRef"} +} + +// GetObservation of this Duo +func (tr *Duo) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this Duo +func (tr *Duo) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this Duo +func (tr *Duo) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this Duo +func (tr *Duo) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this Duo +func (tr *Duo) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this Duo +func (tr *Duo) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + 
if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this Duo +func (tr *Duo) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this Duo using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *Duo) LateInitialize(attrs []byte) (bool, error) { + params := &DuoParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *Duo) GetTerraformSchemaVersion() int { + return 0 +} 
diff --git a/apis/mfa/v1alpha1/zz_duo_types.go b/apis/mfa/v1alpha1/zz_duo_types.go index 6622fb53..44bd8871 100755 --- a/apis/mfa/v1alpha1/zz_duo_types.go +++ b/apis/mfa/v1alpha1/zz_duo_types.go @@ -19,10 +19,24 @@ type DuoInitParameters struct { // API hostname for Duo. APIHostname *string `json:"apiHostname,omitempty" tf:"api_hostname,omitempty"` + // Integration key for Duo. + // Integration key for Duo. + IntegrationKeySecretRef v1.SecretKeySelector `json:"integrationKeySecretRef" tf:"-"` + // The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. // The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("accessor",true) MountAccessor *string `json:"mountAccessor,omitempty" tf:"mount_accessor,omitempty"` + // Reference to a Backend in auth to populate mountAccessor. + // +kubebuilder:validation:Optional + MountAccessorRef *v1.Reference `json:"mountAccessorRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate mountAccessor. + // +kubebuilder:validation:Optional + MountAccessorSelector *v1.Selector `json:"mountAccessorSelector,omitempty" tf:"-"` + // (string: ) – Name of the MFA method. // Name of the MFA method. Name *string `json:"name,omitempty" tf:"name,omitempty"` 
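Review bot: `IntegrationKeySecretRef` is added to `DuoInitParameters` as a non-pointer `v1.SecretKeySelector` tagged `json:"integrationKeySecretRef"` with no `+kubebuilder:validation:Optional` marker, so the generated CRD will presumably require it whenever `spec.initProvider` is set at all. `SecretKeySecretRef` in the next hunk has the same shape. The validation rules on `Duo` accept the reference only under `forProvider`, so a user who sets any `initProvider` field may have to name the secret in two places. I would make both fields optional pointers, `IntegrationKeySecretRef *v1.SecretKeySelector` with `json:"integrationKeySecretRef,omitempty"`, a change that has to be made in the generator rather than in this file. `DuoInitParameters` starts and ends outside the hunk.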
@@ -38,6 +52,10 @@ type DuoInitParameters struct { // Push information for Duo. PushInfo *string `json:"pushInfo,omitempty" tf:"push_info,omitempty"` + // Secret key for Duo. + // Secret key for Duo. + SecretKeySecretRef v1.SecretKeySelector `json:"secretKeySecretRef" tf:"-"` + // A format string for mapping Identity names to MFA method names. Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". If blank, the Alias's Name field will be used as-is. Currently-supported mappings: // A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. UsernameFormat *string `json:"usernameFormat,omitempty" tf:"username_format,omitempty"` @@ -89,9 +107,19 @@ type DuoParameters struct { // The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. // The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("accessor",true) // +kubebuilder:validation:Optional MountAccessor *string `json:"mountAccessor,omitempty" tf:"mount_accessor,omitempty"` + // Reference to a Backend in auth to populate mountAccessor. + // +kubebuilder:validation:Optional + MountAccessorRef *v1.Reference `json:"mountAccessorRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate mountAccessor. + // +kubebuilder:validation:Optional + MountAccessorSelector *v1.Selector `json:"mountAccessorSelector,omitempty" tf:"-"` + // (string: ) – Name of the MFA method. // Name of the MFA method. // +kubebuilder:validation:Optional 
@@ -125,9 +153,8 @@ type DuoParameters struct { type DuoSpec struct { v1.ResourceSpec `json:",inline"` ForProvider DuoParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -146,22 +173,22 @@ type DuoStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // Duo is the Schema for the Duos API. Managing the MFA Duo method configuration -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type Duo struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.apiHostname) || has(self.initProvider.apiHostname)",message="apiHostname is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.integrationKeySecretRef)",message="integrationKeySecretRef is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.mountAccessor) || has(self.initProvider.mountAccessor)",message="mountAccessor is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || 
has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.secretKeySecretRef)",message="secretKeySecretRef is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.apiHostname) || (has(self.initProvider) && has(self.initProvider.apiHostname))",message="spec.forProvider.apiHostname is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.integrationKeySecretRef)",message="spec.forProvider.integrationKeySecretRef is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.secretKeySecretRef)",message="spec.forProvider.secretKeySecretRef is a required parameter" Spec DuoSpec `json:"spec"` Status DuoStatus `json:"status,omitempty"` } diff --git a/apis/mfa/v1alpha1/zz_generated.conversion_hubs.go b/apis/mfa/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..e7895038 --- /dev/null +++ b/apis/mfa/v1alpha1/zz_generated.conversion_hubs.go 
@@ -0,0 +1,19 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *Duo) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *Okta) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *Pingid) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *Totp) Hub() {} diff --git a/apis/mfa/v1alpha1/zz_generated.deepcopy.go b/apis/mfa/v1alpha1/zz_generated.deepcopy.go index 48961054..d3beedb5 100644 --- a/apis/mfa/v1alpha1/zz_generated.deepcopy.go +++ b/apis/mfa/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. @@ -10,6 +9,7 @@ Copyright 2022 Upbound Inc. package v1alpha1 import ( + "github.com/crossplane/crossplane-runtime/apis/common/v1" runtime "k8s.io/apimachinery/pkg/runtime" ) @@ -48,11 +48,22 @@ func (in *DuoInitParameters) DeepCopyInto(out *DuoInitParameters) { *out = new(string) **out = **in } + out.IntegrationKeySecretRef = in.IntegrationKeySecretRef if in.MountAccessor != nil { in, out := &in.MountAccessor, &out.MountAccessor *out = new(string) **out = **in } + if in.MountAccessorRef != nil { + in, out := &in.MountAccessorRef, &out.MountAccessorRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.MountAccessorSelector != nil { + in, out := &in.MountAccessorSelector, &out.MountAccessorSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Name != nil { in, out := &in.Name, &out.Name *out = new(string) @@ -68,6 +79,7 @@ func (in *DuoInitParameters) DeepCopyInto(out *DuoInitParameters) { *out = new(string) **out = **in } + out.SecretKeySecretRef = in.SecretKeySecretRef if in.UsernameFormat != nil { in, out := &in.UsernameFormat, &out.UsernameFormat *out = new(string) 
@@ -181,6 +193,16 @@ func (in *DuoParameters) DeepCopyInto(out *DuoParameters) { *out = new(string) **out = **in } + if in.MountAccessorRef != nil { + in, out := &in.MountAccessorRef, &out.MountAccessorRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.MountAccessorSelector != nil { + in, out := &in.MountAccessorSelector, &out.MountAccessorSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Name != nil { in, out := &in.Name, &out.Name *out = new(string) @@ -279,6 +301,7 @@ func (in *Okta) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OktaInitParameters) DeepCopyInto(out *OktaInitParameters) { *out = *in + out.APITokenSecretRef = in.APITokenSecretRef if in.BaseURL != nil { in, out := &in.BaseURL, &out.BaseURL *out = new(string) @@ -289,6 +312,16 @@ func (in *OktaInitParameters) DeepCopyInto(out *OktaInitParameters) { *out = new(string) **out = **in } + if in.MountAccessorRef != nil { + in, out := &in.MountAccessorRef, &out.MountAccessorRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.MountAccessorSelector != nil { + in, out := &in.MountAccessorSelector, &out.MountAccessorSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Name != nil { in, out := &in.Name, &out.Name *out = new(string) @@ -427,6 +460,16 @@ func (in *OktaParameters) DeepCopyInto(out *OktaParameters) { *out = new(string) **out = **in } + if in.MountAccessorRef != nil { + in, out := &in.MountAccessorRef, &out.MountAccessorRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.MountAccessorSelector != nil { + in, out := &in.MountAccessorSelector, &out.MountAccessorSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Name != nil { in, out := &in.Name, &out.Name *out = new(string) 
@@ -534,6 +577,16 @@ func (in *PingidInitParameters) DeepCopyInto(out *PingidInitParameters) { *out = new(string) **out = **in } + if in.MountAccessorRef != nil { + in, out := &in.MountAccessorRef, &out.MountAccessorRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.MountAccessorSelector != nil { + in, out := &in.MountAccessorSelector, &out.MountAccessorSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Name != nil { in, out := &in.Name, &out.Name *out = new(string) @@ -686,6 +739,16 @@ func (in *PingidParameters) DeepCopyInto(out *PingidParameters) { *out = new(string) **out = **in } + if in.MountAccessorRef != nil { + in, out := &in.MountAccessorRef, &out.MountAccessorRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.MountAccessorSelector != nil { + in, out := &in.MountAccessorSelector, &out.MountAccessorSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Name != nil { in, out := &in.Name, &out.Name *out = new(string) diff --git a/apis/mfa/v1alpha1/zz_generated.managed.go b/apis/mfa/v1alpha1/zz_generated.managed.go index feb9c049..53583a18 100644 --- a/apis/mfa/v1alpha1/zz_generated.managed.go +++ b/apis/mfa/v1alpha1/zz_generated.managed.go @@ -27,14 +27,6 @@ func (mg *Duo) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this Duo. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *Duo) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this Duo. func (mg *Duo) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -65,14 +57,6 @@ func (mg *Duo) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this Duo. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *Duo) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this Duo. func (mg *Duo) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -103,14 +87,6 @@ func (mg *Okta) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this Okta. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *Okta) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this Okta. func (mg *Okta) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -141,14 +117,6 @@ func (mg *Okta) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this Okta. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *Okta) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this Okta. func (mg *Okta) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -179,14 +147,6 @@ func (mg *Pingid) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this Pingid. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *Pingid) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this Pingid. func (mg *Pingid) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -217,14 +177,6 @@ func (mg *Pingid) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this Pingid. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *Pingid) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this Pingid. func (mg *Pingid) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -255,14 +207,6 @@ func (mg *Totp) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this Totp. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *Totp) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this Totp. func (mg *Totp) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -293,14 +237,6 @@ func (mg *Totp) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this Totp. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *Totp) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this Totp. func (mg *Totp) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/mfa/v1alpha1/zz_generated.resolvers.go b/apis/mfa/v1alpha1/zz_generated.resolvers.go new file mode 100644 index 00000000..390f5776 --- /dev/null +++ b/apis/mfa/v1alpha1/zz_generated.resolvers.go 
@@ -0,0 +1,141 @@ +/* +Copyright 2022 Upbound Inc. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + reference "github.com/crossplane/crossplane-runtime/pkg/reference" + resource "github.com/crossplane/upjet/pkg/resource" + errors "github.com/pkg/errors" + v1alpha1 "github.com/upbound/provider-vault/apis/auth/v1alpha1" + client "sigs.k8s.io/controller-runtime/pkg/client" +) + +// ResolveReferences of this Duo. +func (mg *Duo) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.MountAccessor), + Extract: resource.ExtractParamPath("accessor", true), + Reference: mg.Spec.ForProvider.MountAccessorRef, + Selector: mg.Spec.ForProvider.MountAccessorSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.MountAccessor") + } + mg.Spec.ForProvider.MountAccessor = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.MountAccessorRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.MountAccessor), + Extract: resource.ExtractParamPath("accessor", true), + Reference: mg.Spec.InitProvider.MountAccessorRef, + Selector: mg.Spec.InitProvider.MountAccessorSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.MountAccessor") + } + mg.Spec.InitProvider.MountAccessor = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.MountAccessorRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this Okta. 
+func (mg *Okta) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.MountAccessor), + Extract: resource.ExtractParamPath("accessor", true), + Reference: mg.Spec.ForProvider.MountAccessorRef, + Selector: mg.Spec.ForProvider.MountAccessorSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.MountAccessor") + } + mg.Spec.ForProvider.MountAccessor = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.MountAccessorRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.MountAccessor), + Extract: resource.ExtractParamPath("accessor", true), + Reference: mg.Spec.InitProvider.MountAccessorRef, + Selector: mg.Spec.InitProvider.MountAccessorSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.MountAccessor") + } + mg.Spec.InitProvider.MountAccessor = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.MountAccessorRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this Pingid. 
+func (mg *Pingid) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.MountAccessor), + Extract: resource.ExtractParamPath("accessor", true), + Reference: mg.Spec.ForProvider.MountAccessorRef, + Selector: mg.Spec.ForProvider.MountAccessorSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.MountAccessor") + } + mg.Spec.ForProvider.MountAccessor = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.MountAccessorRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.MountAccessor), + Extract: resource.ExtractParamPath("accessor", true), + Reference: mg.Spec.InitProvider.MountAccessorRef, + Selector: mg.Spec.InitProvider.MountAccessorSelector, + To: reference.To{ + List: &v1alpha1.BackendList{}, + Managed: &v1alpha1.Backend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.MountAccessor") + } + mg.Spec.InitProvider.MountAccessor = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.MountAccessorRef = rsp.ResolvedReference + + return nil +} diff --git a/apis/mfa/v1alpha1/zz_generated_terraformed.go b/apis/mfa/v1alpha1/zz_generated_terraformed.go deleted file mode 100755 index 750bed18..00000000 --- a/apis/mfa/v1alpha1/zz_generated_terraformed.go +++ /dev/null 
@@ -1,350 +0,0 @@ -/* -Copyright 2022 Upbound Inc. -*/ - -// Code generated by upjet. DO NOT EDIT. - -package v1alpha1 - -import ( - "github.com/pkg/errors" - - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" -) - -// GetTerraformResourceType returns Terraform resource type for this Duo -func (mg *Duo) GetTerraformResourceType() string { - return "vault_mfa_duo" -} - -// GetConnectionDetailsMapping for this Duo -func (tr *Duo) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"integration_key": "spec.forProvider.integrationKeySecretRef", "secret_key": "spec.forProvider.secretKeySecretRef"} -} - -// GetObservation of this Duo -func (tr *Duo) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this Duo -func (tr *Duo) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this Duo -func (tr *Duo) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this Duo -func (tr *Duo) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this Duo -func (tr *Duo) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this Duo -func (tr *Duo) GetInitParameters() (map[string]any, error) { - p, err := 
json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this Duo using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *Duo) LateInitialize(attrs []byte) (bool, error) { - params := &DuoParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *Duo) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this Okta -func (mg *Okta) GetTerraformResourceType() string { - return "vault_mfa_okta" -} - -// GetConnectionDetailsMapping for this Okta -func (tr *Okta) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"api_token": "spec.forProvider.apiTokenSecretRef"} -} - -// GetObservation of this Okta -func (tr *Okta) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this Okta -func (tr *Okta) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this Okta -func (tr *Okta) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of 
this Okta -func (tr *Okta) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this Okta -func (tr *Okta) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this Okta -func (tr *Okta) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this Okta using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *Okta) LateInitialize(attrs []byte) (bool, error) { - params := &OktaParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *Okta) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this Pingid -func (mg *Pingid) GetTerraformResourceType() string { - return "vault_mfa_pingid" -} - -// GetConnectionDetailsMapping for this Pingid -func (tr *Pingid) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this Pingid -func (tr *Pingid) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this Pingid -func (tr *Pingid) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this Pingid -func (tr *Pingid) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this Pingid -func (tr *Pingid) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this Pingid -func (tr *Pingid) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this Pingid -func (tr *Pingid) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - 
-// LateInitialize this Pingid using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *Pingid) LateInitialize(attrs []byte) (bool, error) { - params := &PingidParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *Pingid) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this Totp -func (mg *Totp) GetTerraformResourceType() string { - return "vault_mfa_totp" -} - -// GetConnectionDetailsMapping for this Totp -func (tr *Totp) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this Totp -func (tr *Totp) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this Totp -func (tr *Totp) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this Totp -func (tr *Totp) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this Totp -func (tr *Totp) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, 
json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this Totp -func (tr *Totp) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this Totp -func (tr *Totp) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this Totp using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *Totp) LateInitialize(attrs []byte) (bool, error) { - params := &TotpParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *Totp) GetTerraformSchemaVersion() int { - return 0 -} diff --git a/apis/mfa/v1alpha1/zz_okta_terraformed.go b/apis/mfa/v1alpha1/zz_okta_terraformed.go new file mode 100755 index 00000000..3763b601 --- /dev/null +++ b/apis/mfa/v1alpha1/zz_okta_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this Okta +func (mg *Okta) GetTerraformResourceType() string { + return "vault_mfa_okta" +} + +// GetConnectionDetailsMapping for this Okta +func (tr *Okta) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"api_token": "apiTokenSecretRef"} +} + +// GetObservation of this Okta +func (tr *Okta) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this Okta +func (tr *Okta) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this Okta +func (tr *Okta) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this Okta +func (tr *Okta) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this Okta +func (tr *Okta) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this Okta +func (tr *Okta) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, 
err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this Okta +func (tr *Okta) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this Okta using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *Okta) LateInitialize(attrs []byte) (bool, error) { + params := &OktaParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *Okta) GetTerraformSchemaVersion() int { + return 0 +} 
diff --git a/apis/mfa/v1alpha1/zz_okta_types.go b/apis/mfa/v1alpha1/zz_okta_types.go index 611ecaaa..bcd2f593 100755 --- a/apis/mfa/v1alpha1/zz_okta_types.go +++ b/apis/mfa/v1alpha1/zz_okta_types.go @@ -15,6 +15,10 @@ import ( type OktaInitParameters struct { + // Okta API key. + // Okta API key. + APITokenSecretRef v1.SecretKeySelector `json:"apiTokenSecretRef" tf:"-"` + // If set, will be used as the base domain for API requests. Examples are okta.com, // oktapreview.com, and okta-emea.com. // If set, will be used as the base domain for API requests. @@ -23,8 +27,18 @@ type OktaInitParameters struct { // The mount to tie this method to for use in automatic mappings. // The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. // The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("accessor",true) MountAccessor *string `json:"mountAccessor,omitempty" tf:"mount_accessor,omitempty"` + // Reference to a Backend in auth to populate mountAccessor. + // +kubebuilder:validation:Optional + MountAccessorRef *v1.Reference `json:"mountAccessorRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate mountAccessor. + // +kubebuilder:validation:Optional + MountAccessorSelector *v1.Selector `json:"mountAccessorSelector,omitempty" tf:"-"` + // (string: ) – Name of the MFA method. // Name of the MFA method. Name *string `json:"name,omitempty" tf:"name,omitempty"` 
@@ -109,9 +123,19 @@ type OktaParameters struct { // The mount to tie this method to for use in automatic mappings. // The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. // The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("accessor",true) // +kubebuilder:validation:Optional MountAccessor *string `json:"mountAccessor,omitempty" tf:"mount_accessor,omitempty"` + // Reference to a Backend in auth to populate mountAccessor. + // +kubebuilder:validation:Optional + MountAccessorRef *v1.Reference `json:"mountAccessorRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate mountAccessor. + // +kubebuilder:validation:Optional + MountAccessorSelector *v1.Selector `json:"mountAccessorSelector,omitempty" tf:"-"` + // (string: ) – Name of the MFA method. // Name of the MFA method. // +kubebuilder:validation:Optional @@ -148,9 +172,8 @@ type OktaParameters struct { type OktaSpec struct { v1.ResourceSpec `json:",inline"` ForProvider OktaParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -169,21 +192,21 @@ type OktaStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // Okta is the Schema for the Oktas API. Managing the MFA Okta method configuration -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type Okta struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.apiTokenSecretRef)",message="apiTokenSecretRef is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.mountAccessor) || has(self.initProvider.mountAccessor)",message="mountAccessor is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.orgName) || 
has(self.initProvider.orgName)",message="orgName is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.apiTokenSecretRef)",message="spec.forProvider.apiTokenSecretRef is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.orgName) || (has(self.initProvider) && has(self.initProvider.orgName))",message="spec.forProvider.orgName is a required parameter" Spec OktaSpec `json:"spec"` Status OktaStatus `json:"status,omitempty"` } diff --git a/apis/mfa/v1alpha1/zz_pingid_terraformed.go b/apis/mfa/v1alpha1/zz_pingid_terraformed.go new file mode 100755 index 00000000..56568884 --- /dev/null +++ b/apis/mfa/v1alpha1/zz_pingid_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this Pingid +func (mg *Pingid) GetTerraformResourceType() string { + return "vault_mfa_pingid" +} + +// GetConnectionDetailsMapping for this Pingid +func (tr *Pingid) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this Pingid +func (tr *Pingid) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this Pingid +func (tr *Pingid) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this Pingid +func (tr *Pingid) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this Pingid +func (tr *Pingid) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this Pingid +func (tr *Pingid) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this Pingid +func (tr *Pingid) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base 
:= map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this Pingid +func (tr *Pingid) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this Pingid using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *Pingid) LateInitialize(attrs []byte) (bool, error) { + params := &PingidParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *Pingid) GetTerraformSchemaVersion() int { + return 0 +} 
diff --git a/apis/mfa/v1alpha1/zz_pingid_types.go b/apis/mfa/v1alpha1/zz_pingid_types.go index 2d45eb64..20d2d68f 100755 --- a/apis/mfa/v1alpha1/zz_pingid_types.go +++ b/apis/mfa/v1alpha1/zz_pingid_types.go @@ -18,8 +18,18 @@ type PingidInitParameters struct { // The mount to tie this method to for use in automatic mappings. // The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. // The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("accessor",true) MountAccessor *string `json:"mountAccessor,omitempty" tf:"mount_accessor,omitempty"` + // Reference to a Backend in auth to populate mountAccessor. + // +kubebuilder:validation:Optional + MountAccessorRef *v1.Reference `json:"mountAccessorRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate mountAccessor. + // +kubebuilder:validation:Optional + MountAccessorSelector *v1.Selector `json:"mountAccessorSelector,omitempty" tf:"-"` + // (string: ) – Name of the MFA method. // Name of the MFA method. Name *string `json:"name,omitempty" tf:"name,omitempty"` 
@@ -109,9 +119,19 @@ type PingidParameters struct { // The mount to tie this method to for use in automatic mappings. // The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. // The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/auth/v1alpha1.Backend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("accessor",true) // +kubebuilder:validation:Optional MountAccessor *string `json:"mountAccessor,omitempty" tf:"mount_accessor,omitempty"` + // Reference to a Backend in auth to populate mountAccessor. + // +kubebuilder:validation:Optional + MountAccessorRef *v1.Reference `json:"mountAccessorRef,omitempty" tf:"-"` + + // Selector for a Backend in auth to populate mountAccessor. + // +kubebuilder:validation:Optional + MountAccessorSelector *v1.Selector `json:"mountAccessorSelector,omitempty" tf:"-"` + // (string: ) – Name of the MFA method. // Name of the MFA method. // +kubebuilder:validation:Optional @@ -143,9 +163,8 @@ type PingidParameters struct { type PingidSpec struct { v1.ResourceSpec `json:",inline"` ForProvider PingidParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -164,20 +183,20 @@ type PingidStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // Pingid is the Schema for the Pingids API. Managing the MFA PingID method configuration -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type Pingid struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.mountAccessor) || has(self.initProvider.mountAccessor)",message="mountAccessor is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.settingsFileBase64) || has(self.initProvider.settingsFileBase64)",message="settingsFileBase64 is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in 
self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.settingsFileBase64) || (has(self.initProvider) && has(self.initProvider.settingsFileBase64))",message="spec.forProvider.settingsFileBase64 is a required parameter" Spec PingidSpec `json:"spec"` Status PingidStatus `json:"status,omitempty"` } diff --git a/apis/mfa/v1alpha1/zz_totp_terraformed.go b/apis/mfa/v1alpha1/zz_totp_terraformed.go new file mode 100755 index 00000000..f574d1a2 --- /dev/null +++ b/apis/mfa/v1alpha1/zz_totp_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this Totp +func (mg *Totp) GetTerraformResourceType() string { + return "vault_mfa_totp" +} + +// GetConnectionDetailsMapping for this Totp +func (tr *Totp) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this Totp +func (tr *Totp) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this Totp +func (tr *Totp) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this Totp +func (tr *Totp) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this Totp +func (tr *Totp) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this Totp +func (tr *Totp) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this Totp +func (tr *Totp) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, 
json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this Totp +func (tr *Totp) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this Totp using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *Totp) LateInitialize(attrs []byte) (bool, error) { + params := &TotpParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *Totp) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/mfa/v1alpha1/zz_totp_types.go b/apis/mfa/v1alpha1/zz_totp_types.go index 2b251855..3a8e36eb 100755 
--- a/apis/mfa/v1alpha1/zz_totp_types.go +++ b/apis/mfa/v1alpha1/zz_totp_types.go @@ -163,9 +163,8 @@ type TotpParameters struct { type TotpSpec struct { v1.ResourceSpec `json:",inline"` ForProvider TotpParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -184,19 +183,20 @@ type TotpStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // Totp is the Schema for the Totps API. Managing the MFA TOTP method configuration -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type Totp struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.issuer) || has(self.initProvider.issuer)",message="issuer is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.issuer) || (has(self.initProvider) && has(self.initProvider.issuer))",message="spec.forProvider.issuer is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || 
has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" Spec TotpSpec `json:"spec"` Status TotpStatus `json:"status,omitempty"` } diff --git a/apis/mongodbatlas/v1alpha1/zz_generated.conversion_hubs.go b/apis/mongodbatlas/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..37ddff1a --- /dev/null +++ b/apis/mongodbatlas/v1alpha1/zz_generated.conversion_hubs.go @@ -0,0 +1,13 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *SecretBackend) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SecretRole) Hub() {} diff --git a/apis/mongodbatlas/v1alpha1/zz_generated.deepcopy.go b/apis/mongodbatlas/v1alpha1/zz_generated.deepcopy.go index 71f2aaf2..bd1f5207 100644 --- a/apis/mongodbatlas/v1alpha1/zz_generated.deepcopy.go +++ b/apis/mongodbatlas/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. @@ -10,6 +9,7 @@ Copyright 2022 Upbound Inc. package v1alpha1 import ( + "github.com/crossplane/crossplane-runtime/apis/common/v1" runtime "k8s.io/apimachinery/pkg/runtime" ) @@ -48,6 +48,16 @@ func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParame *out = new(string) **out = **in } + if in.MountRef != nil { + in, out := &in.MountRef, &out.MountRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.MountSelector != nil { + in, out := &in.MountSelector, &out.MountSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) 
@@ -160,6 +170,16 @@ func (in *SecretBackendParameters) DeepCopyInto(out *SecretBackendParameters) { *out = new(string) **out = **in } + if in.MountRef != nil { + in, out := &in.MountRef, &out.MountRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.MountSelector != nil { + in, out := &in.MountSelector, &out.MountSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) @@ -284,6 +304,16 @@ func (in *SecretRoleInitParameters) DeepCopyInto(out *SecretRoleInitParameters) *out = new(string) **out = **in } + if in.MountRef != nil { + in, out := &in.MountRef, &out.MountRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.MountSelector != nil { + in, out := &in.MountSelector, &out.MountSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Name != nil { in, out := &in.Name, &out.Name *out = new(string) @@ -509,6 +539,16 @@ func (in *SecretRoleParameters) DeepCopyInto(out *SecretRoleParameters) { *out = new(string) **out = **in } + if in.MountRef != nil { + in, out := &in.MountRef, &out.MountRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.MountSelector != nil { + in, out := &in.MountSelector, &out.MountSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Name != nil { in, out := &in.Name, &out.Name *out = new(string) diff --git a/apis/mongodbatlas/v1alpha1/zz_generated.managed.go b/apis/mongodbatlas/v1alpha1/zz_generated.managed.go index 3577b829..8824bcb4 100644 --- a/apis/mongodbatlas/v1alpha1/zz_generated.managed.go +++ b/apis/mongodbatlas/v1alpha1/zz_generated.managed.go 
@@ -27,14 +27,6 @@ func (mg *SecretBackend) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretBackend. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretBackend) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretBackend. func (mg *SecretBackend) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -65,14 +57,6 @@ func (mg *SecretBackend) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretBackend. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretBackend) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretBackend. func (mg *SecretBackend) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -103,14 +87,6 @@ func (mg *SecretRole) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretRole. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretRole) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretRole. func (mg *SecretRole) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -141,14 +117,6 @@ func (mg *SecretRole) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretRole. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretRole) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretRole. func (mg *SecretRole) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/mongodbatlas/v1alpha1/zz_generated.resolvers.go b/apis/mongodbatlas/v1alpha1/zz_generated.resolvers.go new file mode 100644 index 00000000..dd959ed1 --- /dev/null +++ b/apis/mongodbatlas/v1alpha1/zz_generated.resolvers.go 
@@ -0,0 +1,99 @@ +/* +Copyright 2022 Upbound Inc. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + reference "github.com/crossplane/crossplane-runtime/pkg/reference" + resource "github.com/crossplane/upjet/pkg/resource" + errors "github.com/pkg/errors" + v1alpha1 "github.com/upbound/provider-vault/apis/vault/v1alpha1" + client "sigs.k8s.io/controller-runtime/pkg/client" +) + +// ResolveReferences of this SecretBackend. +func (mg *SecretBackend) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Mount), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.MountRef, + Selector: mg.Spec.ForProvider.MountSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Mount") + } + mg.Spec.ForProvider.Mount = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.MountRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Mount), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.MountRef, + Selector: mg.Spec.InitProvider.MountSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Mount") + } + mg.Spec.InitProvider.Mount = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.MountRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this SecretRole. 
+func (mg *SecretRole) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Mount), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.MountRef, + Selector: mg.Spec.ForProvider.MountSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Mount") + } + mg.Spec.ForProvider.Mount = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.MountRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Mount), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.MountRef, + Selector: mg.Spec.InitProvider.MountSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Mount") + } + mg.Spec.InitProvider.Mount = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.MountRef = rsp.ResolvedReference + + return nil +} diff --git a/apis/mongodbatlas/v1alpha1/zz_generated_terraformed.go b/apis/mongodbatlas/v1alpha1/zz_secretbackend_terraformed.go similarity index 52% rename from apis/mongodbatlas/v1alpha1/zz_generated_terraformed.go rename to apis/mongodbatlas/v1alpha1/zz_secretbackend_terraformed.go index afab1b81..21673ae6 100755 --- a/apis/mongodbatlas/v1alpha1/zz_generated_terraformed.go +++ b/apis/mongodbatlas/v1alpha1/zz_secretbackend_terraformed.go 
@@ -7,10 +7,11 @@ Copyright 2022 Upbound Inc. package v1alpha1 import ( + "dario.cat/mergo" "github.com/pkg/errors" - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" ) // GetTerraformResourceType returns Terraform resource type for this SecretBackend 
@@ -79,94 +80,40 @@ func (tr *SecretBackend) GetInitParameters() (map[string]any, error) { return base, json.TFParser.Unmarshal(p, &base) } -// LateInitialize this SecretBackend using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { - params := &SecretBackendParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretBackend) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this SecretRole -func (mg *SecretRole) GetTerraformResourceType() string { - return "vault_mongodbatlas_secret_role" -} - -// GetConnectionDetailsMapping for this SecretRole -func (tr *SecretRole) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this SecretRole -func (tr *SecretRole) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretRole -func (tr *SecretRole) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) +// GetInitParameters of this SecretBackend +func (tr *SecretBackend) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() if err != nil { - return err + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) 
} - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this SecretRole -func (tr *SecretRole) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" + if !shouldMergeInitProvider { + return params, nil } - return *tr.Status.AtProvider.ID -} -// GetParameters of this SecretRole -func (tr *SecretRole) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + initParams, err := tr.GetInitParameters() if err != nil { - return nil, err + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} -// SetParameters for this SecretRole -func (tr *SecretRole) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) if err != nil { - return err + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} -// GetInitParameters of this SecretRole -func (tr *SecretRole) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) + return params, nil } -// LateInitialize this SecretRole using its observed tfState. +// LateInitialize this SecretBackend using its observed tfState. // returns True if there are any spec changes for the resource. 
-func (tr *SecretRole) LateInitialize(attrs []byte) (bool, error) { - params := &SecretRoleParameters{} +func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { + params := &SecretBackendParameters{} if err := json.TFParser.Unmarshal(attrs, params); err != nil { return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") } @@ -177,6 +124,6 @@ func (tr *SecretRole) LateInitialize(attrs []byte) (bool, error) { } // GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretRole) GetTerraformSchemaVersion() int { +func (tr *SecretBackend) GetTerraformSchemaVersion() int { return 0 } diff --git a/apis/mongodbatlas/v1alpha1/zz_secretbackend_types.go b/apis/mongodbatlas/v1alpha1/zz_secretbackend_types.go index d4c1e62b..5b41c256 100755 --- a/apis/mongodbatlas/v1alpha1/zz_secretbackend_types.go +++ b/apis/mongodbatlas/v1alpha1/zz_secretbackend_types.go @@ -17,8 +17,18 @@ type SecretBackendInitParameters struct { // Path where the MongoDB Atlas Secrets Engine is mounted. // Path where MongoDB Atlas secret backend is mounted + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Mount *string `json:"mount,omitempty" tf:"mount,omitempty"` + // Reference to a Mount in vault to populate mount. + // +kubebuilder:validation:Optional + MountRef *v1.Reference `json:"mountRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate mount. + // +kubebuilder:validation:Optional + MountSelector *v1.Selector `json:"mountSelector,omitempty" tf:"-"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. 
@@ -65,9 +75,19 @@ type SecretBackendParameters struct { // Path where the MongoDB Atlas Secrets Engine is mounted. // Path where MongoDB Atlas secret backend is mounted + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Mount *string `json:"mount,omitempty" tf:"mount,omitempty"` + // Reference to a Mount in vault to populate mount. + // +kubebuilder:validation:Optional + MountRef *v1.Reference `json:"mountRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate mount. + // +kubebuilder:validation:Optional + MountSelector *v1.Selector `json:"mountSelector,omitempty" tf:"-"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. @@ -91,9 +111,8 @@ type SecretBackendParameters struct { type SecretBackendSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -112,20 +131,20 @@ type SecretBackendStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretBackend is the Schema for the SecretBackends API. Creates a MongoDB Atlas secret backend for Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretBackend struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.mount) || has(self.initProvider.mount)",message="mount is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.privateKey) || has(self.initProvider.privateKey)",message="privateKey is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.publicKey) || has(self.initProvider.publicKey)",message="publicKey is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in 
self.managementPolicies) || has(self.forProvider.privateKey) || (has(self.initProvider) && has(self.initProvider.privateKey))",message="spec.forProvider.privateKey is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.publicKey) || (has(self.initProvider) && has(self.initProvider.publicKey))",message="spec.forProvider.publicKey is a required parameter" Spec SecretBackendSpec `json:"spec"` Status SecretBackendStatus `json:"status,omitempty"` } diff --git a/apis/mongodbatlas/v1alpha1/zz_secretrole_terraformed.go b/apis/mongodbatlas/v1alpha1/zz_secretrole_terraformed.go new file mode 100755 index 00000000..b3a346be --- /dev/null +++ b/apis/mongodbatlas/v1alpha1/zz_secretrole_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretRole +func (mg *SecretRole) GetTerraformResourceType() string { + return "vault_mongodbatlas_secret_role" +} + +// GetConnectionDetailsMapping for this SecretRole +func (tr *SecretRole) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this SecretRole +func (tr *SecretRole) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretRole +func (tr *SecretRole) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretRole +func (tr *SecretRole) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretRole +func (tr *SecretRole) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretRole +func (tr *SecretRole) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this SecretRole +func (tr *SecretRole) GetInitParameters() (map[string]any, error) { + p, err := 
json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretRole +func (tr *SecretRole) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretRole using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *SecretRole) LateInitialize(attrs []byte) (bool, error) { + params := &SecretRoleParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretRole) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/mongodbatlas/v1alpha1/zz_secretrole_types.go b/apis/mongodbatlas/v1alpha1/zz_secretrole_types.go index 959859b4..ec95790a 100755 --- a/apis/mongodbatlas/v1alpha1/zz_secretrole_types.go +++ b/apis/mongodbatlas/v1alpha1/zz_secretrole_types.go @@ -29,8 +29,18 @@ type SecretRoleInitParameters struct { // Path where the MongoDB Atlas Secrets Engine is mounted. // Path where MongoDB Atlas secret backend is mounted + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Mount *string `json:"mount,omitempty" tf:"mount,omitempty"` + // Reference to a Mount in vault to populate mount. + // +kubebuilder:validation:Optional + MountRef *v1.Reference `json:"mountRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate mount. + // +kubebuilder:validation:Optional + MountSelector *v1.Selector `json:"mountSelector,omitempty" tf:"-"` + // The name of the role. // Name of the role Name *string `json:"name,omitempty" tf:"name,omitempty"` 
@@ -52,11 +62,11 @@ type SecretRoleInitParameters struct { // ID for the project to which the target API Key belongs ProjectID *string `json:"projectId,omitempty" tf:"project_id,omitempty"` - // Roles assigned when an org API key is assigned to a project API key. + // Roles assigned when an org API key is assigned to a project API key. Possible values are GROUP_CLUSTER_MANAGER, GROUP_DATA_ACCESS_ADMIN, GROUP_DATA_ACCESS_READ_ONLY, GROUP_DATA_ACCESS_READ_WRITE, GROUP_OWNER and GROUP_READ_ONLY. // Roles assigned when an org API key is assigned to a project API key ProjectRoles []*string `json:"projectRoles,omitempty" tf:"project_roles,omitempty"` - // List of roles that the API Key needs to have. + // List of roles that the API Key needs to have. Possible values are ORG_OWNER, ORG_MEMBER, ORG_GROUP_CREATOR, ORG_BILLING_ADMIN and ORG_READ_ONLY. // List of roles that the API Key needs to have Roles []*string `json:"roles,omitempty" tf:"roles,omitempty"` @@ -106,11 +116,11 @@ type SecretRoleObservation struct { // ID for the project to which the target API Key belongs ProjectID *string `json:"projectId,omitempty" tf:"project_id,omitempty"` - // Roles assigned when an org API key is assigned to a project API key. + // Roles assigned when an org API key is assigned to a project API key. Possible values are GROUP_CLUSTER_MANAGER, GROUP_DATA_ACCESS_ADMIN, GROUP_DATA_ACCESS_READ_ONLY, GROUP_DATA_ACCESS_READ_WRITE, GROUP_OWNER and GROUP_READ_ONLY. // Roles assigned when an org API key is assigned to a project API key ProjectRoles []*string `json:"projectRoles,omitempty" tf:"project_roles,omitempty"` - // List of roles that the API Key needs to have. + // List of roles that the API Key needs to have. Possible values are ORG_OWNER, ORG_MEMBER, ORG_GROUP_CREATOR, ORG_BILLING_ADMIN and ORG_READ_ONLY. // List of roles that the API Key needs to have Roles []*string `json:"roles,omitempty" tf:"roles,omitempty"` 
@@ -138,9 +148,19 @@ type SecretRoleParameters struct { // Path where the MongoDB Atlas Secrets Engine is mounted. // Path where MongoDB Atlas secret backend is mounted + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Mount *string `json:"mount,omitempty" tf:"mount,omitempty"` + // Reference to a Mount in vault to populate mount. + // +kubebuilder:validation:Optional + MountRef *v1.Reference `json:"mountRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate mount. + // +kubebuilder:validation:Optional + MountSelector *v1.Selector `json:"mountSelector,omitempty" tf:"-"` + // The name of the role. // Name of the role // +kubebuilder:validation:Optional @@ -166,12 +186,12 @@ type SecretRoleParameters struct { // +kubebuilder:validation:Optional ProjectID *string `json:"projectId,omitempty" tf:"project_id,omitempty"` - // Roles assigned when an org API key is assigned to a project API key. + // Roles assigned when an org API key is assigned to a project API key. Possible values are GROUP_CLUSTER_MANAGER, GROUP_DATA_ACCESS_ADMIN, GROUP_DATA_ACCESS_READ_ONLY, GROUP_DATA_ACCESS_READ_WRITE, GROUP_OWNER and GROUP_READ_ONLY. // Roles assigned when an org API key is assigned to a project API key // +kubebuilder:validation:Optional ProjectRoles []*string `json:"projectRoles,omitempty" tf:"project_roles,omitempty"` - // List of roles that the API Key needs to have. + // List of roles that the API Key needs to have. Possible values are ORG_OWNER, ORG_MEMBER, ORG_GROUP_CREATOR, ORG_BILLING_ADMIN and ORG_READ_ONLY. // List of roles that the API Key needs to have // +kubebuilder:validation:Optional Roles []*string `json:"roles,omitempty" tf:"roles,omitempty"` 
@@ -186,9 +206,8 @@ type SecretRoleParameters struct { type SecretRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretRoleParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -207,20 +226,20 @@ type SecretRoleStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretRole is the Schema for the SecretRoles API. Creates a role for the MongoDB Atlas Secret Engine in Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.mount) || has(self.initProvider.mount)",message="mount is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.roles) || has(self.initProvider.roles)",message="roles is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || 
has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.roles) || (has(self.initProvider) && has(self.initProvider.roles))",message="spec.forProvider.roles is a required parameter" Spec SecretRoleSpec `json:"spec"` Status SecretRoleStatus `json:"status,omitempty"` } diff --git a/apis/nomad/v1alpha1/zz_generated.conversion_hubs.go b/apis/nomad/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..37ddff1a --- /dev/null +++ b/apis/nomad/v1alpha1/zz_generated.conversion_hubs.go @@ -0,0 +1,13 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *SecretBackend) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SecretRole) Hub() {} diff --git a/apis/nomad/v1alpha1/zz_generated.deepcopy.go b/apis/nomad/v1alpha1/zz_generated.deepcopy.go index f7f3f7bf..5cc968a0 100644 --- a/apis/nomad/v1alpha1/zz_generated.deepcopy.go +++ b/apis/nomad/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. @@ -59,6 +58,16 @@ func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParame *out = new(string) **out = **in } + if in.ClientCertSecretRef != nil { + in, out := &in.ClientCertSecretRef, &out.ClientCertSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.ClientKeySecretRef != nil { + in, out := &in.ClientKeySecretRef, &out.ClientKeySecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.DefaultLeaseTTLSeconds != nil { in, out := &in.DefaultLeaseTTLSeconds, &out.DefaultLeaseTTLSeconds *out = new(float64) 
@@ -104,6 +113,11 @@ func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParame *out = new(float64) **out = **in } + if in.TokenSecretRef != nil { + in, out := &in.TokenSecretRef, &out.TokenSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendInitParameters. @@ -388,6 +402,16 @@ func (in *SecretRoleInitParameters) DeepCopyInto(out *SecretRoleInitParameters) *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Global != nil { in, out := &in.Global, &out.Global *out = new(bool) @@ -527,6 +551,16 @@ func (in *SecretRoleParameters) DeepCopyInto(out *SecretRoleParameters) { *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Global != nil { in, out := &in.Global, &out.Global *out = new(bool) diff --git a/apis/nomad/v1alpha1/zz_generated.managed.go b/apis/nomad/v1alpha1/zz_generated.managed.go index 3577b829..8824bcb4 100644 --- a/apis/nomad/v1alpha1/zz_generated.managed.go +++ b/apis/nomad/v1alpha1/zz_generated.managed.go 
@@ -27,14 +27,6 @@ func (mg *SecretBackend) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretBackend. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretBackend) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretBackend. func (mg *SecretBackend) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -65,14 +57,6 @@ func (mg *SecretBackend) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretBackend. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretBackend) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretBackend. func (mg *SecretBackend) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -103,14 +87,6 @@ func (mg *SecretRole) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretRole. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretRole) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretRole. func (mg *SecretRole) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -141,14 +117,6 @@ func (mg *SecretRole) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretRole. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretRole) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretRole. func (mg *SecretRole) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/nomad/v1alpha1/zz_generated.resolvers.go b/apis/nomad/v1alpha1/zz_generated.resolvers.go new file mode 100644 index 00000000..3ae7509f --- /dev/null +++ b/apis/nomad/v1alpha1/zz_generated.resolvers.go 
@@ -0,0 +1,56 @@ +/* +Copyright 2022 Upbound Inc. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + reference "github.com/crossplane/crossplane-runtime/pkg/reference" + resource "github.com/crossplane/upjet/pkg/resource" + errors "github.com/pkg/errors" + client "sigs.k8s.io/controller-runtime/pkg/client" +) + +// ResolveReferences of this SecretRole. +func (mg *SecretRole) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("backend", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &SecretBackendList{}, + Managed: &SecretBackend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("backend", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &SecretBackendList{}, + Managed: &SecretBackend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} 
diff --git a/apis/nomad/v1alpha1/zz_generated_terraformed.go b/apis/nomad/v1alpha1/zz_secretbackend_terraformed.go similarity index 50% rename from apis/nomad/v1alpha1/zz_generated_terraformed.go rename to apis/nomad/v1alpha1/zz_secretbackend_terraformed.go index d431b6a5..84ab23b5 100755 --- a/apis/nomad/v1alpha1/zz_generated_terraformed.go +++ b/apis/nomad/v1alpha1/zz_secretbackend_terraformed.go @@ -7,10 +7,11 @@ Copyright 2022 Upbound Inc. package v1alpha1 import ( + "dario.cat/mergo" "github.com/pkg/errors" - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" ) // GetTerraformResourceType returns Terraform resource type for this SecretBackend @@ -20,7 +21,7 @@ func (mg *SecretBackend) GetTerraformResourceType() string { // GetConnectionDetailsMapping for this SecretBackend func (tr *SecretBackend) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"client_cert": "spec.forProvider.clientCertSecretRef", "client_key": "spec.forProvider.clientKeySecretRef", "token": "spec.forProvider.tokenSecretRef"} + return map[string]string{"client_cert": "clientCertSecretRef", "client_key": "clientKeySecretRef", "token": "tokenSecretRef"} } // GetObservation of this SecretBackend 
@@ -79,94 +80,40 @@ func (tr *SecretBackend) GetInitParameters() (map[string]any, error) { return base, json.TFParser.Unmarshal(p, &base) } -// LateInitialize this SecretBackend using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { - params := &SecretBackendParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretBackend) GetTerraformSchemaVersion() int { - return 1 -} - -// GetTerraformResourceType returns Terraform resource type for this SecretRole -func (mg *SecretRole) GetTerraformResourceType() string { - return "vault_nomad_secret_role" -} - -// GetConnectionDetailsMapping for this SecretRole -func (tr *SecretRole) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this SecretRole -func (tr *SecretRole) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretRole -func (tr *SecretRole) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) +// GetInitParameters of this SecretBackend +func (tr *SecretBackend) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() if err != nil { - return err + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) } - 
return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this SecretRole -func (tr *SecretRole) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" + if !shouldMergeInitProvider { + return params, nil } - return *tr.Status.AtProvider.ID -} -// GetParameters of this SecretRole -func (tr *SecretRole) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + initParams, err := tr.GetInitParameters() if err != nil { - return nil, err + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} -// SetParameters for this SecretRole -func (tr *SecretRole) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) if err != nil { - return err + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} -// GetInitParameters of this SecretRole -func (tr *SecretRole) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) + return params, nil } -// LateInitialize this SecretRole using its observed tfState. +// LateInitialize this SecretBackend using its observed tfState. // returns True if there are any spec changes for the resource. 
-func (tr *SecretRole) LateInitialize(attrs []byte) (bool, error) { - params := &SecretRoleParameters{} +func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { + params := &SecretBackendParameters{} if err := json.TFParser.Unmarshal(attrs, params); err != nil { return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") } @@ -177,6 +124,6 @@ func (tr *SecretRole) LateInitialize(attrs []byte) (bool, error) { } // GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretRole) GetTerraformSchemaVersion() int { - return 0 +func (tr *SecretBackend) GetTerraformSchemaVersion() int { + return 1 } diff --git a/apis/nomad/v1alpha1/zz_secretbackend_types.go b/apis/nomad/v1alpha1/zz_secretbackend_types.go index aa83f649..2c9e0f7e 100755 --- a/apis/nomad/v1alpha1/zz_secretbackend_types.go +++ b/apis/nomad/v1alpha1/zz_secretbackend_types.go @@ -30,6 +30,14 @@ type SecretBackendInitParameters struct { // CA certificate to use when verifying Nomad server certificate, must be x509 PEM encoded. CACert *string `json:"caCert,omitempty" tf:"ca_cert,omitempty"` + // Client certificate to provide to the Nomad server, must be x509 PEM encoded. + // Client certificate used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_key. + ClientCertSecretRef *v1.SecretKeySelector `json:"clientCertSecretRef,omitempty" tf:"-"` + + // Client certificate key to provide to the Nomad server, must be x509 PEM encoded. + // Client key used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert. + ClientKeySecretRef *v1.SecretKeySelector `json:"clientKeySecretRef,omitempty" tf:"-"` + // Default lease duration for secrets in seconds. // Default lease duration for secrets in seconds. DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` 
@@ -71,6 +79,10 @@ type SecretBackendInitParameters struct { // Specifies the ttl of the lease for the generated token. // Maximum possible lease duration for secrets in seconds. TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"` + + // Specifies the Nomad Management token to use. + // Specifies the Nomad Management token to use. + TokenSecretRef *v1.SecretKeySelector `json:"tokenSecretRef,omitempty" tf:"-"` } type SecretBackendObservation struct { @@ -226,9 +238,8 @@ type SecretBackendParameters struct { type SecretBackendSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -247,13 +258,14 @@ type SecretBackendStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretBackend is the Schema for the SecretBackends API. Creates a Nomad secret backend for Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretBackend struct { metav1.TypeMeta `json:",inline"` diff --git a/apis/nomad/v1alpha1/zz_secretrole_terraformed.go b/apis/nomad/v1alpha1/zz_secretrole_terraformed.go new file mode 100755 index 00000000..01f471f4 --- /dev/null +++ b/apis/nomad/v1alpha1/zz_secretrole_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretRole +func (mg *SecretRole) GetTerraformResourceType() string { + return "vault_nomad_secret_role" +} + +// GetConnectionDetailsMapping for this SecretRole +func (tr *SecretRole) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this SecretRole +func (tr *SecretRole) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretRole +func (tr *SecretRole) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretRole +func (tr *SecretRole) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretRole +func (tr *SecretRole) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretRole +func (tr *SecretRole) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this SecretRole +func (tr *SecretRole) GetInitParameters() (map[string]any, error) { + p, err := 
json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretRole +func (tr *SecretRole) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretRole using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *SecretRole) LateInitialize(attrs []byte) (bool, error) { + params := &SecretRoleParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretRole) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/nomad/v1alpha1/zz_secretrole_types.go b/apis/nomad/v1alpha1/zz_secretrole_types.go index a38387e8..7a256be2 100755 --- a/apis/nomad/v1alpha1/zz_secretrole_types.go +++ b/apis/nomad/v1alpha1/zz_secretrole_types.go @@ -17,8 +17,18 @@ type SecretRoleInitParameters struct { // The unique path this backend should be mounted at. // The mount path for the Nomad backend. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/nomad/v1alpha1.SecretBackend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("backend",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a SecretBackend in nomad to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a SecretBackend in nomad to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Specifies if the generated token should be global. Defaults to // false. // Specifies if the token should be global. 
@@ -87,9 +97,19 @@ type SecretRoleParameters struct { // The unique path this backend should be mounted at. // The mount path for the Nomad backend. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/nomad/v1alpha1.SecretBackend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("backend",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a SecretBackend in nomad to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a SecretBackend in nomad to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Specifies if the generated token should be global. Defaults to // false. // Specifies if the token should be global. @@ -127,9 +147,8 @@ type SecretRoleParameters struct { type SecretRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretRoleParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -148,19 +167,19 @@ type SecretRoleStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretRole is the Schema for the SecretRoles API. Creates a Nomad role. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.role) || has(self.initProvider.role)",message="role is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.role) || (has(self.initProvider) && has(self.initProvider.role))",message="spec.forProvider.role is a required parameter" Spec SecretRoleSpec `json:"spec"` Status SecretRoleStatus `json:"status,omitempty"` } 
diff --git a/apis/okta/v1alpha1/zz_authbackend_terraformed.go b/apis/okta/v1alpha1/zz_authbackend_terraformed.go new file mode 100755 index 00000000..174cf58d --- /dev/null +++ b/apis/okta/v1alpha1/zz_authbackend_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this AuthBackend +func (mg *AuthBackend) GetTerraformResourceType() string { + return "vault_okta_auth_backend" +} + +// GetConnectionDetailsMapping for this AuthBackend +func (tr *AuthBackend) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"token": "tokenSecretRef"} +} + +// GetObservation of this AuthBackend +func (tr *AuthBackend) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this AuthBackend +func (tr *AuthBackend) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this AuthBackend +func (tr *AuthBackend) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this AuthBackend +func (tr *AuthBackend) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this AuthBackend +func (tr *AuthBackend) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this AuthBackend +func (tr *AuthBackend) GetInitParameters() 
(map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this AuthBackend +func (tr *AuthBackend) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this AuthBackend using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *AuthBackend) LateInitialize(attrs []byte) (bool, error) { + params := &AuthBackendParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *AuthBackend) GetTerraformSchemaVersion() int { + return 1 +} diff --git a/apis/okta/v1alpha1/zz_authbackend_types.go b/apis/okta/v1alpha1/zz_authbackend_types.go index a1f777cc..ad4bfcee 100755 --- a/apis/okta/v1alpha1/zz_authbackend_types.go +++ b/apis/okta/v1alpha1/zz_authbackend_types.go 
@@ -44,6 +44,38 @@ type AuthBackendInitParameters struct { // Duration after which authentication will be expired TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` + // Specifies the blocks of IP addresses which are allowed to use the generated token + // +listType=set + TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + + // Generated Token's Explicit Maximum TTL in seconds + TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + + // The maximum lifetime of the generated token + TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + + // If true, the 'default' policy will not automatically be added to generated tokens + TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + + // The maximum number of times a token may be used, a value of zero means unlimited + TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + + // Generated Token's Period + TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + + // Generated Token's Policies + // +listType=set + TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + + // The Okta API token. This is required to query Okta for user group membership. If this is not supplied only locally configured groups will be enabled. + TokenSecretRef *v1.SecretKeySelector `json:"tokenSecretRef,omitempty" tf:"-"` + + // The initial ttl of the token to generate in seconds + TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + + // The type of token to generate, service or batch + TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` + User []UserInitParameters `json:"user,omitempty" tf:"user,omitempty"` } 
@@ -83,6 +115,35 @@ type AuthBackendObservation struct { // Duration after which authentication will be expired TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` + // Specifies the blocks of IP addresses which are allowed to use the generated token + // +listType=set + TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + + // Generated Token's Explicit Maximum TTL in seconds + TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + + // The maximum lifetime of the generated token + TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + + // If true, the 'default' policy will not automatically be added to generated tokens + TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + + // The maximum number of times a token may be used, a value of zero means unlimited + TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + + // Generated Token's Period + TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + + // Generated Token's Policies + // +listType=set + TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + + // The initial ttl of the token to generate in seconds + TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + + // The type of token to generate, service or batch + TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` + User []UserObservation `json:"user,omitempty" tf:"user,omitempty"` } 
@@ -127,10 +188,48 @@ type AuthBackendParameters struct { // +kubebuilder:validation:Optional TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` + // Specifies the blocks of IP addresses which are allowed to use the generated token + // +kubebuilder:validation:Optional + // +listType=set + TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + + // Generated Token's Explicit Maximum TTL in seconds + // +kubebuilder:validation:Optional + TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + + // The maximum lifetime of the generated token + // +kubebuilder:validation:Optional + TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + + // If true, the 'default' policy will not automatically be added to generated tokens + // +kubebuilder:validation:Optional + TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + + // The maximum number of times a token may be used, a value of zero means unlimited + // +kubebuilder:validation:Optional + TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + + // Generated Token's Period + // +kubebuilder:validation:Optional + TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + + // Generated Token's Policies + // +kubebuilder:validation:Optional + // +listType=set + TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + // The Okta API token. This is required to query Okta for user group membership. If this is not supplied only locally configured groups will be enabled. 
// +kubebuilder:validation:Optional TokenSecretRef *v1.SecretKeySelector `json:"tokenSecretRef,omitempty" tf:"-"` + // The initial ttl of the token to generate in seconds + // +kubebuilder:validation:Optional + TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + + // The type of token to generate, service or batch + // +kubebuilder:validation:Optional + TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` + // +kubebuilder:validation:Optional User []UserParameters `json:"user,omitempty" tf:"user,omitempty"` } @@ -138,12 +237,14 @@ type AuthBackendParameters struct { type GroupInitParameters struct { GroupName *string `json:"groupName,omitempty" tf:"group_name"` + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies"` } type GroupObservation struct { GroupName *string `json:"groupName,omitempty" tf:"group_name,omitempty"` + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` } @@ -153,20 +254,27 @@ type GroupParameters struct { GroupName *string `json:"groupName,omitempty" tf:"group_name"` // +kubebuilder:validation:Optional + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies"` } type UserInitParameters struct { + + // +listType=set Groups []*string `json:"groups,omitempty" tf:"groups"` + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies"` Username *string `json:"username,omitempty" tf:"username"` } type UserObservation struct { + + // +listType=set Groups []*string `json:"groups,omitempty" tf:"groups,omitempty"` + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` Username *string `json:"username,omitempty" tf:"username,omitempty"` 
@@ -175,9 +283,11 @@ type UserObservation struct { type UserParameters struct { // +kubebuilder:validation:Optional + // +listType=set Groups []*string `json:"groups,omitempty" tf:"groups"` // +kubebuilder:validation:Optional + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies"` // +kubebuilder:validation:Optional @@ -188,9 +298,8 @@ type UserParameters struct { type AuthBackendSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -209,18 +318,19 @@ type AuthBackendStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // AuthBackend is the Schema for the AuthBackends API. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type AuthBackend struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.organization) || has(self.initProvider.organization)",message="organization is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.organization) || (has(self.initProvider) && has(self.initProvider.organization))",message="spec.forProvider.organization is a required parameter" Spec AuthBackendSpec `json:"spec"` Status AuthBackendStatus `json:"status,omitempty"` } diff --git a/apis/okta/v1alpha1/zz_authbackendgroup_terraformed.go b/apis/okta/v1alpha1/zz_authbackendgroup_terraformed.go new file mode 100755 index 00000000..74bc764a --- /dev/null +++ b/apis/okta/v1alpha1/zz_authbackendgroup_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this AuthBackendGroup +func (mg *AuthBackendGroup) GetTerraformResourceType() string { + return "vault_okta_auth_backend_group" +} + +// GetConnectionDetailsMapping for this AuthBackendGroup +func (tr *AuthBackendGroup) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this AuthBackendGroup +func (tr *AuthBackendGroup) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this AuthBackendGroup +func (tr *AuthBackendGroup) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this AuthBackendGroup +func (tr *AuthBackendGroup) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this AuthBackendGroup +func (tr *AuthBackendGroup) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this AuthBackendGroup +func (tr *AuthBackendGroup) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this AuthBackendGroup +func 
(tr *AuthBackendGroup) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this AuthBackendGroup +func (tr *AuthBackendGroup) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this AuthBackendGroup using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *AuthBackendGroup) LateInitialize(attrs []byte) (bool, error) { + params := &AuthBackendGroupParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *AuthBackendGroup) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/okta/v1alpha1/zz_authbackendgroup_types.go b/apis/okta/v1alpha1/zz_authbackendgroup_types.go index 0866d233..3defa254 100755 --- a/apis/okta/v1alpha1/zz_authbackendgroup_types.go +++ b/apis/okta/v1alpha1/zz_authbackendgroup_types.go @@ -25,6 +25,7 @@ type AuthBackendGroupInitParameters struct { Path *string `json:"path,omitempty" tf:"path,omitempty"` // Policies to associate with this group + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` } @@ -42,6 +43,7 @@ type AuthBackendGroupObservation struct { Path *string `json:"path,omitempty" tf:"path,omitempty"` // Policies to associate with this group + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` } @@ -61,6 +63,7 @@ type AuthBackendGroupParameters struct { // Policies to associate with this group // +kubebuilder:validation:Optional + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` } @@ -68,9 +71,8 @@ type AuthBackendGroupParameters struct { type AuthBackendGroupSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendGroupParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -89,19 +91,20 @@ type AuthBackendGroupStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // AuthBackendGroup is the Schema for the AuthBackendGroups API. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type AuthBackendGroup struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.groupName) || has(self.initProvider.groupName)",message="groupName is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || has(self.initProvider.path)",message="path is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.groupName) || (has(self.initProvider) && has(self.initProvider.groupName))",message="spec.forProvider.groupName is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in 
self.managementPolicies) || has(self.forProvider.path) || (has(self.initProvider) && has(self.initProvider.path))",message="spec.forProvider.path is a required parameter" Spec AuthBackendGroupSpec `json:"spec"` Status AuthBackendGroupStatus `json:"status,omitempty"` } diff --git a/apis/okta/v1alpha1/zz_authbackenduser_terraformed.go b/apis/okta/v1alpha1/zz_authbackenduser_terraformed.go new file mode 100755 index 00000000..f4cf3f1d --- /dev/null +++ b/apis/okta/v1alpha1/zz_authbackenduser_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this AuthBackendUser +func (mg *AuthBackendUser) GetTerraformResourceType() string { + return "vault_okta_auth_backend_user" +} + +// GetConnectionDetailsMapping for this AuthBackendUser +func (tr *AuthBackendUser) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this AuthBackendUser +func (tr *AuthBackendUser) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this AuthBackendUser +func (tr *AuthBackendUser) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this AuthBackendUser +func (tr *AuthBackendUser) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this AuthBackendUser +func (tr *AuthBackendUser) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this AuthBackendUser +func (tr *AuthBackendUser) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this AuthBackendUser +func (tr 
*AuthBackendUser) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this AuthBackendUser +func (tr *AuthBackendUser) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this AuthBackendUser using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *AuthBackendUser) LateInitialize(attrs []byte) (bool, error) { + params := &AuthBackendUserParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *AuthBackendUser) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/okta/v1alpha1/zz_authbackenduser_types.go b/apis/okta/v1alpha1/zz_authbackenduser_types.go index 243dc53b..241ad8d9 100755 --- a/apis/okta/v1alpha1/zz_authbackenduser_types.go +++ b/apis/okta/v1alpha1/zz_authbackenduser_types.go @@ -16,6 +16,7 @@ import ( type AuthBackendUserInitParameters struct { // Groups within the Okta auth backend to associate with this user + // +listType=set Groups []*string `json:"groups,omitempty" tf:"groups,omitempty"` // Target namespace. (requires Enterprise) @@ -25,6 +26,7 @@ type AuthBackendUserInitParameters struct { Path *string `json:"path,omitempty" tf:"path,omitempty"` // Policies to associate with this user + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` // Name of the user within Okta @@ -34,6 +36,7 @@ type AuthBackendUserInitParameters struct { type AuthBackendUserObservation struct { // Groups within the Okta auth backend to associate with this user + // +listType=set Groups []*string `json:"groups,omitempty" tf:"groups,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` @@ -45,6 +48,7 @@ type AuthBackendUserObservation struct { Path *string `json:"path,omitempty" tf:"path,omitempty"` // Policies to associate with this user + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` // Name of the user within Okta @@ -55,6 +59,7 @@ type AuthBackendUserParameters struct { // Groups within the Okta auth backend to associate with this user // +kubebuilder:validation:Optional + // +listType=set Groups []*string `json:"groups,omitempty" tf:"groups,omitempty"` // Target namespace. (requires Enterprise) 
@@ -67,6 +72,7 @@ type AuthBackendUserParameters struct { // Policies to associate with this user // +kubebuilder:validation:Optional + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` // Name of the user within Okta @@ -78,9 +84,8 @@ type AuthBackendUserParameters struct { type AuthBackendUserSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendUserParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -99,19 +104,20 @@ type AuthBackendUserStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // AuthBackendUser is the Schema for the AuthBackendUsers API. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type AuthBackendUser struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || has(self.initProvider.path)",message="path is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.username) || has(self.initProvider.username)",message="username is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || (has(self.initProvider) && has(self.initProvider.path))",message="spec.forProvider.path is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || 
has(self.forProvider.username) || (has(self.initProvider) && has(self.initProvider.username))",message="spec.forProvider.username is a required parameter" Spec AuthBackendUserSpec `json:"spec"` Status AuthBackendUserStatus `json:"status,omitempty"` } diff --git a/apis/okta/v1alpha1/zz_generated.conversion_hubs.go b/apis/okta/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..a7987c3b --- /dev/null +++ b/apis/okta/v1alpha1/zz_generated.conversion_hubs.go @@ -0,0 +1,16 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *AuthBackend) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *AuthBackendGroup) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *AuthBackendUser) Hub() {} diff --git a/apis/okta/v1alpha1/zz_generated.deepcopy.go b/apis/okta/v1alpha1/zz_generated.deepcopy.go index bafc3955..75056b34 100644 --- a/apis/okta/v1alpha1/zz_generated.deepcopy.go +++ b/apis/okta/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. 
@@ -318,6 +317,68 @@ func (in *AuthBackendInitParameters) DeepCopyInto(out *AuthBackendInitParameters *out = new(string) **out = **in } + if in.TokenBoundCidrs != nil { + in, out := &in.TokenBoundCidrs, &out.TokenBoundCidrs + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenExplicitMaxTTL != nil { + in, out := &in.TokenExplicitMaxTTL, &out.TokenExplicitMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenMaxTTL != nil { + in, out := &in.TokenMaxTTL, &out.TokenMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenNoDefaultPolicy != nil { + in, out := &in.TokenNoDefaultPolicy, &out.TokenNoDefaultPolicy + *out = new(bool) + **out = **in + } + if in.TokenNumUses != nil { + in, out := &in.TokenNumUses, &out.TokenNumUses + *out = new(float64) + **out = **in + } + if in.TokenPeriod != nil { + in, out := &in.TokenPeriod, &out.TokenPeriod + *out = new(float64) + **out = **in + } + if in.TokenPolicies != nil { + in, out := &in.TokenPolicies, &out.TokenPolicies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenSecretRef != nil { + in, out := &in.TokenSecretRef, &out.TokenSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.TokenTTL != nil { + in, out := &in.TokenTTL, &out.TokenTTL + *out = new(float64) + **out = **in + } + if in.TokenType != nil { + in, out := &in.TokenType, &out.TokenType + *out = new(string) + **out = **in + } if in.User != nil { in, out := &in.User, &out.User *out = make([]UserInitParameters, len(*in)) 
@@ -434,6 +495,63 @@ func (in *AuthBackendObservation) DeepCopyInto(out *AuthBackendObservation) { *out = new(string) **out = **in } + if in.TokenBoundCidrs != nil { + in, out := &in.TokenBoundCidrs, &out.TokenBoundCidrs + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenExplicitMaxTTL != nil { + in, out := &in.TokenExplicitMaxTTL, &out.TokenExplicitMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenMaxTTL != nil { + in, out := &in.TokenMaxTTL, &out.TokenMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenNoDefaultPolicy != nil { + in, out := &in.TokenNoDefaultPolicy, &out.TokenNoDefaultPolicy + *out = new(bool) + **out = **in + } + if in.TokenNumUses != nil { + in, out := &in.TokenNumUses, &out.TokenNumUses + *out = new(float64) + **out = **in + } + if in.TokenPeriod != nil { + in, out := &in.TokenPeriod, &out.TokenPeriod + *out = new(float64) + **out = **in + } + if in.TokenPolicies != nil { + in, out := &in.TokenPolicies, &out.TokenPolicies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenTTL != nil { + in, out := &in.TokenTTL, &out.TokenTTL + *out = new(float64) + **out = **in + } + if in.TokenType != nil { + in, out := &in.TokenType, &out.TokenType + *out = new(string) + **out = **in + } if in.User != nil { in, out := &in.User, &out.User *out = make([]UserObservation, len(*in)) 
@@ -508,11 +626,68 @@ func (in *AuthBackendParameters) DeepCopyInto(out *AuthBackendParameters) { *out = new(string) **out = **in } + if in.TokenBoundCidrs != nil { + in, out := &in.TokenBoundCidrs, &out.TokenBoundCidrs + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenExplicitMaxTTL != nil { + in, out := &in.TokenExplicitMaxTTL, &out.TokenExplicitMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenMaxTTL != nil { + in, out := &in.TokenMaxTTL, &out.TokenMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenNoDefaultPolicy != nil { + in, out := &in.TokenNoDefaultPolicy, &out.TokenNoDefaultPolicy + *out = new(bool) + **out = **in + } + if in.TokenNumUses != nil { + in, out := &in.TokenNumUses, &out.TokenNumUses + *out = new(float64) + **out = **in + } + if in.TokenPeriod != nil { + in, out := &in.TokenPeriod, &out.TokenPeriod + *out = new(float64) + **out = **in + } + if in.TokenPolicies != nil { + in, out := &in.TokenPolicies, &out.TokenPolicies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.TokenSecretRef != nil { in, out := &in.TokenSecretRef, &out.TokenSecretRef *out = new(v1.SecretKeySelector) **out = **in } + if in.TokenTTL != nil { + in, out := &in.TokenTTL, &out.TokenTTL + *out = new(float64) + **out = **in + } + if in.TokenType != nil { + in, out := &in.TokenType, &out.TokenType + *out = new(string) + **out = **in + } if in.User != nil { in, out := &in.User, &out.User *out = make([]UserParameters, len(*in)) diff --git a/apis/okta/v1alpha1/zz_generated.managed.go b/apis/okta/v1alpha1/zz_generated.managed.go index ae342697..82176535 100644 --- a/apis/okta/v1alpha1/zz_generated.managed.go +++ b/apis/okta/v1alpha1/zz_generated.managed.go 
@@ -27,14 +27,6 @@ func (mg *AuthBackend) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this AuthBackend. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *AuthBackend) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this AuthBackend. func (mg *AuthBackend) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -65,14 +57,6 @@ func (mg *AuthBackend) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this AuthBackend. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *AuthBackend) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this AuthBackend. func (mg *AuthBackend) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -103,14 +87,6 @@ func (mg *AuthBackendGroup) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this AuthBackendGroup. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *AuthBackendGroup) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this AuthBackendGroup. func (mg *AuthBackendGroup) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -141,14 +117,6 @@ func (mg *AuthBackendGroup) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this AuthBackendGroup. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *AuthBackendGroup) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this AuthBackendGroup. func (mg *AuthBackendGroup) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -179,14 +147,6 @@ func (mg *AuthBackendUser) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this AuthBackendUser. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *AuthBackendUser) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this AuthBackendUser. func (mg *AuthBackendUser) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -217,14 +177,6 @@ func (mg *AuthBackendUser) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this AuthBackendUser. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *AuthBackendUser) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this AuthBackendUser. func (mg *AuthBackendUser) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/okta/v1alpha1/zz_generated_terraformed.go b/apis/okta/v1alpha1/zz_generated_terraformed.go deleted file mode 100755 index 0d480232..00000000 --- a/apis/okta/v1alpha1/zz_generated_terraformed.go +++ /dev/null 
@@ -1,266 +0,0 @@ -/* -Copyright 2022 Upbound Inc. -*/ - -// Code generated by upjet. DO NOT EDIT. - -package v1alpha1 - -import ( - "github.com/pkg/errors" - - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" -) - -// GetTerraformResourceType returns Terraform resource type for this AuthBackend -func (mg *AuthBackend) GetTerraformResourceType() string { - return "vault_okta_auth_backend" -} - -// GetConnectionDetailsMapping for this AuthBackend -func (tr *AuthBackend) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"token": "spec.forProvider.tokenSecretRef"} -} - -// GetObservation of this AuthBackend -func (tr *AuthBackend) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this AuthBackend -func (tr *AuthBackend) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this AuthBackend -func (tr *AuthBackend) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this AuthBackend -func (tr *AuthBackend) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this AuthBackend -func (tr *AuthBackend) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this AuthBackend -func (tr *AuthBackend) GetInitParameters() 
(map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this AuthBackend using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *AuthBackend) LateInitialize(attrs []byte) (bool, error) { - params := &AuthBackendParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *AuthBackend) GetTerraformSchemaVersion() int { - return 1 -} - -// GetTerraformResourceType returns Terraform resource type for this AuthBackendGroup -func (mg *AuthBackendGroup) GetTerraformResourceType() string { - return "vault_okta_auth_backend_group" -} - -// GetConnectionDetailsMapping for this AuthBackendGroup -func (tr *AuthBackendGroup) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this AuthBackendGroup -func (tr *AuthBackendGroup) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this AuthBackendGroup -func (tr *AuthBackendGroup) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this AuthBackendGroup -func (tr 
*AuthBackendGroup) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this AuthBackendGroup -func (tr *AuthBackendGroup) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this AuthBackendGroup -func (tr *AuthBackendGroup) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this AuthBackendGroup -func (tr *AuthBackendGroup) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this AuthBackendGroup using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *AuthBackendGroup) LateInitialize(attrs []byte) (bool, error) { - params := &AuthBackendGroupParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *AuthBackendGroup) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this AuthBackendUser -func (mg *AuthBackendUser) GetTerraformResourceType() string { - return "vault_okta_auth_backend_user" -} - -// GetConnectionDetailsMapping for this AuthBackendUser -func (tr *AuthBackendUser) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this AuthBackendUser -func (tr *AuthBackendUser) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this AuthBackendUser -func (tr *AuthBackendUser) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this AuthBackendUser -func (tr *AuthBackendUser) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this AuthBackendUser -func (tr *AuthBackendUser) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this AuthBackendUser -func (tr *AuthBackendUser) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this AuthBackendUser -func (tr *AuthBackendUser) GetInitParameters() (map[string]any, error) { - p, err 
:= json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this AuthBackendUser using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *AuthBackendUser) LateInitialize(attrs []byte) (bool, error) { - params := &AuthBackendUserParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *AuthBackendUser) GetTerraformSchemaVersion() int { - return 0 -} diff --git a/apis/password/v1alpha1/zz_generated.conversion_hubs.go b/apis/password/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..8de3d5b0 --- /dev/null +++ b/apis/password/v1alpha1/zz_generated.conversion_hubs.go @@ -0,0 +1,10 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *Policy) Hub() {} diff --git a/apis/password/v1alpha1/zz_generated.deepcopy.go b/apis/password/v1alpha1/zz_generated.deepcopy.go index 5ec54fe4..bf805f43 100644 --- a/apis/password/v1alpha1/zz_generated.deepcopy.go +++ b/apis/password/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. diff --git a/apis/password/v1alpha1/zz_generated.managed.go b/apis/password/v1alpha1/zz_generated.managed.go index a29e31ba..4bca39f2 100644 --- a/apis/password/v1alpha1/zz_generated.managed.go 
+++ b/apis/password/v1alpha1/zz_generated.managed.go @@ -27,14 +27,6 @@ func (mg *Policy) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this Policy. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *Policy) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this Policy. func (mg *Policy) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -65,14 +57,6 @@ func (mg *Policy) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this Policy. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *Policy) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this Policy. func (mg *Policy) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/password/v1alpha1/zz_generated_terraformed.go b/apis/password/v1alpha1/zz_policy_terraformed.go similarity index 69% rename from apis/password/v1alpha1/zz_generated_terraformed.go rename to apis/password/v1alpha1/zz_policy_terraformed.go index 92a0dc9a..69b6e4fa 100755 --- a/apis/password/v1alpha1/zz_generated_terraformed.go +++ b/apis/password/v1alpha1/zz_policy_terraformed.go @@ -7,10 +7,11 @@ Copyright 2022 Upbound Inc. package v1alpha1 import ( + "dario.cat/mergo" "github.com/pkg/errors" - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" ) // GetTerraformResourceType returns Terraform resource type for this Policy 
@@ -79,6 +80,36 @@ func (tr *Policy) GetInitParameters() (map[string]any, error) { return base, json.TFParser.Unmarshal(p, &base) } +// GetInitParameters of this Policy +func (tr *Policy) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + // LateInitialize this Policy using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *Policy) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/password/v1alpha1/zz_policy_types.go b/apis/password/v1alpha1/zz_policy_types.go index 7cb3ccf1..5d9b520f 100755 --- a/apis/password/v1alpha1/zz_policy_types.go +++ b/apis/password/v1alpha1/zz_policy_types.go 
@@ -75,9 +75,8 @@ type PolicyParameters struct { type PolicySpec struct { v1.ResourceSpec `json:",inline"` ForProvider PolicyParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -96,19 +95,20 @@ type PolicyStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // Policy is the Schema for the Policys API. Writes Password policies for Vault -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type Policy struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.policy) || has(self.initProvider.policy)",message="policy is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || 
has(self.forProvider.policy) || (has(self.initProvider) && has(self.initProvider.policy))",message="spec.forProvider.policy is a required parameter" Spec PolicySpec `json:"spec"` Status PolicyStatus `json:"status,omitempty"` } diff --git a/apis/pki/v1alpha1/zz_generated.conversion_hubs.go b/apis/pki/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..d2400422 --- /dev/null +++ b/apis/pki/v1alpha1/zz_generated.conversion_hubs.go @@ -0,0 +1,37 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *SecretBackendCert) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SecretBackendConfigCA) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SecretBackendConfigUrls) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SecretBackendCrlConfig) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SecretBackendIntermediateCertRequest) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SecretBackendIntermediateSetSigned) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SecretBackendRole) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SecretBackendRootCert) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SecretBackendRootSignIntermediate) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SecretBackendSign) Hub() {} diff --git a/apis/pki/v1alpha1/zz_generated.deepcopy.go b/apis/pki/v1alpha1/zz_generated.deepcopy.go index a2e2b165..02af3e07 100644 --- a/apis/pki/v1alpha1/zz_generated.deepcopy.go +++ b/apis/pki/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. 
@@ -10,6 +9,7 @@ Copyright 2022 Upbound Inc. package v1alpha1 import ( + "github.com/crossplane/crossplane-runtime/apis/common/v1" runtime "k8s.io/apimachinery/pkg/runtime" ) @@ -154,6 +154,16 @@ func (in *SecretBackendCertInitParameters) DeepCopyInto(out *SecretBackendCertIn *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.CommonName != nil { in, out := &in.CommonName, &out.CommonName *out = new(string) @@ -195,6 +205,16 @@ func (in *SecretBackendCertInitParameters) DeepCopyInto(out *SecretBackendCertIn *out = new(string) **out = **in } + if in.NameRef != nil { + in, out := &in.NameRef, &out.NameRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.NameSelector != nil { + in, out := &in.NameSelector, &out.NameSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) @@ -486,6 +506,16 @@ func (in *SecretBackendCertParameters) DeepCopyInto(out *SecretBackendCertParame *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.CommonName != nil { in, out := &in.CommonName, &out.CommonName *out = new(string) 
@@ -527,6 +557,16 @@ func (in *SecretBackendCertParameters) DeepCopyInto(out *SecretBackendCertParame *out = new(string) **out = **in } + if in.NameRef != nil { + in, out := &in.NameRef, &out.NameRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.NameSelector != nil { + in, out := &in.NameSelector, &out.NameSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) @@ -662,11 +702,22 @@ func (in *SecretBackendConfigCAInitParameters) DeepCopyInto(out *SecretBackendCo *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) **out = **in } + out.PemBundleSecretRef = in.PemBundleSecretRef } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendConfigCAInitParameters. @@ -749,6 +800,16 @@ func (in *SecretBackendConfigCAParameters) DeepCopyInto(out *SecretBackendConfig *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) 
@@ -837,6 +898,16 @@ func (in *SecretBackendConfigUrlsInitParameters) DeepCopyInto(out *SecretBackend *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.CrlDistributionPoints != nil { in, out := &in.CrlDistributionPoints, &out.CrlDistributionPoints *out = make([]*string, len(*in)) @@ -848,6 +919,11 @@ func (in *SecretBackendConfigUrlsInitParameters) DeepCopyInto(out *SecretBackend } } } + if in.EnableTemplating != nil { + in, out := &in.EnableTemplating, &out.EnableTemplating + *out = new(bool) + **out = **in + } if in.IssuingCertificates != nil { in, out := &in.IssuingCertificates, &out.IssuingCertificates *out = make([]*string, len(*in)) @@ -938,6 +1014,11 @@ func (in *SecretBackendConfigUrlsObservation) DeepCopyInto(out *SecretBackendCon } } } + if in.EnableTemplating != nil { + in, out := &in.EnableTemplating, &out.EnableTemplating + *out = new(bool) + **out = **in + } if in.ID != nil { in, out := &in.ID, &out.ID *out = new(string) @@ -990,6 +1071,16 @@ func (in *SecretBackendConfigUrlsParameters) DeepCopyInto(out *SecretBackendConf *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.CrlDistributionPoints != nil { in, out := &in.CrlDistributionPoints, &out.CrlDistributionPoints *out = make([]*string, len(*in)) 
@@ -1001,6 +1092,11 @@ func (in *SecretBackendConfigUrlsParameters) DeepCopyInto(out *SecretBackendConf } } } + if in.EnableTemplating != nil { + in, out := &in.EnableTemplating, &out.EnableTemplating + *out = new(bool) + **out = **in + } if in.IssuingCertificates != nil { in, out := &in.IssuingCertificates, &out.IssuingCertificates *out = make([]*string, len(*in)) @@ -1120,6 +1216,16 @@ func (in *SecretBackendCrlConfigInitParameters) DeepCopyInto(out *SecretBackendC *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.CrossClusterRevocation != nil { in, out := &in.CrossClusterRevocation, &out.CrossClusterRevocation *out = new(bool) @@ -1317,6 +1423,16 @@ func (in *SecretBackendCrlConfigParameters) DeepCopyInto(out *SecretBackendCrlCo *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.CrossClusterRevocation != nil { in, out := &in.CrossClusterRevocation, &out.CrossClusterRevocation *out = new(bool) @@ -1465,6 +1581,16 @@ func (in *SecretBackendIntermediateCertRequestInitParameters) DeepCopyInto(out * *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.CommonName != nil { in, out := &in.CommonName, &out.CommonName *out = new(string) 
@@ -1845,6 +1971,16 @@ func (in *SecretBackendIntermediateCertRequestParameters) DeepCopyInto(out *Secr *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.CommonName != nil { in, out := &in.CommonName, &out.CommonName *out = new(string) @@ -2055,11 +2191,31 @@ func (in *SecretBackendIntermediateSetSignedInitParameters) DeepCopyInto(out *Se *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Certificate != nil { in, out := &in.Certificate, &out.Certificate *out = new(string) **out = **in } + if in.CertificateRef != nil { + in, out := &in.CertificateRef, &out.CertificateRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.CertificateSelector != nil { + in, out := &in.CertificateSelector, &out.CertificateSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) 
@@ -2174,11 +2330,31 @@ func (in *SecretBackendIntermediateSetSignedParameters) DeepCopyInto(out *Secret *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Certificate != nil { in, out := &in.Certificate, &out.Certificate *out = new(string) **out = **in } + if in.CertificateRef != nil { + in, out := &in.CertificateRef, &out.CertificateRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.CertificateSelector != nil { + in, out := &in.CertificateSelector, &out.CertificateSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) @@ -2366,6 +2542,16 @@ func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleIn *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.BasicConstraintsValidForNonCA != nil { in, out := &in.BasicConstraintsValidForNonCA, &out.BasicConstraintsValidForNonCA *out = new(bool) 
@@ -3089,6 +3275,16 @@ func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParame *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.BasicConstraintsValidForNonCA != nil { in, out := &in.BasicConstraintsValidForNonCA, &out.BasicConstraintsValidForNonCA *out = new(bool) @@ -3405,6 +3601,16 @@ func (in *SecretBackendRootCertInitParameters) DeepCopyInto(out *SecretBackendRo *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.CommonName != nil { in, out := &in.CommonName, &out.CommonName *out = new(string) @@ -3775,11 +3981,6 @@ func (in *SecretBackendRootCertObservation) DeepCopyInto(out *SecretBackendRootC *out = new(string) **out = **in } - if in.Serial != nil { - in, out := &in.Serial, &out.Serial - *out = new(string) - **out = **in - } if in.SerialNumber != nil { in, out := &in.SerialNumber, &out.SerialNumber *out = new(string) @@ -3842,6 +4043,16 @@ func (in *SecretBackendRootCertParameters) DeepCopyInto(out *SecretBackendRootCe *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.CommonName != nil { in, out := &in.CommonName, &out.CommonName *out = new(string) 
@@ -4415,11 +4626,6 @@ func (in *SecretBackendRootSignIntermediateObservation) DeepCopyInto(out *Secret *out = new(bool) **out = **in } - if in.Serial != nil { - in, out := &in.Serial, &out.Serial - *out = new(string) - **out = **in - } if in.SerialNumber != nil { in, out := &in.SerialNumber, &out.SerialNumber *out = new(string) @@ -4709,6 +4915,16 @@ func (in *SecretBackendSignInitParameters) DeepCopyInto(out *SecretBackendSignIn *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.CommonName != nil { in, out := &in.CommonName, &out.CommonName *out = new(string) @@ -4755,6 +4971,16 @@ func (in *SecretBackendSignInitParameters) DeepCopyInto(out *SecretBackendSignIn *out = new(string) **out = **in } + if in.NameRef != nil { + in, out := &in.NameRef, &out.NameRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.NameSelector != nil { + in, out := &in.NameSelector, &out.NameSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) @@ -4953,11 +5179,6 @@ func (in *SecretBackendSignObservation) DeepCopyInto(out *SecretBackendSignObser *out = new(bool) **out = **in } - if in.Serial != nil { - in, out := &in.Serial, &out.Serial - *out = new(string) - **out = **in - } if in.SerialNumber != nil { in, out := &in.SerialNumber, &out.SerialNumber *out = new(string) 
@@ -5015,6 +5236,16 @@ func (in *SecretBackendSignParameters) DeepCopyInto(out *SecretBackendSignParame *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.CommonName != nil { in, out := &in.CommonName, &out.CommonName *out = new(string) @@ -5061,6 +5292,16 @@ func (in *SecretBackendSignParameters) DeepCopyInto(out *SecretBackendSignParame *out = new(string) **out = **in } + if in.NameRef != nil { + in, out := &in.NameRef, &out.NameRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.NameSelector != nil { + in, out := &in.NameSelector, &out.NameSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) diff --git a/apis/pki/v1alpha1/zz_generated.managed.go b/apis/pki/v1alpha1/zz_generated.managed.go index b3b8be72..ef8f5139 100644 --- a/apis/pki/v1alpha1/zz_generated.managed.go +++ b/apis/pki/v1alpha1/zz_generated.managed.go @@ -27,14 +27,6 @@ func (mg *SecretBackendCert) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretBackendCert. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretBackendCert) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretBackendCert. func (mg *SecretBackendCert) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -65,14 +57,6 @@ func (mg *SecretBackendCert) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretBackendCert. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretBackendCert) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretBackendCert. func (mg *SecretBackendCert) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -103,14 +87,6 @@ func (mg *SecretBackendConfigCA) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretBackendConfigCA. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretBackendConfigCA) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretBackendConfigCA. func (mg *SecretBackendConfigCA) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -141,14 +117,6 @@ func (mg *SecretBackendConfigCA) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretBackendConfigCA. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretBackendConfigCA) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretBackendConfigCA. func (mg *SecretBackendConfigCA) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r 
@@ -179,14 +147,6 @@ func (mg *SecretBackendConfigUrls) GetProviderConfigReference() *xpv1.Reference return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretBackendConfigUrls. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretBackendConfigUrls) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretBackendConfigUrls. func (mg *SecretBackendConfigUrls) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -217,14 +177,6 @@ func (mg *SecretBackendConfigUrls) SetProviderConfigReference(r *xpv1.Reference) mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretBackendConfigUrls. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretBackendConfigUrls) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretBackendConfigUrls. func (mg *SecretBackendConfigUrls) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -255,14 +207,6 @@ func (mg *SecretBackendCrlConfig) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretBackendCrlConfig. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretBackendCrlConfig) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretBackendCrlConfig. func (mg *SecretBackendCrlConfig) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -293,14 +237,6 @@ func (mg *SecretBackendCrlConfig) SetProviderConfigReference(r *xpv1.Reference) mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretBackendCrlConfig. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretBackendCrlConfig) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretBackendCrlConfig. func (mg *SecretBackendCrlConfig) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -331,14 +267,6 @@ func (mg *SecretBackendIntermediateCertRequest) GetProviderConfigReference() *xp return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretBackendIntermediateCertRequest. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretBackendIntermediateCertRequest) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretBackendIntermediateCertRequest. func (mg *SecretBackendIntermediateCertRequest) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -369,14 +297,6 @@ func (mg *SecretBackendIntermediateCertRequest) SetProviderConfigReference(r *xp mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretBackendIntermediateCertRequest. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretBackendIntermediateCertRequest) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretBackendIntermediateCertRequest. func (mg *SecretBackendIntermediateCertRequest) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r 
@@ -407,14 +327,6 @@ func (mg *SecretBackendIntermediateSetSigned) GetProviderConfigReference() *xpv1 return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretBackendIntermediateSetSigned. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretBackendIntermediateSetSigned) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretBackendIntermediateSetSigned. func (mg *SecretBackendIntermediateSetSigned) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -445,14 +357,6 @@ func (mg *SecretBackendIntermediateSetSigned) SetProviderConfigReference(r *xpv1 mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretBackendIntermediateSetSigned. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretBackendIntermediateSetSigned) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretBackendIntermediateSetSigned. func (mg *SecretBackendIntermediateSetSigned) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -483,14 +387,6 @@ func (mg *SecretBackendRole) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretBackendRole. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretBackendRole) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretBackendRole. func (mg *SecretBackendRole) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -521,14 +417,6 @@ func (mg *SecretBackendRole) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretBackendRole. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretBackendRole) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretBackendRole. func (mg *SecretBackendRole) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -559,14 +447,6 @@ func (mg *SecretBackendRootCert) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretBackendRootCert. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretBackendRootCert) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretBackendRootCert. func (mg *SecretBackendRootCert) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -597,14 +477,6 @@ func (mg *SecretBackendRootCert) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretBackendRootCert. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretBackendRootCert) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretBackendRootCert. func (mg *SecretBackendRootCert) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r 
@@ -635,14 +507,6 @@ func (mg *SecretBackendRootSignIntermediate) GetProviderConfigReference() *xpv1. return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretBackendRootSignIntermediate. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretBackendRootSignIntermediate) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretBackendRootSignIntermediate. func (mg *SecretBackendRootSignIntermediate) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -673,14 +537,6 @@ func (mg *SecretBackendRootSignIntermediate) SetProviderConfigReference(r *xpv1. mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretBackendRootSignIntermediate. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretBackendRootSignIntermediate) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretBackendRootSignIntermediate. func (mg *SecretBackendRootSignIntermediate) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -711,14 +567,6 @@ func (mg *SecretBackendSign) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretBackendSign. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretBackendSign) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretBackendSign. func (mg *SecretBackendSign) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -749,14 +597,6 @@ func (mg *SecretBackendSign) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretBackendSign. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretBackendSign) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretBackendSign. func (mg *SecretBackendSign) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/pki/v1alpha1/zz_generated.resolvers.go b/apis/pki/v1alpha1/zz_generated.resolvers.go new file mode 100644 index 00000000..e9351a28 --- /dev/null +++ b/apis/pki/v1alpha1/zz_generated.resolvers.go 
@@ -0,0 +1,489 @@ +/* +Copyright 2022 Upbound Inc. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + reference "github.com/crossplane/crossplane-runtime/pkg/reference" + resource "github.com/crossplane/upjet/pkg/resource" + errors "github.com/pkg/errors" + v1alpha1 "github.com/upbound/provider-vault/apis/vault/v1alpha1" + client "sigs.k8s.io/controller-runtime/pkg/client" +) + +// ResolveReferences of this SecretBackendCert. +func (mg *SecretBackendCert) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Name), + Extract: resource.ExtractParamPath("name", false), + Reference: mg.Spec.ForProvider.NameRef, + Selector: mg.Spec.ForProvider.NameSelector, + To: reference.To{ + List: &SecretBackendRoleList{}, + Managed: &SecretBackendRole{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Name") + } + mg.Spec.ForProvider.Name = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.NameRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: 
mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Name), + Extract: resource.ExtractParamPath("name", false), + Reference: mg.Spec.InitProvider.NameRef, + Selector: mg.Spec.InitProvider.NameSelector, + To: reference.To{ + List: &SecretBackendRoleList{}, + Managed: &SecretBackendRole{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Name") + } + mg.Spec.InitProvider.Name = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.NameRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this SecretBackendConfigCA. 
+func (mg *SecretBackendConfigCA) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this SecretBackendConfigUrls. 
+func (mg *SecretBackendConfigUrls) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this SecretBackendCrlConfig. 
+func (mg *SecretBackendCrlConfig) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this SecretBackendIntermediateCertRequest. 
+func (mg *SecretBackendIntermediateCertRequest) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this SecretBackendIntermediateSetSigned. 
+func (mg *SecretBackendIntermediateSetSigned) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Certificate), + Extract: resource.ExtractParamPath("certificate", true), + Reference: mg.Spec.ForProvider.CertificateRef, + Selector: mg.Spec.ForProvider.CertificateSelector, + To: reference.To{ + List: &SecretBackendRootSignIntermediateList{}, + Managed: &SecretBackendRootSignIntermediate{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Certificate") + } + mg.Spec.ForProvider.Certificate = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.CertificateRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = 
rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Certificate), + Extract: resource.ExtractParamPath("certificate", true), + Reference: mg.Spec.InitProvider.CertificateRef, + Selector: mg.Spec.InitProvider.CertificateSelector, + To: reference.To{ + List: &SecretBackendRootSignIntermediateList{}, + Managed: &SecretBackendRootSignIntermediate{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Certificate") + } + mg.Spec.InitProvider.Certificate = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.CertificateRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this SecretBackendRole. +func (mg *SecretBackendRole) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = 
reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this SecretBackendRootCert. +func (mg *SecretBackendRootCert) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this SecretBackendSign. 
+func (mg *SecretBackendSign) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Name), + Extract: resource.ExtractParamPath("name", false), + Reference: mg.Spec.ForProvider.NameRef, + Selector: mg.Spec.ForProvider.NameSelector, + To: reference.To{ + List: &SecretBackendRoleList{}, + Managed: &SecretBackendRole{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Name") + } + mg.Spec.ForProvider.Name = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.NameRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: 
reference.FromPtrValue(mg.Spec.InitProvider.Name), + Extract: resource.ExtractParamPath("name", false), + Reference: mg.Spec.InitProvider.NameRef, + Selector: mg.Spec.InitProvider.NameSelector, + To: reference.To{ + List: &SecretBackendRoleList{}, + Managed: &SecretBackendRole{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Name") + } + mg.Spec.InitProvider.Name = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.NameRef = rsp.ResolvedReference + + return nil +} diff --git a/apis/pki/v1alpha1/zz_generated_terraformed.go b/apis/pki/v1alpha1/zz_generated_terraformed.go deleted file mode 100755 index 78116fbd..00000000 --- a/apis/pki/v1alpha1/zz_generated_terraformed.go +++ /dev/null 
@@ -1,854 +0,0 @@ -/* -Copyright 2022 Upbound Inc. -*/ - -// Code generated by upjet. DO NOT EDIT. - -package v1alpha1 - -import ( - "github.com/pkg/errors" - - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" -) - -// GetTerraformResourceType returns Terraform resource type for this SecretBackendCert -func (mg *SecretBackendCert) GetTerraformResourceType() string { - return "vault_pki_secret_backend_cert" -} - -// GetConnectionDetailsMapping for this SecretBackendCert -func (tr *SecretBackendCert) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"private_key": "status.atProvider.privateKey"} -} - -// GetObservation of this SecretBackendCert -func (tr *SecretBackendCert) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretBackendCert -func (tr *SecretBackendCert) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this SecretBackendCert -func (tr *SecretBackendCert) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this SecretBackendCert -func (tr *SecretBackendCert) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this SecretBackendCert -func (tr *SecretBackendCert) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// 
GetInitParameters of this SecretBackendCert -func (tr *SecretBackendCert) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this SecretBackendCert using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretBackendCert) LateInitialize(attrs []byte) (bool, error) { - params := &SecretBackendCertParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretBackendCert) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this SecretBackendConfigCA -func (mg *SecretBackendConfigCA) GetTerraformResourceType() string { - return "vault_pki_secret_backend_config_ca" -} - -// GetConnectionDetailsMapping for this SecretBackendConfigCA -func (tr *SecretBackendConfigCA) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"pem_bundle": "spec.forProvider.pemBundleSecretRef"} -} - -// GetObservation of this SecretBackendConfigCA -func (tr *SecretBackendConfigCA) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretBackendConfigCA -func (tr *SecretBackendConfigCA) SetObservation(obs map[string]any) error { - p, 
err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this SecretBackendConfigCA -func (tr *SecretBackendConfigCA) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this SecretBackendConfigCA -func (tr *SecretBackendConfigCA) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this SecretBackendConfigCA -func (tr *SecretBackendConfigCA) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this SecretBackendConfigCA -func (tr *SecretBackendConfigCA) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this SecretBackendConfigCA using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretBackendConfigCA) LateInitialize(attrs []byte) (bool, error) { - params := &SecretBackendConfigCAParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretBackendConfigCA) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this SecretBackendConfigUrls -func (mg *SecretBackendConfigUrls) GetTerraformResourceType() string { - return "vault_pki_secret_backend_config_urls" -} - -// GetConnectionDetailsMapping for this SecretBackendConfigUrls -func (tr *SecretBackendConfigUrls) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this SecretBackendConfigUrls -func (tr *SecretBackendConfigUrls) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretBackendConfigUrls -func (tr *SecretBackendConfigUrls) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this SecretBackendConfigUrls -func (tr *SecretBackendConfigUrls) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this SecretBackendConfigUrls -func (tr *SecretBackendConfigUrls) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this SecretBackendConfigUrls -func (tr *SecretBackendConfigUrls) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// 
GetInitParameters of this SecretBackendConfigUrls -func (tr *SecretBackendConfigUrls) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this SecretBackendConfigUrls using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretBackendConfigUrls) LateInitialize(attrs []byte) (bool, error) { - params := &SecretBackendConfigUrlsParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretBackendConfigUrls) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this SecretBackendCrlConfig -func (mg *SecretBackendCrlConfig) GetTerraformResourceType() string { - return "vault_pki_secret_backend_crl_config" -} - -// GetConnectionDetailsMapping for this SecretBackendCrlConfig -func (tr *SecretBackendCrlConfig) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this SecretBackendCrlConfig -func (tr *SecretBackendCrlConfig) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretBackendCrlConfig -func (tr *SecretBackendCrlConfig) SetObservation(obs map[string]any) error { - p, err := 
json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this SecretBackendCrlConfig -func (tr *SecretBackendCrlConfig) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this SecretBackendCrlConfig -func (tr *SecretBackendCrlConfig) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this SecretBackendCrlConfig -func (tr *SecretBackendCrlConfig) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this SecretBackendCrlConfig -func (tr *SecretBackendCrlConfig) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this SecretBackendCrlConfig using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretBackendCrlConfig) LateInitialize(attrs []byte) (bool, error) { - params := &SecretBackendCrlConfigParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretBackendCrlConfig) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this SecretBackendIntermediateCertRequest -func (mg *SecretBackendIntermediateCertRequest) GetTerraformResourceType() string { - return "vault_pki_secret_backend_intermediate_cert_request" -} - -// GetConnectionDetailsMapping for this SecretBackendIntermediateCertRequest -func (tr *SecretBackendIntermediateCertRequest) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"private_key": "status.atProvider.privateKey"} -} - -// GetObservation of this SecretBackendIntermediateCertRequest -func (tr *SecretBackendIntermediateCertRequest) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretBackendIntermediateCertRequest -func (tr *SecretBackendIntermediateCertRequest) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this SecretBackendIntermediateCertRequest -func (tr *SecretBackendIntermediateCertRequest) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this SecretBackendIntermediateCertRequest -func (tr *SecretBackendIntermediateCertRequest) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this 
SecretBackendIntermediateCertRequest -func (tr *SecretBackendIntermediateCertRequest) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this SecretBackendIntermediateCertRequest -func (tr *SecretBackendIntermediateCertRequest) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this SecretBackendIntermediateCertRequest using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretBackendIntermediateCertRequest) LateInitialize(attrs []byte) (bool, error) { - params := &SecretBackendIntermediateCertRequestParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretBackendIntermediateCertRequest) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this SecretBackendIntermediateSetSigned -func (mg *SecretBackendIntermediateSetSigned) GetTerraformResourceType() string { - return "vault_pki_secret_backend_intermediate_set_signed" -} - -// GetConnectionDetailsMapping for this SecretBackendIntermediateSetSigned -func (tr *SecretBackendIntermediateSetSigned) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this SecretBackendIntermediateSetSigned -func (tr *SecretBackendIntermediateSetSigned) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretBackendIntermediateSetSigned -func (tr *SecretBackendIntermediateSetSigned) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this SecretBackendIntermediateSetSigned -func (tr *SecretBackendIntermediateSetSigned) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this SecretBackendIntermediateSetSigned -func (tr *SecretBackendIntermediateSetSigned) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this SecretBackendIntermediateSetSigned -func (tr *SecretBackendIntermediateSetSigned) 
SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this SecretBackendIntermediateSetSigned -func (tr *SecretBackendIntermediateSetSigned) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this SecretBackendIntermediateSetSigned using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretBackendIntermediateSetSigned) LateInitialize(attrs []byte) (bool, error) { - params := &SecretBackendIntermediateSetSignedParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretBackendIntermediateSetSigned) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this SecretBackendRole -func (mg *SecretBackendRole) GetTerraformResourceType() string { - return "vault_pki_secret_backend_role" -} - -// GetConnectionDetailsMapping for this SecretBackendRole -func (tr *SecretBackendRole) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this SecretBackendRole -func (tr *SecretBackendRole) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretBackendRole -func (tr *SecretBackendRole) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this SecretBackendRole -func (tr *SecretBackendRole) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this SecretBackendRole -func (tr *SecretBackendRole) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this SecretBackendRole -func (tr *SecretBackendRole) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this SecretBackendRole -func (tr *SecretBackendRole) 
GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this SecretBackendRole using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretBackendRole) LateInitialize(attrs []byte) (bool, error) { - params := &SecretBackendRoleParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretBackendRole) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this SecretBackendRootCert -func (mg *SecretBackendRootCert) GetTerraformResourceType() string { - return "vault_pki_secret_backend_root_cert" -} - -// GetConnectionDetailsMapping for this SecretBackendRootCert -func (tr *SecretBackendRootCert) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this SecretBackendRootCert -func (tr *SecretBackendRootCert) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretBackendRootCert -func (tr *SecretBackendRootCert) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID 
returns ID of underlying Terraform resource of this SecretBackendRootCert -func (tr *SecretBackendRootCert) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this SecretBackendRootCert -func (tr *SecretBackendRootCert) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this SecretBackendRootCert -func (tr *SecretBackendRootCert) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this SecretBackendRootCert -func (tr *SecretBackendRootCert) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this SecretBackendRootCert using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretBackendRootCert) LateInitialize(attrs []byte) (bool, error) { - params := &SecretBackendRootCertParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretBackendRootCert) GetTerraformSchemaVersion() int { - return 1 -} - -// GetTerraformResourceType returns Terraform resource type for this SecretBackendRootSignIntermediate -func (mg *SecretBackendRootSignIntermediate) GetTerraformResourceType() string { - return "vault_pki_secret_backend_root_sign_intermediate" -} - -// GetConnectionDetailsMapping for this SecretBackendRootSignIntermediate -func (tr *SecretBackendRootSignIntermediate) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this SecretBackendRootSignIntermediate -func (tr *SecretBackendRootSignIntermediate) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretBackendRootSignIntermediate -func (tr *SecretBackendRootSignIntermediate) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this SecretBackendRootSignIntermediate -func (tr *SecretBackendRootSignIntermediate) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this SecretBackendRootSignIntermediate -func (tr *SecretBackendRootSignIntermediate) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this SecretBackendRootSignIntermediate -func (tr *SecretBackendRootSignIntermediate) SetParameters(params map[string]any) 
error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this SecretBackendRootSignIntermediate -func (tr *SecretBackendRootSignIntermediate) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this SecretBackendRootSignIntermediate using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretBackendRootSignIntermediate) LateInitialize(attrs []byte) (bool, error) { - params := &SecretBackendRootSignIntermediateParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretBackendRootSignIntermediate) GetTerraformSchemaVersion() int { - return 2 -} - -// GetTerraformResourceType returns Terraform resource type for this SecretBackendSign -func (mg *SecretBackendSign) GetTerraformResourceType() string { - return "vault_pki_secret_backend_sign" -} - -// GetConnectionDetailsMapping for this SecretBackendSign -func (tr *SecretBackendSign) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this SecretBackendSign -func (tr *SecretBackendSign) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretBackendSign -func (tr *SecretBackendSign) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this SecretBackendSign -func (tr *SecretBackendSign) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this SecretBackendSign -func (tr *SecretBackendSign) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this SecretBackendSign -func (tr *SecretBackendSign) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this SecretBackendSign -func (tr *SecretBackendSign) 
GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this SecretBackendSign using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretBackendSign) LateInitialize(attrs []byte) (bool, error) { - params := &SecretBackendSignParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretBackendSign) GetTerraformSchemaVersion() int { - return 1 -} diff --git a/apis/pki/v1alpha1/zz_secretbackendcert_terraformed.go b/apis/pki/v1alpha1/zz_secretbackendcert_terraformed.go new file mode 100755 index 00000000..989a1efe --- /dev/null +++ b/apis/pki/v1alpha1/zz_secretbackendcert_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretBackendCert +func (mg *SecretBackendCert) GetTerraformResourceType() string { + return "vault_pki_secret_backend_cert" +} + +// GetConnectionDetailsMapping for this SecretBackendCert +func (tr *SecretBackendCert) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"private_key": "status.atProvider.privateKey"} +} + +// GetObservation of this SecretBackendCert +func (tr *SecretBackendCert) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretBackendCert +func (tr *SecretBackendCert) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretBackendCert +func (tr *SecretBackendCert) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretBackendCert +func (tr *SecretBackendCert) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretBackendCert +func (tr *SecretBackendCert) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, 
&tr.Spec.ForProvider) +} + +// GetInitParameters of this SecretBackendCert +func (tr *SecretBackendCert) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretBackendCert +func (tr *SecretBackendCert) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretBackendCert using its observed tfState. +// returns True if there are any spec changes for the resource. 
+func (tr *SecretBackendCert) LateInitialize(attrs []byte) (bool, error) { + params := &SecretBackendCertParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretBackendCert) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/pki/v1alpha1/zz_secretbackendcert_types.go b/apis/pki/v1alpha1/zz_secretbackendcert_types.go index 48b0d4bf..daf4154f 100755 --- a/apis/pki/v1alpha1/zz_secretbackendcert_types.go +++ b/apis/pki/v1alpha1/zz_secretbackendcert_types.go @@ -25,8 +25,18 @@ type SecretBackendCertInitParameters struct { // The PKI secret backend the resource belongs to. // The PKI secret backend the resource belongs to. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // CN of certificate to create // CN of the certificate to create. CommonName *string `json:"commonName,omitempty" tf:"common_name,omitempty"` 
@@ -52,8 +62,18 @@ type SecretBackendCertInitParameters struct { // Name of the role to create the certificate against // Name of the role to create the certificate against. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/pki/v1alpha1.SecretBackendRole + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("name",false) Name *string `json:"name,omitempty" tf:"name,omitempty"` + // Reference to a SecretBackendRole in pki to populate name. + // +kubebuilder:validation:Optional + NameRef *v1.Reference `json:"nameRef,omitempty" tf:"-"` + + // Selector for a SecretBackendRole in pki to populate name. + // +kubebuilder:validation:Optional + NameSelector *v1.Selector `json:"nameSelector,omitempty" tf:"-"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. @@ -203,9 +223,19 @@ type SecretBackendCertParameters struct { // The PKI secret backend the resource belongs to. // The PKI secret backend the resource belongs to. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // CN of certificate to create // CN of the certificate to create. // +kubebuilder:validation:Optional 
@@ -237,9 +267,19 @@ type SecretBackendCertParameters struct { // Name of the role to create the certificate against // Name of the role to create the certificate against. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/pki/v1alpha1.SecretBackendRole + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("name",false) // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // Reference to a SecretBackendRole in pki to populate name. + // +kubebuilder:validation:Optional + NameRef *v1.Reference `json:"nameRef,omitempty" tf:"-"` + + // Selector for a SecretBackendRole in pki to populate name. + // +kubebuilder:validation:Optional + NameSelector *v1.Selector `json:"nameSelector,omitempty" tf:"-"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. @@ -283,9 +323,8 @@ type SecretBackendCertParameters struct { type SecretBackendCertSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendCertParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -304,20 +343,19 @@ type SecretBackendCertStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretBackendCert is the Schema for the SecretBackendCerts API. Generate an PKI certificate. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretBackendCert struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.commonName) || has(self.initProvider.commonName)",message="commonName is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in 
self.managementPolicies) || has(self.forProvider.commonName) || (has(self.initProvider) && has(self.initProvider.commonName))",message="spec.forProvider.commonName is a required parameter" Spec SecretBackendCertSpec `json:"spec"` Status SecretBackendCertStatus `json:"status,omitempty"` } diff --git a/apis/pki/v1alpha1/zz_secretbackendconfigca_terraformed.go b/apis/pki/v1alpha1/zz_secretbackendconfigca_terraformed.go new file mode 100755 index 00000000..28776d1a --- /dev/null +++ b/apis/pki/v1alpha1/zz_secretbackendconfigca_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretBackendConfigCA +func (mg *SecretBackendConfigCA) GetTerraformResourceType() string { + return "vault_pki_secret_backend_config_ca" +} + +// GetConnectionDetailsMapping for this SecretBackendConfigCA +func (tr *SecretBackendConfigCA) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"pem_bundle": "pemBundleSecretRef"} +} + +// GetObservation of this SecretBackendConfigCA +func (tr *SecretBackendConfigCA) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretBackendConfigCA +func (tr *SecretBackendConfigCA) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretBackendConfigCA +func (tr *SecretBackendConfigCA) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretBackendConfigCA +func (tr *SecretBackendConfigCA) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretBackendConfigCA +func (tr *SecretBackendConfigCA) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return 
err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this SecretBackendConfigCA +func (tr *SecretBackendConfigCA) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretBackendConfigCA +func (tr *SecretBackendConfigCA) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretBackendConfigCA using its observed tfState. +// returns True if there are any spec changes for the resource. 
+func (tr *SecretBackendConfigCA) LateInitialize(attrs []byte) (bool, error) { + params := &SecretBackendConfigCAParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretBackendConfigCA) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/pki/v1alpha1/zz_secretbackendconfigca_types.go b/apis/pki/v1alpha1/zz_secretbackendconfigca_types.go index 8bccb755..c74347d9 100755 --- a/apis/pki/v1alpha1/zz_secretbackendconfigca_types.go +++ b/apis/pki/v1alpha1/zz_secretbackendconfigca_types.go 
@@ -17,14 +17,28 @@ type SecretBackendConfigCAInitParameters struct { // The PKI secret backend the resource belongs to. // The PKI secret backend the resource belongs to. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + // The key and certificate PEM bundle + // The key and certificate PEM bundle. + PemBundleSecretRef v1.SecretKeySelector `json:"pemBundleSecretRef" tf:"-"` } type SecretBackendConfigCAObservation struct { 
@@ -47,9 +61,19 @@ type SecretBackendConfigCAParameters struct { // The PKI secret backend the resource belongs to. // The PKI secret backend the resource belongs to. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. @@ -68,9 +92,8 @@ type SecretBackendConfigCAParameters struct { type SecretBackendConfigCASpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendConfigCAParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -89,19 +112,19 @@ type SecretBackendConfigCAStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretBackendConfigCA is the Schema for the SecretBackendConfigCAs API. Submit the CA information to PKI. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretBackendConfigCA struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.pemBundleSecretRef)",message="pemBundleSecretRef is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.pemBundleSecretRef)",message="spec.forProvider.pemBundleSecretRef is a required parameter" Spec SecretBackendConfigCASpec `json:"spec"` Status SecretBackendConfigCAStatus `json:"status,omitempty"` } 
diff --git a/apis/pki/v1alpha1/zz_secretbackendconfigurls_terraformed.go b/apis/pki/v1alpha1/zz_secretbackendconfigurls_terraformed.go new file mode 100755 index 00000000..eb964844 --- /dev/null +++ b/apis/pki/v1alpha1/zz_secretbackendconfigurls_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretBackendConfigUrls +func (mg *SecretBackendConfigUrls) GetTerraformResourceType() string { + return "vault_pki_secret_backend_config_urls" +} + +// GetConnectionDetailsMapping for this SecretBackendConfigUrls +func (tr *SecretBackendConfigUrls) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this SecretBackendConfigUrls +func (tr *SecretBackendConfigUrls) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretBackendConfigUrls +func (tr *SecretBackendConfigUrls) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretBackendConfigUrls +func (tr *SecretBackendConfigUrls) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretBackendConfigUrls +func (tr *SecretBackendConfigUrls) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretBackendConfigUrls +func (tr *SecretBackendConfigUrls) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return 
json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this SecretBackendConfigUrls +func (tr *SecretBackendConfigUrls) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretBackendConfigUrls +func (tr *SecretBackendConfigUrls) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretBackendConfigUrls using its observed tfState. +// returns True if there are any spec changes for the resource. 
+func (tr *SecretBackendConfigUrls) LateInitialize(attrs []byte) (bool, error) { + params := &SecretBackendConfigUrlsParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretBackendConfigUrls) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/pki/v1alpha1/zz_secretbackendconfigurls_types.go b/apis/pki/v1alpha1/zz_secretbackendconfigurls_types.go index 352b4328..54cf22b8 100755 --- a/apis/pki/v1alpha1/zz_secretbackendconfigurls_types.go +++ b/apis/pki/v1alpha1/zz_secretbackendconfigurls_types.go 
@@ -17,12 +17,26 @@ type SecretBackendConfigUrlsInitParameters struct { // The path the PKI secret backend is mounted at, with no leading or trailing /s. // The path of the PKI secret backend the resource belongs to. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Specifies the URL values for the CRL Distribution Points field. // Specifies the URL values for the CRL Distribution Points field. CrlDistributionPoints []*string `json:"crlDistributionPoints,omitempty" tf:"crl_distribution_points,omitempty"` + // Specifies that templating of AIA fields is allowed. + // Specifies that templating of AIA fields is allowed. + EnableTemplating *bool `json:"enableTemplating,omitempty" tf:"enable_templating,omitempty"` + // Specifies the URL values for the Issuing Certificate field. // Specifies the URL values for the Issuing Certificate field. IssuingCertificates []*string `json:"issuingCertificates,omitempty" tf:"issuing_certificates,omitempty"` 
@@ -49,6 +63,10 @@ type SecretBackendConfigUrlsObservation struct { // Specifies the URL values for the CRL Distribution Points field. CrlDistributionPoints []*string `json:"crlDistributionPoints,omitempty" tf:"crl_distribution_points,omitempty"` + // Specifies that templating of AIA fields is allowed. + // Specifies that templating of AIA fields is allowed. + EnableTemplating *bool `json:"enableTemplating,omitempty" tf:"enable_templating,omitempty"` + ID *string `json:"id,omitempty" tf:"id,omitempty"` // Specifies the URL values for the Issuing Certificate field. 
@@ -71,14 +89,29 @@ type SecretBackendConfigUrlsParameters struct { // The path the PKI secret backend is mounted at, with no leading or trailing /s. // The path of the PKI secret backend the resource belongs to. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Specifies the URL values for the CRL Distribution Points field. // Specifies the URL values for the CRL Distribution Points field. // +kubebuilder:validation:Optional CrlDistributionPoints []*string `json:"crlDistributionPoints,omitempty" tf:"crl_distribution_points,omitempty"` + // Specifies that templating of AIA fields is allowed. + // Specifies that templating of AIA fields is allowed. + // +kubebuilder:validation:Optional + EnableTemplating *bool `json:"enableTemplating,omitempty" tf:"enable_templating,omitempty"` + // Specifies the URL values for the Issuing Certificate field. // Specifies the URL values for the Issuing Certificate field. // +kubebuilder:validation:Optional 
@@ -102,9 +135,8 @@ type SecretBackendConfigUrlsParameters struct { type SecretBackendConfigUrlsSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendConfigUrlsParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -123,20 +155,20 @@ type SecretBackendConfigUrlsStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretBackendConfigUrls is the Schema for the SecretBackendConfigUrlss API. Sets the config URL's on an PKI Secret Backend for Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretBackendConfigUrls struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" - Spec SecretBackendConfigUrlsSpec `json:"spec"` - Status SecretBackendConfigUrlsStatus `json:"status,omitempty"` + Spec SecretBackendConfigUrlsSpec `json:"spec"` + Status SecretBackendConfigUrlsStatus `json:"status,omitempty"` } // +kubebuilder:object:root=true diff --git a/apis/pki/v1alpha1/zz_secretbackendcrlconfig_terraformed.go b/apis/pki/v1alpha1/zz_secretbackendcrlconfig_terraformed.go new file mode 100755 index 00000000..3ef8f33d --- /dev/null +++ b/apis/pki/v1alpha1/zz_secretbackendcrlconfig_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretBackendCrlConfig +func (mg *SecretBackendCrlConfig) GetTerraformResourceType() string { + return "vault_pki_secret_backend_crl_config" +} + +// GetConnectionDetailsMapping for this SecretBackendCrlConfig +func (tr *SecretBackendCrlConfig) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this SecretBackendCrlConfig +func (tr *SecretBackendCrlConfig) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretBackendCrlConfig +func (tr *SecretBackendCrlConfig) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretBackendCrlConfig +func (tr *SecretBackendCrlConfig) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretBackendCrlConfig +func (tr *SecretBackendCrlConfig) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretBackendCrlConfig +func (tr *SecretBackendCrlConfig) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return 
json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this SecretBackendCrlConfig +func (tr *SecretBackendCrlConfig) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretBackendCrlConfig +func (tr *SecretBackendCrlConfig) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretBackendCrlConfig using its observed tfState. +// returns True if there are any spec changes for the resource. 
+func (tr *SecretBackendCrlConfig) LateInitialize(attrs []byte) (bool, error) { + params := &SecretBackendCrlConfigParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretBackendCrlConfig) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/pki/v1alpha1/zz_secretbackendcrlconfig_types.go b/apis/pki/v1alpha1/zz_secretbackendcrlconfig_types.go index 887c5606..df5e633c 100755 --- a/apis/pki/v1alpha1/zz_secretbackendcrlconfig_types.go +++ b/apis/pki/v1alpha1/zz_secretbackendcrlconfig_types.go 
@@ -25,8 +25,18 @@ type SecretBackendCrlConfigInitParameters struct { // The path the PKI secret backend is mounted at, with no leading or trailing /s. // The path of the PKI secret backend the resource belongs to. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Enable cross-cluster revocation request queues. Vault 1.13+ // Enable cross-cluster revocation request queues. CrossClusterRevocation *bool `json:"crossClusterRevocation,omitempty" tf:"cross_cluster_revocation,omitempty"` 
@@ -151,9 +161,19 @@ type SecretBackendCrlConfigParameters struct { // The path the PKI secret backend is mounted at, with no leading or trailing /s. // The path of the PKI secret backend the resource belongs to. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Enable cross-cluster revocation request queues. Vault 1.13+ // Enable cross-cluster revocation request queues. // +kubebuilder:validation:Optional @@ -215,9 +235,8 @@ type SecretBackendCrlConfigParameters struct { type SecretBackendCrlConfigSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendCrlConfigParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -236,20 +255,20 @@ type SecretBackendCrlConfigStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretBackendCrlConfig is the Schema for the SecretBackendCrlConfigs API. Sets the CRL config on an PKI Secret Backend for Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretBackendCrlConfig struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" - Spec SecretBackendCrlConfigSpec `json:"spec"` - Status SecretBackendCrlConfigStatus `json:"status,omitempty"` + Spec SecretBackendCrlConfigSpec `json:"spec"` + Status SecretBackendCrlConfigStatus `json:"status,omitempty"` } // +kubebuilder:object:root=true diff --git a/apis/pki/v1alpha1/zz_secretbackendintermediatecertrequest_terraformed.go b/apis/pki/v1alpha1/zz_secretbackendintermediatecertrequest_terraformed.go new file mode 100755 index 00000000..698d0a6f --- /dev/null +++ b/apis/pki/v1alpha1/zz_secretbackendintermediatecertrequest_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretBackendIntermediateCertRequest +func (mg *SecretBackendIntermediateCertRequest) GetTerraformResourceType() string { + return "vault_pki_secret_backend_intermediate_cert_request" +} + +// GetConnectionDetailsMapping for this SecretBackendIntermediateCertRequest +func (tr *SecretBackendIntermediateCertRequest) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"private_key": "status.atProvider.privateKey"} +} + +// GetObservation of this SecretBackendIntermediateCertRequest +func (tr *SecretBackendIntermediateCertRequest) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretBackendIntermediateCertRequest +func (tr *SecretBackendIntermediateCertRequest) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretBackendIntermediateCertRequest +func (tr *SecretBackendIntermediateCertRequest) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretBackendIntermediateCertRequest +func (tr *SecretBackendIntermediateCertRequest) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, 
&base) +} + +// SetParameters for this SecretBackendIntermediateCertRequest +func (tr *SecretBackendIntermediateCertRequest) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this SecretBackendIntermediateCertRequest +func (tr *SecretBackendIntermediateCertRequest) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretBackendIntermediateCertRequest +func (tr *SecretBackendIntermediateCertRequest) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretBackendIntermediateCertRequest using its observed tfState. +// returns True if there are any spec changes for the resource. 
+func (tr *SecretBackendIntermediateCertRequest) LateInitialize(attrs []byte) (bool, error) { + params := &SecretBackendIntermediateCertRequestParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretBackendIntermediateCertRequest) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/pki/v1alpha1/zz_secretbackendintermediatecertrequest_types.go b/apis/pki/v1alpha1/zz_secretbackendintermediatecertrequest_types.go index 335dfa83..f67e5157 100755 --- a/apis/pki/v1alpha1/zz_secretbackendintermediatecertrequest_types.go +++ b/apis/pki/v1alpha1/zz_secretbackendintermediatecertrequest_types.go 
@@ -28,8 +28,18 @@ type SecretBackendIntermediateCertRequestInitParameters struct { // The PKI secret backend the resource belongs to. // The PKI secret backend the resource belongs to. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // CN of intermediate to create // CN of intermediate to create. CommonName *string `json:"commonName,omitempty" tf:"common_name,omitempty"` @@ -272,9 +282,19 @@ type SecretBackendIntermediateCertRequestParameters struct { // The PKI secret backend the resource belongs to. // The PKI secret backend the resource belongs to. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // CN of intermediate to create // CN of intermediate to create. // +kubebuilder:validation:Optional 
@@ -398,9 +418,8 @@ type SecretBackendIntermediateCertRequestParameters struct { type SecretBackendIntermediateCertRequestSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendIntermediateCertRequestParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -419,20 +438,20 @@ type SecretBackendIntermediateCertRequestStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretBackendIntermediateCertRequest is the Schema for the SecretBackendIntermediateCertRequests API. Generate a new private key and a CSR for signing the PKI. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretBackendIntermediateCertRequest struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.commonName) || has(self.initProvider.commonName)",message="commonName is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.type) || has(self.initProvider.type)",message="type is a required parameter" + // 
+kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.commonName) || (has(self.initProvider) && has(self.initProvider.commonName))",message="spec.forProvider.commonName is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.type) || (has(self.initProvider) && has(self.initProvider.type))",message="spec.forProvider.type is a required parameter" Spec SecretBackendIntermediateCertRequestSpec `json:"spec"` Status SecretBackendIntermediateCertRequestStatus `json:"status,omitempty"` } diff --git a/apis/pki/v1alpha1/zz_secretbackendintermediatesetsigned_terraformed.go b/apis/pki/v1alpha1/zz_secretbackendintermediatesetsigned_terraformed.go new file mode 100755 index 00000000..d309ec8a --- /dev/null +++ b/apis/pki/v1alpha1/zz_secretbackendintermediatesetsigned_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretBackendIntermediateSetSigned +func (mg *SecretBackendIntermediateSetSigned) GetTerraformResourceType() string { + return "vault_pki_secret_backend_intermediate_set_signed" +} + +// GetConnectionDetailsMapping for this SecretBackendIntermediateSetSigned +func (tr *SecretBackendIntermediateSetSigned) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this SecretBackendIntermediateSetSigned +func (tr *SecretBackendIntermediateSetSigned) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretBackendIntermediateSetSigned +func (tr *SecretBackendIntermediateSetSigned) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretBackendIntermediateSetSigned +func (tr *SecretBackendIntermediateSetSigned) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretBackendIntermediateSetSigned +func (tr *SecretBackendIntermediateSetSigned) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretBackendIntermediateSetSigned +func (tr 
*SecretBackendIntermediateSetSigned) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this SecretBackendIntermediateSetSigned +func (tr *SecretBackendIntermediateSetSigned) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretBackendIntermediateSetSigned +func (tr *SecretBackendIntermediateSetSigned) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretBackendIntermediateSetSigned using its observed tfState. +// returns True if there are any spec changes for the resource. 
+func (tr *SecretBackendIntermediateSetSigned) LateInitialize(attrs []byte) (bool, error) { + params := &SecretBackendIntermediateSetSignedParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretBackendIntermediateSetSigned) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/pki/v1alpha1/zz_secretbackendintermediatesetsigned_types.go b/apis/pki/v1alpha1/zz_secretbackendintermediatesetsigned_types.go index edd899e3..9f201c21 100755 --- a/apis/pki/v1alpha1/zz_secretbackendintermediatesetsigned_types.go +++ b/apis/pki/v1alpha1/zz_secretbackendintermediatesetsigned_types.go 
@@ -17,14 +17,34 @@ type SecretBackendIntermediateSetSignedInitParameters struct { // The PKI secret backend the resource belongs to. // The PKI secret backend the resource belongs to. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Specifies the PEM encoded certificate. May optionally append additional // CA certificates to populate the whole chain, which will then enable returning the full chain from // issue and sign operations. // The certificate. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/pki/v1alpha1.SecretBackendRootSignIntermediate + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("certificate",true) Certificate *string `json:"certificate,omitempty" tf:"certificate,omitempty"` + // Reference to a SecretBackendRootSignIntermediate in pki to populate certificate. + // +kubebuilder:validation:Optional + CertificateRef *v1.Reference `json:"certificateRef,omitempty" tf:"-"` + + // Selector for a SecretBackendRootSignIntermediate in pki to populate certificate. + // +kubebuilder:validation:Optional + CertificateSelector *v1.Selector `json:"certificateSelector,omitempty" tf:"-"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. 
@@ -68,16 +88,36 @@ type SecretBackendIntermediateSetSignedParameters struct { // The PKI secret backend the resource belongs to. // The PKI secret backend the resource belongs to. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Specifies the PEM encoded certificate. May optionally append additional // CA certificates to populate the whole chain, which will then enable returning the full chain from // issue and sign operations. // The certificate. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/pki/v1alpha1.SecretBackendRootSignIntermediate + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("certificate",true) // +kubebuilder:validation:Optional Certificate *string `json:"certificate,omitempty" tf:"certificate,omitempty"` + // Reference to a SecretBackendRootSignIntermediate in pki to populate certificate. + // +kubebuilder:validation:Optional + CertificateRef *v1.Reference `json:"certificateRef,omitempty" tf:"-"` + + // Selector for a SecretBackendRootSignIntermediate in pki to populate certificate. + // +kubebuilder:validation:Optional + CertificateSelector *v1.Selector `json:"certificateSelector,omitempty" tf:"-"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. 
// The namespace is always relative to the provider's configured namespace. @@ -91,9 +131,8 @@ type SecretBackendIntermediateSetSignedParameters struct { type SecretBackendIntermediateSetSignedSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendIntermediateSetSignedParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -112,21 +151,20 @@ type SecretBackendIntermediateSetSignedStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretBackendIntermediateSetSigned is the Schema for the SecretBackendIntermediateSetSigneds API. Submit the PKI CA certificate. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretBackendIntermediateSetSigned struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.certificate) || has(self.initProvider.certificate)",message="certificate is a required parameter" - Spec SecretBackendIntermediateSetSignedSpec `json:"spec"` - Status SecretBackendIntermediateSetSignedStatus `json:"status,omitempty"` + Spec SecretBackendIntermediateSetSignedSpec `json:"spec"` + Status SecretBackendIntermediateSetSignedStatus `json:"status,omitempty"` } // +kubebuilder:object:root=true 
diff --git a/apis/pki/v1alpha1/zz_secretbackendrole_terraformed.go b/apis/pki/v1alpha1/zz_secretbackendrole_terraformed.go new file mode 100755 index 00000000..7d2eefaa --- /dev/null +++ b/apis/pki/v1alpha1/zz_secretbackendrole_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretBackendRole +func (mg *SecretBackendRole) GetTerraformResourceType() string { + return "vault_pki_secret_backend_role" +} + +// GetConnectionDetailsMapping for this SecretBackendRole +func (tr *SecretBackendRole) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this SecretBackendRole +func (tr *SecretBackendRole) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretBackendRole +func (tr *SecretBackendRole) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretBackendRole +func (tr *SecretBackendRole) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretBackendRole +func (tr *SecretBackendRole) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretBackendRole +func (tr *SecretBackendRole) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this 
SecretBackendRole +func (tr *SecretBackendRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretBackendRole +func (tr *SecretBackendRole) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretBackendRole using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *SecretBackendRole) LateInitialize(attrs []byte) (bool, error) { + params := &SecretBackendRoleParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretBackendRole) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/pki/v1alpha1/zz_secretbackendrole_types.go b/apis/pki/v1alpha1/zz_secretbackendrole_types.go index 9d5cbf6a..770b56e5 100755 --- a/apis/pki/v1alpha1/zz_secretbackendrole_types.go +++ b/apis/pki/v1alpha1/zz_secretbackendrole_types.go @@ -58,7 +58,7 @@ type PolicyIdentifierParameters struct { // The OID for the policy identifier // OID // +kubebuilder:validation:Optional - Oid *string `json:"oid,omitempty" tf:"oid,omitempty"` + Oid *string `json:"oid" tf:"oid,omitempty"` } type SecretBackendRoleInitParameters struct { @@ -121,8 +121,18 @@ type SecretBackendRoleInitParameters struct { // The path the PKI secret backend is mounted at, with no leading or trailing /s. // The path of the PKI secret backend the resource belongs to. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Flag to mark basic constraints valid when issuing non-CA certificates // Flag to mark basic constraints valid when issuing non-CA certificates. BasicConstraintsValidForNonCA *bool `json:"basicConstraintsValidForNonCa,omitempty" tf:"basic_constraints_valid_for_non_ca,omitempty"` 
@@ -529,9 +539,19 @@ type SecretBackendRoleParameters struct { // The path the PKI secret backend is mounted at, with no leading or trailing /s. // The path of the PKI secret backend the resource belongs to. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Flag to mark basic constraints valid when issuing non-CA certificates // Flag to mark basic constraints valid when issuing non-CA certificates. // +kubebuilder:validation:Optional @@ -701,9 +721,8 @@ type SecretBackendRoleParameters struct { type SecretBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendRoleParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -722,19 +741,19 @@ type SecretBackendRoleStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretBackendRole is the Schema for the SecretBackendRoles API. Create a role on an PKI Secret Backend for Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" Spec SecretBackendRoleSpec `json:"spec"` Status SecretBackendRoleStatus `json:"status,omitempty"` } 
diff --git a/apis/pki/v1alpha1/zz_secretbackendrootcert_terraformed.go b/apis/pki/v1alpha1/zz_secretbackendrootcert_terraformed.go new file mode 100755 index 00000000..7d4cff53 --- /dev/null +++ b/apis/pki/v1alpha1/zz_secretbackendrootcert_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretBackendRootCert +func (mg *SecretBackendRootCert) GetTerraformResourceType() string { + return "vault_pki_secret_backend_root_cert" +} + +// GetConnectionDetailsMapping for this SecretBackendRootCert +func (tr *SecretBackendRootCert) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this SecretBackendRootCert +func (tr *SecretBackendRootCert) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretBackendRootCert +func (tr *SecretBackendRootCert) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretBackendRootCert +func (tr *SecretBackendRootCert) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretBackendRootCert +func (tr *SecretBackendRootCert) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretBackendRootCert +func (tr *SecretBackendRootCert) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, 
&tr.Spec.ForProvider) +} + +// GetInitParameters of this SecretBackendRootCert +func (tr *SecretBackendRootCert) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretBackendRootCert +func (tr *SecretBackendRootCert) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretBackendRootCert using its observed tfState. +// returns True if there are any spec changes for the resource. 
+func (tr *SecretBackendRootCert) LateInitialize(attrs []byte) (bool, error) { + params := &SecretBackendRootCertParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretBackendRootCert) GetTerraformSchemaVersion() int { + return 1 +} diff --git a/apis/pki/v1alpha1/zz_secretbackendrootcert_types.go b/apis/pki/v1alpha1/zz_secretbackendrootcert_types.go index 41447e4e..5be5bc4f 100755 --- a/apis/pki/v1alpha1/zz_secretbackendrootcert_types.go +++ b/apis/pki/v1alpha1/zz_secretbackendrootcert_types.go @@ -21,8 +21,18 @@ type SecretBackendRootCertInitParameters struct { // The PKI secret backend the resource belongs to. // The PKI secret backend the resource belongs to. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // CN of intermediate to create // CN of root to create. CommonName *string `json:"commonName,omitempty" tf:"common_name,omitempty"` 
@@ -261,10 +271,6 @@ type SecretBackendRootCertObservation struct { // The province. Province *string `json:"province,omitempty" tf:"province,omitempty"` - // Deprecated, use serial_number instead. - // The serial number. - Serial *string `json:"serial,omitempty" tf:"serial,omitempty"` - // The certificate's serial number, hex formatted. // The certificate's serial number, hex formatted. SerialNumber *string `json:"serialNumber,omitempty" tf:"serial_number,omitempty"` @@ -296,9 +302,19 @@ type SecretBackendRootCertParameters struct { // The PKI secret backend the resource belongs to. // The PKI secret backend the resource belongs to. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // CN of intermediate to create // CN of root to create. // +kubebuilder:validation:Optional 
@@ -443,9 +459,8 @@ type SecretBackendRootCertParameters struct { type SecretBackendRootCertSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendRootCertParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -464,20 +479,20 @@ type SecretBackendRootCertStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretBackendRootCert is the Schema for the SecretBackendRootCerts API. Generate root. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretBackendRootCert struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.commonName) || has(self.initProvider.commonName)",message="commonName is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.type) || has(self.initProvider.type)",message="type is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in 
self.managementPolicies) || has(self.forProvider.commonName) || (has(self.initProvider) && has(self.initProvider.commonName))",message="spec.forProvider.commonName is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.type) || (has(self.initProvider) && has(self.initProvider.type))",message="spec.forProvider.type is a required parameter" Spec SecretBackendRootCertSpec `json:"spec"` Status SecretBackendRootCertStatus `json:"status,omitempty"` } diff --git a/apis/pki/v1alpha1/zz_secretbackendrootsignintermediate_terraformed.go b/apis/pki/v1alpha1/zz_secretbackendrootsignintermediate_terraformed.go new file mode 100755 index 00000000..cd5a9e4d --- /dev/null +++ b/apis/pki/v1alpha1/zz_secretbackendrootsignintermediate_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretBackendRootSignIntermediate +func (mg *SecretBackendRootSignIntermediate) GetTerraformResourceType() string { + return "vault_pki_secret_backend_root_sign_intermediate" +} + +// GetConnectionDetailsMapping for this SecretBackendRootSignIntermediate +func (tr *SecretBackendRootSignIntermediate) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this SecretBackendRootSignIntermediate +func (tr *SecretBackendRootSignIntermediate) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretBackendRootSignIntermediate +func (tr *SecretBackendRootSignIntermediate) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretBackendRootSignIntermediate +func (tr *SecretBackendRootSignIntermediate) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretBackendRootSignIntermediate +func (tr *SecretBackendRootSignIntermediate) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretBackendRootSignIntermediate +func (tr 
*SecretBackendRootSignIntermediate) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this SecretBackendRootSignIntermediate +func (tr *SecretBackendRootSignIntermediate) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretBackendRootSignIntermediate +func (tr *SecretBackendRootSignIntermediate) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretBackendRootSignIntermediate using its observed tfState. +// returns True if there are any spec changes for the resource. 
+func (tr *SecretBackendRootSignIntermediate) LateInitialize(attrs []byte) (bool, error) { + params := &SecretBackendRootSignIntermediateParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretBackendRootSignIntermediate) GetTerraformSchemaVersion() int { + return 2 +} diff --git a/apis/pki/v1alpha1/zz_secretbackendrootsignintermediate_types.go b/apis/pki/v1alpha1/zz_secretbackendrootsignintermediate_types.go index ac51d0d9..98d70f9c 100755 --- a/apis/pki/v1alpha1/zz_secretbackendrootsignintermediate_types.go +++ b/apis/pki/v1alpha1/zz_secretbackendrootsignintermediate_types.go @@ -158,9 +158,6 @@ type SecretBackendRootSignIntermediateObservation struct { // Revoke the certificate upon resource destruction. Revoke *bool `json:"revoke,omitempty" tf:"revoke,omitempty"` - // The serial number. - Serial *string `json:"serial,omitempty" tf:"serial,omitempty"` - // The certificate's serial number, hex formatted. SerialNumber *string `json:"serialNumber,omitempty" tf:"serial_number,omitempty"` 
@@ -276,9 +273,8 @@ type SecretBackendRootSignIntermediateParameters struct { type SecretBackendRootSignIntermediateSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendRootSignIntermediateParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -297,20 +293,21 @@ type SecretBackendRootSignIntermediateStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretBackendRootSignIntermediate is the Schema for the SecretBackendRootSignIntermediates API. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretBackendRootSignIntermediate struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.commonName) || has(self.initProvider.commonName)",message="commonName is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.csr) || has(self.initProvider.csr)",message="csr is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 
'Update' in self.managementPolicies) || has(self.forProvider.backend) || (has(self.initProvider) && has(self.initProvider.backend))",message="spec.forProvider.backend is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.commonName) || (has(self.initProvider) && has(self.initProvider.commonName))",message="spec.forProvider.commonName is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.csr) || (has(self.initProvider) && has(self.initProvider.csr))",message="spec.forProvider.csr is a required parameter" Spec SecretBackendRootSignIntermediateSpec `json:"spec"` Status SecretBackendRootSignIntermediateStatus `json:"status,omitempty"` } diff --git a/apis/pki/v1alpha1/zz_secretbackendsign_terraformed.go b/apis/pki/v1alpha1/zz_secretbackendsign_terraformed.go new file mode 100755 index 00000000..2cccdd29 --- /dev/null +++ b/apis/pki/v1alpha1/zz_secretbackendsign_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretBackendSign +func (mg *SecretBackendSign) GetTerraformResourceType() string { + return "vault_pki_secret_backend_sign" +} + +// GetConnectionDetailsMapping for this SecretBackendSign +func (tr *SecretBackendSign) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this SecretBackendSign +func (tr *SecretBackendSign) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretBackendSign +func (tr *SecretBackendSign) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretBackendSign +func (tr *SecretBackendSign) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretBackendSign +func (tr *SecretBackendSign) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretBackendSign +func (tr *SecretBackendSign) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this 
SecretBackendSign +func (tr *SecretBackendSign) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretBackendSign +func (tr *SecretBackendSign) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretBackendSign using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *SecretBackendSign) LateInitialize(attrs []byte) (bool, error) { + params := &SecretBackendSignParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretBackendSign) GetTerraformSchemaVersion() int { + return 1 +} diff --git a/apis/pki/v1alpha1/zz_secretbackendsign_types.go b/apis/pki/v1alpha1/zz_secretbackendsign_types.go index 23e388b0..e38cfcb5 100755 --- a/apis/pki/v1alpha1/zz_secretbackendsign_types.go +++ b/apis/pki/v1alpha1/zz_secretbackendsign_types.go @@ -25,8 +25,18 @@ type SecretBackendSignInitParameters struct { // The PKI secret backend the resource belongs to. // The PKI secret backend the resource belongs to. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // CN of certificate to create // CN of intermediate to create. CommonName *string `json:"commonName,omitempty" tf:"common_name,omitempty"` 
@@ -60,8 +70,18 @@ type SecretBackendSignInitParameters struct { // Name of the role to create the certificate against // Name of the role to create the certificate against. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/pki/v1alpha1.SecretBackendRole + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("name",false) Name *string `json:"name,omitempty" tf:"name,omitempty"` + // Reference to a SecretBackendRole in pki to populate name. + // +kubebuilder:validation:Optional + NameRef *v1.Reference `json:"nameRef,omitempty" tf:"-"` + + // Selector for a SecretBackendRole in pki to populate name. + // +kubebuilder:validation:Optional + NameSelector *v1.Selector `json:"nameSelector,omitempty" tf:"-"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. @@ -164,10 +184,6 @@ type SecretBackendSignObservation struct { // Initially false, and then set to true during refresh once the expiration is less than min_seconds_remaining in the future. RenewPending *bool `json:"renewPending,omitempty" tf:"renew_pending,omitempty"` - // Use serial_number instead. - // The serial number. - Serial *string `json:"serial,omitempty" tf:"serial,omitempty"` - // The certificate's serial number, hex formatted. // The certificate's serial number, hex formatted. SerialNumber *string `json:"serialNumber,omitempty" tf:"serial_number,omitempty"` 
@@ -195,9 +211,19 @@ type SecretBackendSignParameters struct { // The PKI secret backend the resource belongs to. // The PKI secret backend the resource belongs to. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // CN of certificate to create // CN of intermediate to create. // +kubebuilder:validation:Optional @@ -238,9 +264,19 @@ type SecretBackendSignParameters struct { // Name of the role to create the certificate against // Name of the role to create the certificate against. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/pki/v1alpha1.SecretBackendRole + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("name",false) // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` + // Reference to a SecretBackendRole in pki to populate name. + // +kubebuilder:validation:Optional + NameRef *v1.Reference `json:"nameRef,omitempty" tf:"-"` + + // Selector for a SecretBackendRole in pki to populate name. + // +kubebuilder:validation:Optional + NameSelector *v1.Selector `json:"nameSelector,omitempty" tf:"-"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. 
@@ -269,9 +305,8 @@ type SecretBackendSignParameters struct { type SecretBackendSignSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendSignParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -290,21 +325,20 @@ type SecretBackendSignStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretBackendSign is the Schema for the SecretBackendSigns API. Sign a new certificate based on the CSR by the PKI. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretBackendSign struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.commonName) || has(self.initProvider.commonName)",message="commonName is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.csr) || has(self.initProvider.csr)",message="csr is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in 
self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.commonName) || (has(self.initProvider) && has(self.initProvider.commonName))",message="spec.forProvider.commonName is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.csr) || (has(self.initProvider) && has(self.initProvider.csr))",message="spec.forProvider.csr is a required parameter" Spec SecretBackendSignSpec `json:"spec"` Status SecretBackendSignStatus `json:"status,omitempty"` } diff --git a/apis/quota/v1alpha1/zz_generated.conversion_hubs.go b/apis/quota/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..e1357e5c --- /dev/null +++ b/apis/quota/v1alpha1/zz_generated.conversion_hubs.go @@ -0,0 +1,13 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *LeaseCount) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *RateLimit) Hub() {} diff --git a/apis/quota/v1alpha1/zz_generated.deepcopy.go b/apis/quota/v1alpha1/zz_generated.deepcopy.go index 9acce5f3..3d05021a 100644 --- a/apis/quota/v1alpha1/zz_generated.deepcopy.go +++ b/apis/quota/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. 
@@ -43,6 +42,11 @@ func (in *LeaseCount) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *LeaseCountInitParameters) DeepCopyInto(out *LeaseCountInitParameters) { *out = *in + if in.Inheritable != nil { + in, out := &in.Inheritable, &out.Inheritable + *out = new(bool) + **out = **in + } if in.MaxLeases != nil { in, out := &in.MaxLeases, &out.MaxLeases *out = new(float64) @@ -120,6 +124,11 @@ func (in *LeaseCountObservation) DeepCopyInto(out *LeaseCountObservation) { *out = new(string) **out = **in } + if in.Inheritable != nil { + in, out := &in.Inheritable, &out.Inheritable + *out = new(bool) + **out = **in + } if in.MaxLeases != nil { in, out := &in.MaxLeases, &out.MaxLeases *out = new(float64) @@ -160,6 +169,11 @@ func (in *LeaseCountObservation) DeepCopy() *LeaseCountObservation { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *LeaseCountParameters) DeepCopyInto(out *LeaseCountParameters) { *out = *in + if in.Inheritable != nil { + in, out := &in.Inheritable, &out.Inheritable + *out = new(bool) + **out = **in + } if in.MaxLeases != nil { in, out := &in.MaxLeases, &out.MaxLeases *out = new(float64) @@ -267,6 +281,11 @@ func (in *RateLimitInitParameters) DeepCopyInto(out *RateLimitInitParameters) { *out = new(float64) **out = **in } + if in.Inheritable != nil { + in, out := &in.Inheritable, &out.Inheritable + *out = new(bool) + **out = **in + } if in.Interval != nil { in, out := &in.Interval, &out.Interval *out = new(float64) @@ -354,6 +373,11 @@ func (in *RateLimitObservation) DeepCopyInto(out *RateLimitObservation) { *out = new(string) **out = **in } + if in.Inheritable != nil { + in, out := &in.Inheritable, &out.Inheritable + *out = new(bool) + **out = **in + } if in.Interval != nil { in, out := &in.Interval, &out.Interval *out = new(float64) 
@@ -404,6 +428,11 @@ func (in *RateLimitParameters) DeepCopyInto(out *RateLimitParameters) { *out = new(float64) **out = **in } + if in.Inheritable != nil { + in, out := &in.Inheritable, &out.Inheritable + *out = new(bool) + **out = **in + } if in.Interval != nil { in, out := &in.Interval, &out.Interval *out = new(float64) diff --git a/apis/quota/v1alpha1/zz_generated.managed.go b/apis/quota/v1alpha1/zz_generated.managed.go index d84dfeba..60e328a1 100644 --- a/apis/quota/v1alpha1/zz_generated.managed.go +++ b/apis/quota/v1alpha1/zz_generated.managed.go @@ -27,14 +27,6 @@ func (mg *LeaseCount) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this LeaseCount. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *LeaseCount) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this LeaseCount. func (mg *LeaseCount) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -65,14 +57,6 @@ func (mg *LeaseCount) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this LeaseCount. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *LeaseCount) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this LeaseCount. func (mg *LeaseCount) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r 
@@ -103,14 +87,6 @@ func (mg *RateLimit) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this RateLimit. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *RateLimit) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this RateLimit. func (mg *RateLimit) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -141,14 +117,6 @@ func (mg *RateLimit) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this RateLimit. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *RateLimit) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this RateLimit. func (mg *RateLimit) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/quota/v1alpha1/zz_generated_terraformed.go b/apis/quota/v1alpha1/zz_leasecount_terraformed.go similarity index 51% rename from apis/quota/v1alpha1/zz_generated_terraformed.go rename to apis/quota/v1alpha1/zz_leasecount_terraformed.go index 00aa4829..8d61b208 100755 --- a/apis/quota/v1alpha1/zz_generated_terraformed.go +++ b/apis/quota/v1alpha1/zz_leasecount_terraformed.go @@ -7,10 +7,11 @@ Copyright 2022 Upbound Inc. package v1alpha1 import ( + "dario.cat/mergo" "github.com/pkg/errors" - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" ) // GetTerraformResourceType returns Terraform resource type for this LeaseCount 
@@ -79,94 +80,40 @@ func (tr *LeaseCount) GetInitParameters() (map[string]any, error) { return base, json.TFParser.Unmarshal(p, &base) } -// LateInitialize this LeaseCount using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *LeaseCount) LateInitialize(attrs []byte) (bool, error) { - params := &LeaseCountParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *LeaseCount) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this RateLimit -func (mg *RateLimit) GetTerraformResourceType() string { - return "vault_quota_rate_limit" -} - -// GetConnectionDetailsMapping for this RateLimit -func (tr *RateLimit) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this RateLimit -func (tr *RateLimit) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this RateLimit -func (tr *RateLimit) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) +// GetInitParameters of this LeaseCount +func (tr *LeaseCount) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() if err != nil { - return err + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) } - return json.TFParser.Unmarshal(p, 
&tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this RateLimit -func (tr *RateLimit) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" + if !shouldMergeInitProvider { + return params, nil } - return *tr.Status.AtProvider.ID -} -// GetParameters of this RateLimit -func (tr *RateLimit) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + initParams, err := tr.GetInitParameters() if err != nil { - return nil, err + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} -// SetParameters for this RateLimit -func (tr *RateLimit) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) if err != nil { - return err + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} -// GetInitParameters of this RateLimit -func (tr *RateLimit) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) + return params, nil } -// LateInitialize this RateLimit using its observed tfState. +// LateInitialize this LeaseCount using its observed tfState. // returns True if there are any spec changes for the resource. 
-func (tr *RateLimit) LateInitialize(attrs []byte) (bool, error) { - params := &RateLimitParameters{} +func (tr *LeaseCount) LateInitialize(attrs []byte) (bool, error) { + params := &LeaseCountParameters{} if err := json.TFParser.Unmarshal(attrs, params); err != nil { return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") } @@ -177,6 +124,6 @@ func (tr *RateLimit) LateInitialize(attrs []byte) (bool, error) { } // GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *RateLimit) GetTerraformSchemaVersion() int { +func (tr *LeaseCount) GetTerraformSchemaVersion() int { return 0 } diff --git a/apis/quota/v1alpha1/zz_leasecount_types.go b/apis/quota/v1alpha1/zz_leasecount_types.go index f1db68b4..05f96711 100755 --- a/apis/quota/v1alpha1/zz_leasecount_types.go +++ b/apis/quota/v1alpha1/zz_leasecount_types.go @@ -15,6 +15,10 @@ import ( type LeaseCountInitParameters struct { + // If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+. + // If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. + Inheritable *bool `json:"inheritable,omitempty" tf:"inheritable,omitempty"` + // The maximum number of leases to be allowed by the quota // rule. The max_leases must be positive. // The maximum number of leases to be allowed by the quota rule. The max_leases must be positive. 
@@ -48,6 +52,10 @@ type LeaseCountInitParameters struct { type LeaseCountObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+. + // If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. + Inheritable *bool `json:"inheritable,omitempty" tf:"inheritable,omitempty"` + // The maximum number of leases to be allowed by the quota // rule. The max_leases must be positive. // The maximum number of leases to be allowed by the quota rule. The max_leases must be positive. 
@@ -80,6 +88,11 @@ type LeaseCountObservation struct { type LeaseCountParameters struct { + // If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+. + // If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. + // +kubebuilder:validation:Optional + Inheritable *bool `json:"inheritable,omitempty" tf:"inheritable,omitempty"` + // The maximum number of leases to be allowed by the quota // rule. The max_leases must be positive. // The maximum number of leases to be allowed by the quota rule. The max_leases must be positive. @@ -119,9 +132,8 @@ type LeaseCountParameters struct { type LeaseCountSpec struct { v1.ResourceSpec `json:",inline"` ForProvider LeaseCountParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -140,19 +152,20 @@ type LeaseCountStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // LeaseCount is the Schema for the LeaseCounts API. Manage Lease Count Quota -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type LeaseCount struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.maxLeases) || has(self.initProvider.maxLeases)",message="maxLeases is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.maxLeases) || (has(self.initProvider) && has(self.initProvider.maxLeases))",message="spec.forProvider.maxLeases is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in 
self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" Spec LeaseCountSpec `json:"spec"` Status LeaseCountStatus `json:"status,omitempty"` } diff --git a/apis/quota/v1alpha1/zz_ratelimit_terraformed.go b/apis/quota/v1alpha1/zz_ratelimit_terraformed.go new file mode 100755 index 00000000..a185a470 --- /dev/null +++ b/apis/quota/v1alpha1/zz_ratelimit_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this RateLimit +func (mg *RateLimit) GetTerraformResourceType() string { + return "vault_quota_rate_limit" +} + +// GetConnectionDetailsMapping for this RateLimit +func (tr *RateLimit) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this RateLimit +func (tr *RateLimit) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this RateLimit +func (tr *RateLimit) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this RateLimit +func (tr *RateLimit) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this RateLimit +func (tr *RateLimit) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this RateLimit +func (tr *RateLimit) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this RateLimit +func (tr *RateLimit) GetInitParameters() (map[string]any, error) { + p, err := 
json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this RateLimit +func (tr *RateLimit) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this RateLimit using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *RateLimit) LateInitialize(attrs []byte) (bool, error) { + params := &RateLimitParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *RateLimit) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/quota/v1alpha1/zz_ratelimit_types.go b/apis/quota/v1alpha1/zz_ratelimit_types.go index b7076e11..89c97619 100755 --- a/apis/quota/v1alpha1/zz_ratelimit_types.go +++ b/apis/quota/v1alpha1/zz_ratelimit_types.go @@ -20,6 +20,10 @@ type RateLimitInitParameters struct { // If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' in seconds has elapsed. BlockInterval *float64 `json:"blockInterval,omitempty" tf:"block_interval,omitempty"` + // If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+. + // If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. + Inheritable *bool `json:"inheritable,omitempty" tf:"inheritable,omitempty"` + // The duration in seconds to enforce rate limiting for. // The duration in seconds to enforce rate limiting for. Interval *float64 `json:"interval,omitempty" tf:"interval,omitempty"` 
@@ -63,6 +67,10 @@ type RateLimitObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+. + // If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. + Inheritable *bool `json:"inheritable,omitempty" tf:"inheritable,omitempty"` + // The duration in seconds to enforce rate limiting for. // The duration in seconds to enforce rate limiting for. Interval *float64 `json:"interval,omitempty" tf:"interval,omitempty"` 
@@ -105,6 +113,11 @@ type RateLimitParameters struct { // +kubebuilder:validation:Optional BlockInterval *float64 `json:"blockInterval,omitempty" tf:"block_interval,omitempty"` + // If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+. + // If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. + // +kubebuilder:validation:Optional + Inheritable *bool `json:"inheritable,omitempty" tf:"inheritable,omitempty"` + // The duration in seconds to enforce rate limiting for. // The duration in seconds to enforce rate limiting for. // +kubebuilder:validation:Optional @@ -149,9 +162,8 @@ type RateLimitParameters struct { type RateLimitSpec struct { v1.ResourceSpec `json:",inline"` ForProvider RateLimitParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -170,19 +182,20 @@ type RateLimitStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // RateLimit is the Schema for the RateLimits API. Manage Rate Limit Quota -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type RateLimit struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.rate) || has(self.initProvider.rate)",message="rate is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || 
has(self.forProvider.rate) || (has(self.initProvider) && has(self.initProvider.rate))",message="spec.forProvider.rate is a required parameter" Spec RateLimitSpec `json:"spec"` Status RateLimitStatus `json:"status,omitempty"` } diff --git a/apis/rabbitmq/v1alpha1/zz_generated.conversion_hubs.go b/apis/rabbitmq/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..bd5a0ce0 --- /dev/null +++ b/apis/rabbitmq/v1alpha1/zz_generated.conversion_hubs.go @@ -0,0 +1,13 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *SecretBackend) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SecretBackendRole) Hub() {} diff --git a/apis/rabbitmq/v1alpha1/zz_generated.deepcopy.go b/apis/rabbitmq/v1alpha1/zz_generated.deepcopy.go index 46aea536..13b69715 100644 --- a/apis/rabbitmq/v1alpha1/zz_generated.deepcopy.go +++ b/apis/rabbitmq/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. @@ -10,6 +9,7 @@ Copyright 2022 Upbound Inc. package v1alpha1 import ( + "github.com/crossplane/crossplane-runtime/apis/common/v1" runtime "k8s.io/apimachinery/pkg/runtime" ) @@ -78,11 +78,13 @@ func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParame *out = new(string) **out = **in } + out.PasswordSecretRef = in.PasswordSecretRef if in.Path != nil { in, out := &in.Path, &out.Path *out = new(string) **out = **in } + out.UsernameSecretRef = in.UsernameSecretRef if in.UsernameTemplate != nil { in, out := &in.UsernameTemplate, &out.UsernameTemplate *out = new(string) 
@@ -309,6 +311,16 @@ func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleIn *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Name != nil { in, out := &in.Name, &out.Name *out = new(string) @@ -444,6 +456,16 @@ func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParame *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Name != nil { in, out := &in.Name, &out.Name *out = new(string) diff --git a/apis/rabbitmq/v1alpha1/zz_generated.managed.go b/apis/rabbitmq/v1alpha1/zz_generated.managed.go index d73589a2..c96d3bed 100644 --- a/apis/rabbitmq/v1alpha1/zz_generated.managed.go +++ b/apis/rabbitmq/v1alpha1/zz_generated.managed.go @@ -27,14 +27,6 @@ func (mg *SecretBackend) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretBackend. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretBackend) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretBackend. func (mg *SecretBackend) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -65,14 +57,6 @@ func (mg *SecretBackend) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretBackend. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretBackend) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretBackend. func (mg *SecretBackend) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -103,14 +87,6 @@ func (mg *SecretBackendRole) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretBackendRole. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretBackendRole) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretBackendRole. func (mg *SecretBackendRole) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -141,14 +117,6 @@ func (mg *SecretBackendRole) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretBackendRole. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretBackendRole) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretBackendRole. func (mg *SecretBackendRole) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/rabbitmq/v1alpha1/zz_generated.resolvers.go b/apis/rabbitmq/v1alpha1/zz_generated.resolvers.go new file mode 100644 index 00000000..e48613cc --- /dev/null +++ b/apis/rabbitmq/v1alpha1/zz_generated.resolvers.go 
@@ -0,0 +1,56 @@ +/* +Copyright 2022 Upbound Inc. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + reference "github.com/crossplane/crossplane-runtime/pkg/reference" + resource "github.com/crossplane/upjet/pkg/resource" + errors "github.com/pkg/errors" + client "sigs.k8s.io/controller-runtime/pkg/client" +) + +// ResolveReferences of this SecretBackendRole. +func (mg *SecretBackendRole) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &SecretBackendList{}, + Managed: &SecretBackend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &SecretBackendList{}, + Managed: &SecretBackend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} diff --git a/apis/rabbitmq/v1alpha1/zz_secretbackend_terraformed.go b/apis/rabbitmq/v1alpha1/zz_secretbackend_terraformed.go new file mode 100755 index 00000000..c77abd3a --- /dev/null 
+++ b/apis/rabbitmq/v1alpha1/zz_secretbackend_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretBackend +func (mg *SecretBackend) GetTerraformResourceType() string { + return "vault_rabbitmq_secret_backend" +} + +// GetConnectionDetailsMapping for this SecretBackend +func (tr *SecretBackend) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"password": "passwordSecretRef", "username": "usernameSecretRef"} +} + +// GetObservation of this SecretBackend +func (tr *SecretBackend) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretBackend +func (tr *SecretBackend) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretBackend +func (tr *SecretBackend) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretBackend +func (tr *SecretBackend) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretBackend +func (tr *SecretBackend) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// 
GetInitParameters of this SecretBackend +func (tr *SecretBackend) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretBackend +func (tr *SecretBackend) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretBackend using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { + params := &SecretBackendParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretBackend) GetTerraformSchemaVersion() int { + return 1 +} diff --git a/apis/rabbitmq/v1alpha1/zz_secretbackend_types.go b/apis/rabbitmq/v1alpha1/zz_secretbackend_types.go index 6762f736..ecc49b6b 100755 --- a/apis/rabbitmq/v1alpha1/zz_secretbackend_types.go +++ b/apis/rabbitmq/v1alpha1/zz_secretbackend_types.go @@ -49,11 +49,19 @@ type SecretBackendInitParameters struct { // Specifies a password policy to use when creating dynamic credentials. Defaults to generating an alphanumeric password if not set. PasswordPolicy *string `json:"passwordPolicy,omitempty" tf:"password_policy,omitempty"` + // Specifies the RabbitMQ management administrator password. + // Specifies the RabbitMQ management administrator password + PasswordSecretRef v1.SecretKeySelector `json:"passwordSecretRef" tf:"-"` + // The unique path this backend should be mounted at. Must // not begin or end with a /. Defaults to rabbitmq. // The path of the RabbitMQ Secret Backend where the connection should be configured Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Specifies the RabbitMQ management administrator username. + // Specifies the RabbitMQ management administrator username + UsernameSecretRef v1.SecretKeySelector `json:"usernameSecretRef" tf:"-"` + // Template describing how dynamic usernames are generated. // Template describing how dynamic usernames are generated. UsernameTemplate *string `json:"usernameTemplate,omitempty" tf:"username_template,omitempty"` 
@@ -192,9 +200,8 @@ type SecretBackendParameters struct { type SecretBackendSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -213,20 +220,21 @@ type SecretBackendStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretBackend is the Schema for the SecretBackends API. Creates an RabbitMQ secret backend for Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretBackend struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.connectionUri) || has(self.initProvider.connectionUri)",message="connectionUri is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.passwordSecretRef)",message="passwordSecretRef is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.usernameSecretRef)",message="usernameSecretRef is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || 
has(self.forProvider.connectionUri) || (has(self.initProvider) && has(self.initProvider.connectionUri))",message="spec.forProvider.connectionUri is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.passwordSecretRef)",message="spec.forProvider.passwordSecretRef is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.usernameSecretRef)",message="spec.forProvider.usernameSecretRef is a required parameter" Spec SecretBackendSpec `json:"spec"` Status SecretBackendStatus `json:"status,omitempty"` } diff --git a/apis/rabbitmq/v1alpha1/zz_generated_terraformed.go b/apis/rabbitmq/v1alpha1/zz_secretbackendrole_terraformed.go similarity index 51% rename from apis/rabbitmq/v1alpha1/zz_generated_terraformed.go rename to apis/rabbitmq/v1alpha1/zz_secretbackendrole_terraformed.go index 71dea3ab..f86f7277 100755 --- a/apis/rabbitmq/v1alpha1/zz_generated_terraformed.go +++ b/apis/rabbitmq/v1alpha1/zz_secretbackendrole_terraformed.go 
@@ -7,96 +7,13 @@ Copyright 2022 Upbound Inc. package v1alpha1 import ( + "dario.cat/mergo" "github.com/pkg/errors" - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" ) -// GetTerraformResourceType returns Terraform resource type for this SecretBackend -func (mg *SecretBackend) GetTerraformResourceType() string { - return "vault_rabbitmq_secret_backend" -} - -// GetConnectionDetailsMapping for this SecretBackend -func (tr *SecretBackend) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"password": "spec.forProvider.passwordSecretRef", "username": "spec.forProvider.usernameSecretRef"} -} - -// GetObservation of this SecretBackend -func (tr *SecretBackend) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretBackend -func (tr *SecretBackend) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this SecretBackend -func (tr *SecretBackend) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this SecretBackend -func (tr *SecretBackend) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this SecretBackend -func (tr *SecretBackend) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return 
json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this SecretBackend -func (tr *SecretBackend) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this SecretBackend using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { - params := &SecretBackendParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretBackend) GetTerraformSchemaVersion() int { - return 1 -} - // GetTerraformResourceType returns Terraform resource type for this SecretBackendRole func (mg *SecretBackendRole) GetTerraformResourceType() string { return "vault_rabbitmq_secret_backend_role" 
@@ -163,6 +80,36 @@ func (tr *SecretBackendRole) GetInitParameters() (map[string]any, error) { return base, json.TFParser.Unmarshal(p, &base) } +// GetInitParameters of this SecretBackendRole +func (tr *SecretBackendRole) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + // LateInitialize this SecretBackendRole using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackendRole) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/rabbitmq/v1alpha1/zz_secretbackendrole_types.go b/apis/rabbitmq/v1alpha1/zz_secretbackendrole_types.go index cd602734..effc992e 100755 --- a/apis/rabbitmq/v1alpha1/zz_secretbackendrole_types.go +++ b/apis/rabbitmq/v1alpha1/zz_secretbackendrole_types.go 
@@ -18,8 +18,18 @@ type SecretBackendRoleInitParameters struct { // The path the RabbitMQ secret backend is mounted at, // with no leading or trailing /s. // The path of the Rabbitmq Secret Backend the role belongs to. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/rabbitmq/v1alpha1.SecretBackend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a SecretBackend in rabbitmq to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a SecretBackend in rabbitmq to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The name to identify this role within the backend. // Must be unique within the backend. // Unique name for the role. 
@@ -84,9 +94,19 @@ type SecretBackendRoleParameters struct { // The path the RabbitMQ secret backend is mounted at, // with no leading or trailing /s. // The path of the Rabbitmq Secret Backend the role belongs to. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/rabbitmq/v1alpha1.SecretBackend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a SecretBackend in rabbitmq to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a SecretBackend in rabbitmq to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The name to identify this role within the backend. // Must be unique within the backend. // Unique name for the role. @@ -151,19 +171,19 @@ type VhostParameters struct { // The configure permissions for this vhost. // +kubebuilder:validation:Optional - Configure *string `json:"configure,omitempty" tf:"configure,omitempty"` + Configure *string `json:"configure" tf:"configure,omitempty"` // The vhost to set permissions for. // +kubebuilder:validation:Optional - Host *string `json:"host,omitempty" tf:"host,omitempty"` + Host *string `json:"host" tf:"host,omitempty"` // The read permissions for this vhost. // +kubebuilder:validation:Optional - Read *string `json:"read,omitempty" tf:"read,omitempty"` + Read *string `json:"read" tf:"read,omitempty"` // The write permissions for this vhost. // +kubebuilder:validation:Optional - Write *string `json:"write,omitempty" tf:"write,omitempty"` + Write *string `json:"write" tf:"write,omitempty"` } type VhostTopicInitParameters struct { 
@@ -190,7 +210,7 @@ type VhostTopicParameters struct { // The vhost to set permissions for. // +kubebuilder:validation:Optional - Host *string `json:"host,omitempty" tf:"host,omitempty"` + Host *string `json:"host" tf:"host,omitempty"` // Specifies a map of virtual hosts to permissions. // Specifies a map of virtual hosts to permissions. @@ -226,24 +246,23 @@ type VhostTopicVhostParameters struct { // The read permissions for this vhost. // +kubebuilder:validation:Optional - Read *string `json:"read,omitempty" tf:"read,omitempty"` + Read *string `json:"read" tf:"read,omitempty"` // The vhost to set permissions for. // +kubebuilder:validation:Optional - Topic *string `json:"topic,omitempty" tf:"topic,omitempty"` + Topic *string `json:"topic" tf:"topic,omitempty"` // The write permissions for this vhost. // +kubebuilder:validation:Optional - Write *string `json:"write,omitempty" tf:"write,omitempty"` + Write *string `json:"write" tf:"write,omitempty"` } // SecretBackendRoleSpec defines the desired state of SecretBackendRole type SecretBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendRoleParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -262,19 +281,19 @@ type SecretBackendRoleStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretBackendRole is the Schema for the SecretBackendRoles API. Creates a role on an RabbitMQ Secret Backend for Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" Spec SecretBackendRoleSpec `json:"spec"` Status SecretBackendRoleStatus `json:"status,omitempty"` } 
diff --git a/apis/raft/v1alpha1/zz_autopilot_terraformed.go b/apis/raft/v1alpha1/zz_autopilot_terraformed.go new file mode 100755 index 00000000..c87fac5b --- /dev/null +++ b/apis/raft/v1alpha1/zz_autopilot_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this Autopilot +func (mg *Autopilot) GetTerraformResourceType() string { + return "vault_raft_autopilot" +} + +// GetConnectionDetailsMapping for this Autopilot +func (tr *Autopilot) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this Autopilot +func (tr *Autopilot) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this Autopilot +func (tr *Autopilot) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this Autopilot +func (tr *Autopilot) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this Autopilot +func (tr *Autopilot) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this Autopilot +func (tr *Autopilot) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this Autopilot +func (tr *Autopilot) GetInitParameters() (map[string]any, error) { + p, err := 
json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this Autopilot +func (tr *Autopilot) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this Autopilot using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *Autopilot) LateInitialize(attrs []byte) (bool, error) { + params := &AutopilotParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *Autopilot) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/raft/v1alpha1/zz_autopilot_types.go b/apis/raft/v1alpha1/zz_autopilot_types.go index 94f10846..59568115 100755 --- a/apis/raft/v1alpha1/zz_autopilot_types.go +++ b/apis/raft/v1alpha1/zz_autopilot_types.go @@ -162,9 +162,8 @@ type AutopilotParameters struct { type AutopilotSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AutopilotParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -183,13 +182,14 @@ type AutopilotStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // Autopilot is the Schema for the Autopilots API. Configures Raft's Autopilot capabilities. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type Autopilot struct { metav1.TypeMeta `json:",inline"` diff --git a/apis/raft/v1alpha1/zz_generated.conversion_hubs.go b/apis/raft/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..a0b421d5 --- /dev/null +++ b/apis/raft/v1alpha1/zz_generated.conversion_hubs.go @@ -0,0 +1,13 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *Autopilot) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SnapshotAgentConfig) Hub() {} diff --git a/apis/raft/v1alpha1/zz_generated.deepcopy.go b/apis/raft/v1alpha1/zz_generated.deepcopy.go index aab9d1a3..dc4e4abd 100644 --- a/apis/raft/v1alpha1/zz_generated.deepcopy.go +++ b/apis/raft/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. diff --git a/apis/raft/v1alpha1/zz_generated.managed.go b/apis/raft/v1alpha1/zz_generated.managed.go index 287cbcd7..bd3df73f 100644 
--- a/apis/raft/v1alpha1/zz_generated.managed.go +++ b/apis/raft/v1alpha1/zz_generated.managed.go @@ -27,14 +27,6 @@ func (mg *Autopilot) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this Autopilot. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *Autopilot) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this Autopilot. func (mg *Autopilot) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -65,14 +57,6 @@ func (mg *Autopilot) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this Autopilot. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *Autopilot) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this Autopilot. func (mg *Autopilot) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -103,14 +87,6 @@ func (mg *SnapshotAgentConfig) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SnapshotAgentConfig. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SnapshotAgentConfig) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SnapshotAgentConfig. func (mg *SnapshotAgentConfig) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -141,14 +117,6 @@ func (mg *SnapshotAgentConfig) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SnapshotAgentConfig. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SnapshotAgentConfig) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SnapshotAgentConfig. func (mg *SnapshotAgentConfig) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/raft/v1alpha1/zz_generated_terraformed.go b/apis/raft/v1alpha1/zz_snapshotagentconfig_terraformed.go similarity index 53% rename from apis/raft/v1alpha1/zz_generated_terraformed.go rename to apis/raft/v1alpha1/zz_snapshotagentconfig_terraformed.go index 3893c9a0..7aae7589 100755 --- a/apis/raft/v1alpha1/zz_generated_terraformed.go +++ b/apis/raft/v1alpha1/zz_snapshotagentconfig_terraformed.go 
@@ -7,96 +7,13 @@ Copyright 2022 Upbound Inc. package v1alpha1 import ( + "dario.cat/mergo" "github.com/pkg/errors" - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" ) -// GetTerraformResourceType returns Terraform resource type for this Autopilot -func (mg *Autopilot) GetTerraformResourceType() string { - return "vault_raft_autopilot" -} - -// GetConnectionDetailsMapping for this Autopilot -func (tr *Autopilot) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this Autopilot -func (tr *Autopilot) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this Autopilot -func (tr *Autopilot) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this Autopilot -func (tr *Autopilot) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this Autopilot -func (tr *Autopilot) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this Autopilot -func (tr *Autopilot) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this Autopilot -func (tr *Autopilot) GetInitParameters() (map[string]any, error) { - p, err := 
json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this Autopilot using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *Autopilot) LateInitialize(attrs []byte) (bool, error) { - params := &AutopilotParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *Autopilot) GetTerraformSchemaVersion() int { - return 0 -} - // GetTerraformResourceType returns Terraform resource type for this SnapshotAgentConfig func (mg *SnapshotAgentConfig) GetTerraformResourceType() string { return "vault_raft_snapshot_agent_config" 
@@ -163,6 +80,36 @@ func (tr *SnapshotAgentConfig) GetInitParameters() (map[string]any, error) { return base, json.TFParser.Unmarshal(p, &base) } +// GetInitParameters of this SnapshotAgentConfig +func (tr *SnapshotAgentConfig) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + // LateInitialize this SnapshotAgentConfig using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SnapshotAgentConfig) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/raft/v1alpha1/zz_snapshotagentconfig_types.go b/apis/raft/v1alpha1/zz_snapshotagentconfig_types.go index f880da5f..63a7ff1d 100755 --- a/apis/raft/v1alpha1/zz_snapshotagentconfig_types.go +++ b/apis/raft/v1alpha1/zz_snapshotagentconfig_types.go 
@@ -464,9 +464,8 @@ type SnapshotAgentConfigParameters struct { type SnapshotAgentConfigSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SnapshotAgentConfigParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -485,21 +484,22 @@ type SnapshotAgentConfigStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SnapshotAgentConfig is the Schema for the SnapshotAgentConfigs API. Creates a Raft Snapshot Agent Configuration for Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SnapshotAgentConfig struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.intervalSeconds) || has(self.initProvider.intervalSeconds)",message="intervalSeconds is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.pathPrefix) || has(self.initProvider.pathPrefix)",message="pathPrefix is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in 
self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.storageType) || has(self.initProvider.storageType)",message="storageType is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.intervalSeconds) || (has(self.initProvider) && has(self.initProvider.intervalSeconds))",message="spec.forProvider.intervalSeconds is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.pathPrefix) || (has(self.initProvider) && has(self.initProvider.pathPrefix))",message="spec.forProvider.pathPrefix is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.storageType) || (has(self.initProvider) && has(self.initProvider.storageType))",message="spec.forProvider.storageType is a required parameter" Spec SnapshotAgentConfigSpec `json:"spec"` Status SnapshotAgentConfigStatus `json:"status,omitempty"` } diff --git a/apis/rgp/v1alpha1/zz_generated.conversion_hubs.go b/apis/rgp/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..8de3d5b0 --- /dev/null +++ b/apis/rgp/v1alpha1/zz_generated.conversion_hubs.go 
@@ -0,0 +1,10 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *Policy) Hub() {} diff --git a/apis/rgp/v1alpha1/zz_generated.deepcopy.go b/apis/rgp/v1alpha1/zz_generated.deepcopy.go index eb3f7c03..59d05b41 100644 --- a/apis/rgp/v1alpha1/zz_generated.deepcopy.go +++ b/apis/rgp/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. diff --git a/apis/rgp/v1alpha1/zz_generated.managed.go b/apis/rgp/v1alpha1/zz_generated.managed.go index a29e31ba..4bca39f2 100644 --- a/apis/rgp/v1alpha1/zz_generated.managed.go +++ b/apis/rgp/v1alpha1/zz_generated.managed.go @@ -27,14 +27,6 @@ func (mg *Policy) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this Policy. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *Policy) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this Policy. func (mg *Policy) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -65,14 +57,6 @@ func (mg *Policy) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this Policy. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *Policy) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this Policy. func (mg *Policy) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r 
diff --git a/apis/rgp/v1alpha1/zz_generated_terraformed.go b/apis/rgp/v1alpha1/zz_policy_terraformed.go similarity index 69% rename from apis/rgp/v1alpha1/zz_generated_terraformed.go rename to apis/rgp/v1alpha1/zz_policy_terraformed.go index ae06c29e..680df681 100755 --- a/apis/rgp/v1alpha1/zz_generated_terraformed.go +++ b/apis/rgp/v1alpha1/zz_policy_terraformed.go @@ -7,10 +7,11 @@ Copyright 2022 Upbound Inc. package v1alpha1 import ( + "dario.cat/mergo" "github.com/pkg/errors" - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" ) // GetTerraformResourceType returns Terraform resource type for this Policy 
@@ -79,6 +80,36 @@ func (tr *Policy) GetInitParameters() (map[string]any, error) { return base, json.TFParser.Unmarshal(p, &base) } +// GetInitParameters of this Policy +func (tr *Policy) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + // LateInitialize this Policy using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *Policy) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/rgp/v1alpha1/zz_policy_types.go b/apis/rgp/v1alpha1/zz_policy_types.go index c809c082..2838864b 100755 --- a/apis/rgp/v1alpha1/zz_policy_types.go +++ b/apis/rgp/v1alpha1/zz_policy_types.go 
@@ -89,9 +89,8 @@ type PolicyParameters struct { type PolicySpec struct { v1.ResourceSpec `json:",inline"` ForProvider PolicyParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -110,20 +109,21 @@ type PolicyStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // Policy is the Schema for the Policys API. Writes Sentinel role governing policies for Vault -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type Policy struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.enforcementLevel) || has(self.initProvider.enforcementLevel)",message="enforcementLevel is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.policy) || has(self.initProvider.policy)",message="policy is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || 
has(self.forProvider.enforcementLevel) || (has(self.initProvider) && has(self.initProvider.enforcementLevel))",message="spec.forProvider.enforcementLevel is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.policy) || (has(self.initProvider) && has(self.initProvider.policy))",message="spec.forProvider.policy is a required parameter" Spec PolicySpec `json:"spec"` Status PolicyStatus `json:"status,omitempty"` } diff --git a/apis/ssh/v1alpha1/zz_generated.conversion_hubs.go b/apis/ssh/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..763a69ac --- /dev/null +++ b/apis/ssh/v1alpha1/zz_generated.conversion_hubs.go @@ -0,0 +1,13 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *SecretBackendCA) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *SecretBackendRole) Hub() {} diff --git a/apis/ssh/v1alpha1/zz_generated.deepcopy.go b/apis/ssh/v1alpha1/zz_generated.deepcopy.go index da88a3e9..edf1c156 100644 --- a/apis/ssh/v1alpha1/zz_generated.deepcopy.go +++ b/apis/ssh/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. 
@@ -142,16 +141,41 @@ func (in *SecretBackendCAInitParameters) DeepCopyInto(out *SecretBackendCAInitPa *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.GenerateSigningKey != nil { in, out := &in.GenerateSigningKey, &out.GenerateSigningKey *out = new(bool) **out = **in } + if in.KeyBits != nil { + in, out := &in.KeyBits, &out.KeyBits + *out = new(float64) + **out = **in + } + if in.KeyType != nil { + in, out := &in.KeyType, &out.KeyType + *out = new(string) + **out = **in + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) **out = **in } + if in.PrivateKeySecretRef != nil { + in, out := &in.PrivateKeySecretRef, &out.PrivateKeySecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.PublicKey != nil { in, out := &in.PublicKey, &out.PublicKey *out = new(string) @@ -219,6 +243,16 @@ func (in *SecretBackendCAObservation) DeepCopyInto(out *SecretBackendCAObservati *out = new(string) **out = **in } + if in.KeyBits != nil { + in, out := &in.KeyBits, &out.KeyBits + *out = new(float64) + **out = **in + } + if in.KeyType != nil { + in, out := &in.KeyType, &out.KeyType + *out = new(string) + **out = **in + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) 
@@ -249,11 +283,31 @@ func (in *SecretBackendCAParameters) DeepCopyInto(out *SecretBackendCAParameters *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.GenerateSigningKey != nil { in, out := &in.GenerateSigningKey, &out.GenerateSigningKey *out = new(bool) **out = **in } + if in.KeyBits != nil { + in, out := &in.KeyBits, &out.KeyBits + *out = new(float64) + **out = **in + } + if in.KeyType != nil { + in, out := &in.KeyType, &out.KeyType + *out = new(string) + **out = **in + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) @@ -403,21 +457,6 @@ func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleIn (*in)[i].DeepCopyInto(&(*out)[i]) } } - if in.AllowedUserKeyLengths != nil { - in, out := &in.AllowedUserKeyLengths, &out.AllowedUserKeyLengths - *out = make(map[string]*float64, len(*in)) - for key, val := range *in { - var outVal *float64 - if val == nil { - (*out)[key] = nil - } else { - in, out := &val, &outVal - *out = new(float64) - **out = **in - } - (*out)[key] = outVal - } - } if in.AllowedUsers != nil { in, out := &in.AllowedUsers, &out.AllowedUsers *out = new(string) @@ -433,6 +472,16 @@ func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleIn *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.CidrList != nil { in, out := &in.CidrList, &out.CidrList *out = new(string) 
@@ -446,7 +495,8 @@ func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleIn if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -461,7 +511,8 @@ func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleIn if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -617,21 +668,6 @@ func (in *SecretBackendRoleObservation) DeepCopyInto(out *SecretBackendRoleObser (*in)[i].DeepCopyInto(&(*out)[i]) } } - if in.AllowedUserKeyLengths != nil { - in, out := &in.AllowedUserKeyLengths, &out.AllowedUserKeyLengths - *out = make(map[string]*float64, len(*in)) - for key, val := range *in { - var outVal *float64 - if val == nil { - (*out)[key] = nil - } else { - in, out := &val, &outVal - *out = new(float64) - **out = **in - } - (*out)[key] = outVal - } - } if in.AllowedUsers != nil { in, out := &in.AllowedUsers, &out.AllowedUsers *out = new(string) @@ -660,7 +696,8 @@ func (in *SecretBackendRoleObservation) DeepCopyInto(out *SecretBackendRoleObser if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -675,7 +712,8 @@ func (in *SecretBackendRoleObservation) DeepCopyInto(out *SecretBackendRoleObser if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } 
@@ -804,21 +842,6 @@ func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParame (*in)[i].DeepCopyInto(&(*out)[i]) } } - if in.AllowedUserKeyLengths != nil { - in, out := &in.AllowedUserKeyLengths, &out.AllowedUserKeyLengths - *out = make(map[string]*float64, len(*in)) - for key, val := range *in { - var outVal *float64 - if val == nil { - (*out)[key] = nil - } else { - in, out := &val, &outVal - *out = new(float64) - **out = **in - } - (*out)[key] = outVal - } - } if in.AllowedUsers != nil { in, out := &in.AllowedUsers, &out.AllowedUsers *out = new(string) @@ -834,6 +857,16 @@ func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParame *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.CidrList != nil { in, out := &in.CidrList, &out.CidrList *out = new(string) @@ -847,7 +880,8 @@ func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParame if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -862,7 +896,8 @@ func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParame if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } diff --git a/apis/ssh/v1alpha1/zz_generated.managed.go b/apis/ssh/v1alpha1/zz_generated.managed.go index b47698da..5e804e7c 100644 --- a/apis/ssh/v1alpha1/zz_generated.managed.go +++ b/apis/ssh/v1alpha1/zz_generated.managed.go 
@@ -27,14 +27,6 @@ func (mg *SecretBackendCA) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretBackendCA. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretBackendCA) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretBackendCA. func (mg *SecretBackendCA) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -65,14 +57,6 @@ func (mg *SecretBackendCA) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretBackendCA. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretBackendCA) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretBackendCA. func (mg *SecretBackendCA) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -103,14 +87,6 @@ func (mg *SecretBackendRole) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretBackendRole. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretBackendRole) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretBackendRole. func (mg *SecretBackendRole) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -141,14 +117,6 @@ func (mg *SecretBackendRole) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretBackendRole. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretBackendRole) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretBackendRole. func (mg *SecretBackendRole) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/ssh/v1alpha1/zz_generated.resolvers.go b/apis/ssh/v1alpha1/zz_generated.resolvers.go new file mode 100644 index 00000000..9024510e --- /dev/null +++ b/apis/ssh/v1alpha1/zz_generated.resolvers.go 
@@ -0,0 +1,99 @@ +/* +Copyright 2022 Upbound Inc. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + reference "github.com/crossplane/crossplane-runtime/pkg/reference" + resource "github.com/crossplane/upjet/pkg/resource" + errors "github.com/pkg/errors" + v1alpha1 "github.com/upbound/provider-vault/apis/vault/v1alpha1" + client "sigs.k8s.io/controller-runtime/pkg/client" +) + +// ResolveReferences of this SecretBackendCA. +func (mg *SecretBackendCA) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this SecretBackendRole. 
+func (mg *SecretBackendRole) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} diff --git a/apis/ssh/v1alpha1/zz_secretbackendca_terraformed.go b/apis/ssh/v1alpha1/zz_secretbackendca_terraformed.go new file mode 100755 index 00000000..89d0c812 --- /dev/null +++ b/apis/ssh/v1alpha1/zz_secretbackendca_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this SecretBackendCA +func (mg *SecretBackendCA) GetTerraformResourceType() string { + return "vault_ssh_secret_backend_ca" +} + +// GetConnectionDetailsMapping for this SecretBackendCA +func (tr *SecretBackendCA) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"private_key": "privateKeySecretRef"} +} + +// GetObservation of this SecretBackendCA +func (tr *SecretBackendCA) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this SecretBackendCA +func (tr *SecretBackendCA) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this SecretBackendCA +func (tr *SecretBackendCA) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this SecretBackendCA +func (tr *SecretBackendCA) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this SecretBackendCA +func (tr *SecretBackendCA) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// 
GetInitParameters of this SecretBackendCA +func (tr *SecretBackendCA) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this SecretBackendCA +func (tr *SecretBackendCA) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this SecretBackendCA using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *SecretBackendCA) LateInitialize(attrs []byte) (bool, error) { + params := &SecretBackendCAParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *SecretBackendCA) GetTerraformSchemaVersion() int { + return 1 +} diff --git a/apis/ssh/v1alpha1/zz_secretbackendca_types.go b/apis/ssh/v1alpha1/zz_secretbackendca_types.go index 9336d73a..5baf9ac6 100755 --- a/apis/ssh/v1alpha1/zz_secretbackendca_types.go +++ b/apis/ssh/v1alpha1/zz_secretbackendca_types.go 
@@ -17,12 +17,30 @@ type SecretBackendCAInitParameters struct { // The path where the SSH secret backend is mounted. Defaults to 'ssh' // The path of the SSH Secret Backend where the CA should be configured + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Whether Vault should generate the signing key pair internally. Defaults to true // Whether Vault should generate the signing key pair internally. GenerateSigningKey *bool `json:"generateSigningKey,omitempty" tf:"generate_signing_key,omitempty"` + // Specifies the desired key bits for the generated SSH CA key when generate_signing_key is set to true. + // Specifies the desired key bits for the generated SSH CA key when `generate_signing_key` is set to `true`. + KeyBits *float64 `json:"keyBits,omitempty" tf:"key_bits,omitempty"` + + // Specifies the desired key type for the generated SSH CA key when generate_signing_key is set to true. + // Specifies the desired key type for the generated SSH CA key when `generate_signing_key` is set to `true`. + KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. 
@@ -30,6 +48,10 @@ type SecretBackendCAInitParameters struct { // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // The private key part the SSH CA key pair; required if generate_signing_key is false. + // Private key part the SSH CA key pair; required if generate_signing_key is false. + PrivateKeySecretRef *v1.SecretKeySelector `json:"privateKeySecretRef,omitempty" tf:"-"` + // The public key part the SSH CA key pair; required if generate_signing_key is false. // Public key part the SSH CA key pair; required if generate_signing_key is false. PublicKey *string `json:"publicKey,omitempty" tf:"public_key,omitempty"` @@ -47,6 +69,14 @@ type SecretBackendCAObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // Specifies the desired key bits for the generated SSH CA key when generate_signing_key is set to true. + // Specifies the desired key bits for the generated SSH CA key when `generate_signing_key` is set to `true`. + KeyBits *float64 `json:"keyBits,omitempty" tf:"key_bits,omitempty"` + + // Specifies the desired key type for the generated SSH CA key when generate_signing_key is set to true. + // Specifies the desired key type for the generated SSH CA key when `generate_signing_key` is set to `true`. + KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. 
@@ -63,14 +93,34 @@ type SecretBackendCAParameters struct { // The path where the SSH secret backend is mounted. Defaults to 'ssh' // The path of the SSH Secret Backend where the CA should be configured + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Whether Vault should generate the signing key pair internally. Defaults to true // Whether Vault should generate the signing key pair internally. // +kubebuilder:validation:Optional GenerateSigningKey *bool `json:"generateSigningKey,omitempty" tf:"generate_signing_key,omitempty"` + // Specifies the desired key bits for the generated SSH CA key when generate_signing_key is set to true. + // Specifies the desired key bits for the generated SSH CA key when `generate_signing_key` is set to `true`. + // +kubebuilder:validation:Optional + KeyBits *float64 `json:"keyBits,omitempty" tf:"key_bits,omitempty"` + + // Specifies the desired key type for the generated SSH CA key when generate_signing_key is set to true. + // Specifies the desired key type for the generated SSH CA key when `generate_signing_key` is set to `true`. + // +kubebuilder:validation:Optional + KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. 
@@ -94,9 +144,8 @@ type SecretBackendCAParameters struct { type SecretBackendCASpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendCAParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. @@ -115,13 +164,14 @@ type SecretBackendCAStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretBackendCA is the Schema for the SecretBackendCAs API. Managing CA information in an SSH secret backend in Vault -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretBackendCA struct { metav1.TypeMeta `json:",inline"` 
diff --git a/apis/ssh/v1alpha1/zz_generated_terraformed.go b/apis/ssh/v1alpha1/zz_secretbackendrole_terraformed.go similarity index 51% rename from apis/ssh/v1alpha1/zz_generated_terraformed.go rename to apis/ssh/v1alpha1/zz_secretbackendrole_terraformed.go index a74c1eae..6fbdde79 100755 --- a/apis/ssh/v1alpha1/zz_generated_terraformed.go +++ b/apis/ssh/v1alpha1/zz_secretbackendrole_terraformed.go 
@@ -7,96 +7,13 @@ Copyright 2022 Upbound Inc. package v1alpha1 import ( + "dario.cat/mergo" "github.com/pkg/errors" - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" ) -// GetTerraformResourceType returns Terraform resource type for this SecretBackendCA -func (mg *SecretBackendCA) GetTerraformResourceType() string { - return "vault_ssh_secret_backend_ca" -} - -// GetConnectionDetailsMapping for this SecretBackendCA -func (tr *SecretBackendCA) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"private_key": "spec.forProvider.privateKeySecretRef"} -} - -// GetObservation of this SecretBackendCA -func (tr *SecretBackendCA) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this SecretBackendCA -func (tr *SecretBackendCA) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this SecretBackendCA -func (tr *SecretBackendCA) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this SecretBackendCA -func (tr *SecretBackendCA) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this SecretBackendCA -func (tr *SecretBackendCA) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, 
&tr.Spec.ForProvider) -} - -// GetInitParameters of this SecretBackendCA -func (tr *SecretBackendCA) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this SecretBackendCA using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *SecretBackendCA) LateInitialize(attrs []byte) (bool, error) { - params := &SecretBackendCAParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *SecretBackendCA) GetTerraformSchemaVersion() int { - return 0 -} - // GetTerraformResourceType returns Terraform resource type for this SecretBackendRole func (mg *SecretBackendRole) GetTerraformResourceType() string { return "vault_ssh_secret_backend_role" 
@@ -163,6 +80,36 @@ func (tr *SecretBackendRole) GetInitParameters() (map[string]any, error) { return base, json.TFParser.Unmarshal(p, &base) } +// GetInitParameters of this SecretBackendRole +func (tr *SecretBackendRole) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + // LateInitialize this SecretBackendRole using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackendRole) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/ssh/v1alpha1/zz_secretbackendrole_types.go b/apis/ssh/v1alpha1/zz_secretbackendrole_types.go index 3245b47e..c4839a63 100755 --- a/apis/ssh/v1alpha1/zz_secretbackendrole_types.go +++ b/apis/ssh/v1alpha1/zz_secretbackendrole_types.go 
@@ -57,7 +57,7 @@ type AllowedUserKeyConfigParameters struct { // must be set to a single element list. // List of allowed key lengths, vault-1.10 and above // +kubebuilder:validation:Optional - Lengths []*float64 `json:"lengths,omitempty" tf:"lengths,omitempty"` + Lengths []*float64 `json:"lengths" tf:"lengths,omitempty"` // The SSH public key type. // Supported key types are: @@ -66,7 +66,7 @@ type AllowedUserKeyConfigParameters struct { // Key type, choices: // rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521 // +kubebuilder:validation:Optional - Type *string `json:"type,omitempty" tf:"type,omitempty"` + Type *string `json:"type" tf:"type,omitempty"` } type SecretBackendRoleInitParameters struct { @@ -108,11 +108,6 @@ type SecretBackendRoleInitParameters struct { // Set of allowed public key types and their relevant configuration AllowedUserKeyConfig []AllowedUserKeyConfigInitParameters `json:"allowedUserKeyConfig,omitempty" tf:"allowed_user_key_config,omitempty"` - // Specifies a map of ssh key types and their expected sizes which - // are allowed to be signed by the CA type. - // Deprecated: use allowed_user_key_config instead - AllowedUserKeyLengths map[string]*float64 `json:"allowedUserKeyLengths,omitempty" tf:"allowed_user_key_lengths,omitempty"` - // Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed. AllowedUsers *string `json:"allowedUsers,omitempty" tf:"allowed_users,omitempty"` 
@@ -120,15 +115,27 @@ type SecretBackendRoleInitParameters struct { AllowedUsersTemplate *bool `json:"allowedUsersTemplate,omitempty" tf:"allowed_users_template,omitempty"` // The path where the SSH secret backend is mounted. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The comma-separated string of CIDR blocks for which this role is applicable. CidrList *string `json:"cidrList,omitempty" tf:"cidr_list,omitempty"` // Specifies a map of critical options that certificates have when signed. + // +mapType=granular DefaultCriticalOptions map[string]*string `json:"defaultCriticalOptions,omitempty" tf:"default_critical_options,omitempty"` // Specifies a map of extensions that certificates have when signed. + // +mapType=granular DefaultExtensions map[string]*string `json:"defaultExtensions,omitempty" tf:"default_extensions,omitempty"` // Specifies the default username for which a credential will be generated. 
@@ -205,11 +212,6 @@ type SecretBackendRoleObservation struct { // Set of allowed public key types and their relevant configuration AllowedUserKeyConfig []AllowedUserKeyConfigObservation `json:"allowedUserKeyConfig,omitempty" tf:"allowed_user_key_config,omitempty"` - // Specifies a map of ssh key types and their expected sizes which - // are allowed to be signed by the CA type. - // Deprecated: use allowed_user_key_config instead - AllowedUserKeyLengths map[string]*float64 `json:"allowedUserKeyLengths,omitempty" tf:"allowed_user_key_lengths,omitempty"` - // Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed. AllowedUsers *string `json:"allowedUsers,omitempty" tf:"allowed_users,omitempty"` @@ -223,9 +225,11 @@ type SecretBackendRoleObservation struct { CidrList *string `json:"cidrList,omitempty" tf:"cidr_list,omitempty"` // Specifies a map of critical options that certificates have when signed. + // +mapType=granular DefaultCriticalOptions map[string]*string `json:"defaultCriticalOptions,omitempty" tf:"default_critical_options,omitempty"` // Specifies a map of extensions that certificates have when signed. + // +mapType=granular DefaultExtensions map[string]*string `json:"defaultExtensions,omitempty" tf:"default_extensions,omitempty"` // Specifies the default username for which a credential will be generated. 
@@ -315,12 +319,6 @@ type SecretBackendRoleParameters struct { // +kubebuilder:validation:Optional AllowedUserKeyConfig []AllowedUserKeyConfigParameters `json:"allowedUserKeyConfig,omitempty" tf:"allowed_user_key_config,omitempty"` - // Specifies a map of ssh key types and their expected sizes which - // are allowed to be signed by the CA type. - // Deprecated: use allowed_user_key_config instead - // +kubebuilder:validation:Optional - AllowedUserKeyLengths map[string]*float64 `json:"allowedUserKeyLengths,omitempty" tf:"allowed_user_key_lengths,omitempty"` - // Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed. // +kubebuilder:validation:Optional AllowedUsers *string `json:"allowedUsers,omitempty" tf:"allowed_users,omitempty"` 
@@ -330,19 +328,31 @@ type SecretBackendRoleParameters struct { AllowedUsersTemplate *bool `json:"allowedUsersTemplate,omitempty" tf:"allowed_users_template,omitempty"` // The path where the SSH secret backend is mounted. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The comma-separated string of CIDR blocks for which this role is applicable. // +kubebuilder:validation:Optional CidrList *string `json:"cidrList,omitempty" tf:"cidr_list,omitempty"` // Specifies a map of critical options that certificates have when signed. // +kubebuilder:validation:Optional + // +mapType=granular DefaultCriticalOptions map[string]*string `json:"defaultCriticalOptions,omitempty" tf:"default_critical_options,omitempty"` // Specifies a map of extensions that certificates have when signed. // +kubebuilder:validation:Optional + // +mapType=granular DefaultExtensions map[string]*string `json:"defaultExtensions,omitempty" tf:"default_extensions,omitempty"` // Specifies the default username for which a credential will be generated. 
@@ -393,9 +403,8 @@ type SecretBackendRoleParameters struct { type SecretBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendRoleParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -414,20 +423,20 @@ type SecretBackendRoleStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretBackendRole is the Schema for the SecretBackendRoles API. Managing roles in an SSH secret backend in Vault -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.keyType) || has(self.initProvider.keyType)",message="keyType is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in 
self.managementPolicies) || has(self.forProvider.keyType) || (has(self.initProvider) && has(self.initProvider.keyType))",message="spec.forProvider.keyType is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" Spec SecretBackendRoleSpec `json:"spec"` Status SecretBackendRoleStatus `json:"status,omitempty"` } diff --git a/apis/terraform/v1alpha1/zz_cloudsecretbackend_terraformed.go b/apis/terraform/v1alpha1/zz_cloudsecretbackend_terraformed.go new file mode 100755 index 00000000..2b198a50 --- /dev/null +++ b/apis/terraform/v1alpha1/zz_cloudsecretbackend_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this CloudSecretBackend +func (mg *CloudSecretBackend) GetTerraformResourceType() string { + return "vault_terraform_cloud_secret_backend" +} + +// GetConnectionDetailsMapping for this CloudSecretBackend +func (tr *CloudSecretBackend) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"token": "tokenSecretRef"} +} + +// GetObservation of this CloudSecretBackend +func (tr *CloudSecretBackend) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this CloudSecretBackend +func (tr *CloudSecretBackend) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this CloudSecretBackend +func (tr *CloudSecretBackend) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this CloudSecretBackend +func (tr *CloudSecretBackend) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this CloudSecretBackend +func (tr *CloudSecretBackend) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, 
&tr.Spec.ForProvider) +} + +// GetInitParameters of this CloudSecretBackend +func (tr *CloudSecretBackend) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this CloudSecretBackend +func (tr *CloudSecretBackend) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this CloudSecretBackend using its observed tfState. +// returns True if there are any spec changes for the resource. 
+func (tr *CloudSecretBackend) LateInitialize(attrs []byte) (bool, error) { + params := &CloudSecretBackendParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *CloudSecretBackend) GetTerraformSchemaVersion() int { + return 1 +} diff --git a/apis/terraform/v1alpha1/zz_cloudsecretbackend_types.go b/apis/terraform/v1alpha1/zz_cloudsecretbackend_types.go index 4f021105..31d1f4f8 100755 --- a/apis/terraform/v1alpha1/zz_cloudsecretbackend_types.go +++ b/apis/terraform/v1alpha1/zz_cloudsecretbackend_types.go @@ -15,7 +15,8 @@ import ( type CloudSecretBackendInitParameters struct { - // 0.0.1:8500". + // The default is + // https://app.0.0.1:8500". Address *string `json:"address,omitempty" tf:"address,omitempty"` // The unique location this backend should be mounted at. Must not begin or end with a / @@ -47,11 +48,14 @@ type CloudSecretBackendInitParameters struct { // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + + TokenSecretRef *v1.SecretKeySelector `json:"tokenSecretRef,omitempty" tf:"-"` } type CloudSecretBackendObservation struct { - // 0.0.1:8500". + // The default is + // https://app.0.0.1:8500". Address *string `json:"address,omitempty" tf:"address,omitempty"` // The unique location this backend should be mounted at. Must not begin or end with a / 
@@ -89,7 +93,8 @@ type CloudSecretBackendObservation struct { type CloudSecretBackendParameters struct { - // 0.0.1:8500". + // The default is + // https://app.0.0.1:8500". // +kubebuilder:validation:Optional Address *string `json:"address,omitempty" tf:"address,omitempty"` @@ -138,9 +143,8 @@ type CloudSecretBackendParameters struct { type CloudSecretBackendSpec struct { v1.ResourceSpec `json:",inline"` ForProvider CloudSecretBackendParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. @@ -159,13 +163,14 @@ type CloudSecretBackendStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // CloudSecretBackend is the Schema for the CloudSecretBackends API. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type CloudSecretBackend struct { metav1.TypeMeta `json:",inline"` 
diff --git a/apis/terraform/v1alpha1/zz_cloudsecretcreds_terraformed.go b/apis/terraform/v1alpha1/zz_cloudsecretcreds_terraformed.go new file mode 100755 index 00000000..0e82544c --- /dev/null +++ b/apis/terraform/v1alpha1/zz_cloudsecretcreds_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this CloudSecretCreds +func (mg *CloudSecretCreds) GetTerraformResourceType() string { + return "vault_terraform_cloud_secret_creds" +} + +// GetConnectionDetailsMapping for this CloudSecretCreds +func (tr *CloudSecretCreds) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"lease_id": "status.atProvider.leaseId", "token": "status.atProvider.token"} +} + +// GetObservation of this CloudSecretCreds +func (tr *CloudSecretCreds) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this CloudSecretCreds +func (tr *CloudSecretCreds) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this CloudSecretCreds +func (tr *CloudSecretCreds) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this CloudSecretCreds +func (tr *CloudSecretCreds) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this CloudSecretCreds +func (tr *CloudSecretCreds) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return 
json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this CloudSecretCreds +func (tr *CloudSecretCreds) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this CloudSecretCreds +func (tr *CloudSecretCreds) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this CloudSecretCreds using its observed tfState. +// returns True if there are any spec changes for the resource. 
+func (tr *CloudSecretCreds) LateInitialize(attrs []byte) (bool, error) { + params := &CloudSecretCredsParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *CloudSecretCreds) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/terraform/v1alpha1/zz_cloudsecretcreds_types.go b/apis/terraform/v1alpha1/zz_cloudsecretcreds_types.go index e78ea983..1850b3b5 100755 --- a/apis/terraform/v1alpha1/zz_cloudsecretcreds_types.go +++ b/apis/terraform/v1alpha1/zz_cloudsecretcreds_types.go 
@@ -15,11 +15,21 @@ import ( type CloudSecretCredsInitParameters struct { - // the path to the Upbound official provider cloud secret backend to + // the path to the provider cloud secret backend to // read credentials from, with no leading or trailing /s. - // Upbound official provider cloud secret backend to generate tokens from + // provider cloud secret backend to generate tokens from + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/terraform/v1alpha1.CloudSecretBackend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("backend",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a CloudSecretBackend in terraform to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a CloudSecretBackend in terraform to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. 
@@ -28,14 +38,24 @@ type CloudSecretCredsInitParameters struct { Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` // Name of the role. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/terraform/v1alpha1.CloudSecretRole + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("name",false) Role *string `json:"role,omitempty" tf:"role,omitempty"` + + // Reference to a CloudSecretRole in terraform to populate role. + // +kubebuilder:validation:Optional + RoleRef *v1.Reference `json:"roleRef,omitempty" tf:"-"` + + // Selector for a CloudSecretRole in terraform to populate role. + // +kubebuilder:validation:Optional + RoleSelector *v1.Selector `json:"roleSelector,omitempty" tf:"-"` } type CloudSecretCredsObservation struct { - // the path to the Upbound official provider cloud secret backend to + // the path to the provider cloud secret backend to // read credentials from, with no leading or trailing /s. - // Upbound official provider cloud secret backend to generate tokens from + // provider cloud secret backend to generate tokens from Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` 
@@ -63,12 +83,22 @@ type CloudSecretCredsObservation struct { type CloudSecretCredsParameters struct { - // the path to the Upbound official provider cloud secret backend to + // the path to the provider cloud secret backend to // read credentials from, with no leading or trailing /s. - // Upbound official provider cloud secret backend to generate tokens from + // provider cloud secret backend to generate tokens from + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/terraform/v1alpha1.CloudSecretBackend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("backend",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a CloudSecretBackend in terraform to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a CloudSecretBackend in terraform to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. 
@@ -78,17 +108,26 @@ type CloudSecretCredsParameters struct { Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` // Name of the role. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/terraform/v1alpha1.CloudSecretRole + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("name",false) // +kubebuilder:validation:Optional Role *string `json:"role,omitempty" tf:"role,omitempty"` + + // Reference to a CloudSecretRole in terraform to populate role. + // +kubebuilder:validation:Optional + RoleRef *v1.Reference `json:"roleRef,omitempty" tf:"-"` + + // Selector for a CloudSecretRole in terraform to populate role. + // +kubebuilder:validation:Optional + RoleSelector *v1.Selector `json:"roleSelector,omitempty" tf:"-"` } // CloudSecretCredsSpec defines the desired state of CloudSecretCreds type CloudSecretCredsSpec struct { v1.ResourceSpec `json:",inline"` ForProvider CloudSecretCredsParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -107,21 +146,20 @@ type CloudSecretCredsStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // CloudSecretCreds is the Schema for the CloudSecretCredss API. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type CloudSecretCreds struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.role) || has(self.initProvider.role)",message="role is a required parameter" - Spec CloudSecretCredsSpec `json:"spec"` - Status CloudSecretCredsStatus `json:"status,omitempty"` + Spec CloudSecretCredsSpec `json:"spec"` + Status CloudSecretCredsStatus `json:"status,omitempty"` } // +kubebuilder:object:root=true diff --git a/apis/terraform/v1alpha1/zz_cloudsecretrole_terraformed.go b/apis/terraform/v1alpha1/zz_cloudsecretrole_terraformed.go new file mode 100755 index 00000000..9ab1edb2 --- /dev/null 
+++ b/apis/terraform/v1alpha1/zz_cloudsecretrole_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this CloudSecretRole +func (mg *CloudSecretRole) GetTerraformResourceType() string { + return "vault_terraform_cloud_secret_role" +} + +// GetConnectionDetailsMapping for this CloudSecretRole +func (tr *CloudSecretRole) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this CloudSecretRole +func (tr *CloudSecretRole) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this CloudSecretRole +func (tr *CloudSecretRole) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this CloudSecretRole +func (tr *CloudSecretRole) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this CloudSecretRole +func (tr *CloudSecretRole) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this CloudSecretRole +func (tr *CloudSecretRole) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this CloudSecretRole +func (tr 
*CloudSecretRole) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this CloudSecretRole +func (tr *CloudSecretRole) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this CloudSecretRole using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *CloudSecretRole) LateInitialize(attrs []byte) (bool, error) { + params := &CloudSecretRoleParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *CloudSecretRole) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/terraform/v1alpha1/zz_cloudsecretrole_types.go b/apis/terraform/v1alpha1/zz_cloudsecretrole_types.go index ecac491a..3fc04fb4 100755 --- a/apis/terraform/v1alpha1/zz_cloudsecretrole_types.go +++ b/apis/terraform/v1alpha1/zz_cloudsecretrole_types.go @@ -16,14 +16,24 @@ import ( type CloudSecretRoleInitParameters struct { // Must not begin or end with a /. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/terraform/v1alpha1.CloudSecretBackend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("backend",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a CloudSecretBackend in terraform to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a CloudSecretBackend in terraform to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Maximum TTL for leases associated with this role, in seconds. // Maximum allowed lease for generated credentials. If not set or set to 0, will use system default. MaxTTL *float64 `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` - // the name of the Upbound official provider cloud secrets engine role to create. - // the name of an existing role against which to create this Upbound official provider cloud credential + // the name of the provider cloud secrets engine role to create. + // the name of an existing role against which to create this provider cloud credential Name *string `json:"name,omitempty" tf:"name,omitempty"` // The namespace to provision the resource in. 
@@ -33,8 +43,8 @@ type CloudSecretRoleInitParameters struct { // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` - // the organization name managing your Upbound official provider cloud instance. - // name of the Upbound official provider cloud or enterprise organization + // the organization name managing your provider cloud instance. + // name of the provider cloud or enterprise organization Organization *string `json:"organization,omitempty" tf:"organization,omitempty"` // Specifies the TTL for this role. @@ -59,8 +69,8 @@ type CloudSecretRoleObservation struct { // Maximum allowed lease for generated credentials. If not set or set to 0, will use system default. MaxTTL *float64 `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` - // the name of the Upbound official provider cloud secrets engine role to create. - // the name of an existing role against which to create this Upbound official provider cloud credential + // the name of the provider cloud secrets engine role to create. + // the name of an existing role against which to create this provider cloud credential Name *string `json:"name,omitempty" tf:"name,omitempty"` // The namespace to provision the resource in. @@ -70,8 +80,8 @@ type CloudSecretRoleObservation struct { // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` - // the organization name managing your Upbound official provider cloud instance. - // name of the Upbound official provider cloud or enterprise organization + // the organization name managing your provider cloud instance. + // name of the provider cloud or enterprise organization Organization *string `json:"organization,omitempty" tf:"organization,omitempty"` // Specifies the TTL for this role. 
@@ -88,16 +98,26 @@ type CloudSecretRoleObservation struct { type CloudSecretRoleParameters struct { // Must not begin or end with a /. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/terraform/v1alpha1.CloudSecretBackend + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("backend",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a CloudSecretBackend in terraform to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a CloudSecretBackend in terraform to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Maximum TTL for leases associated with this role, in seconds. // Maximum allowed lease for generated credentials. If not set or set to 0, will use system default. // +kubebuilder:validation:Optional MaxTTL *float64 `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"` - // the name of the Upbound official provider cloud secrets engine role to create. - // the name of an existing role against which to create this Upbound official provider cloud credential + // the name of the provider cloud secrets engine role to create. + // the name of an existing role against which to create this provider cloud credential // +kubebuilder:validation:Optional Name *string `json:"name,omitempty" tf:"name,omitempty"` 
@@ -109,8 +129,8 @@ type CloudSecretRoleParameters struct { // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` - // the organization name managing your Upbound official provider cloud instance. - // name of the Upbound official provider cloud or enterprise organization + // the organization name managing your provider cloud instance. + // name of the provider cloud or enterprise organization // +kubebuilder:validation:Optional Organization *string `json:"organization,omitempty" tf:"organization,omitempty"` @@ -132,9 +152,8 @@ type CloudSecretRoleParameters struct { type CloudSecretRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider CloudSecretRoleParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -153,18 +172,19 @@ type CloudSecretRoleStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // CloudSecretRole is the Schema for the CloudSecretRoles API. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type CloudSecretRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" Spec CloudSecretRoleSpec `json:"spec"` Status CloudSecretRoleStatus `json:"status,omitempty"` } diff --git a/apis/terraform/v1alpha1/zz_generated.conversion_hubs.go b/apis/terraform/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..a8836af3 --- /dev/null +++ b/apis/terraform/v1alpha1/zz_generated.conversion_hubs.go 
@@ -0,0 +1,16 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *CloudSecretBackend) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *CloudSecretCreds) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *CloudSecretRole) Hub() {} diff --git a/apis/terraform/v1alpha1/zz_generated.deepcopy.go b/apis/terraform/v1alpha1/zz_generated.deepcopy.go index 7dbf8efe..f5180870 100644 --- a/apis/terraform/v1alpha1/zz_generated.deepcopy.go +++ b/apis/terraform/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. @@ -84,6 +83,11 @@ func (in *CloudSecretBackendInitParameters) DeepCopyInto(out *CloudSecretBackend *out = new(string) **out = **in } + if in.TokenSecretRef != nil { + in, out := &in.TokenSecretRef, &out.TokenSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloudSecretBackendInitParameters. @@ -318,6 +322,16 @@ func (in *CloudSecretCredsInitParameters) DeepCopyInto(out *CloudSecretCredsInit *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) 
@@ -328,6 +342,16 @@ func (in *CloudSecretCredsInitParameters) DeepCopyInto(out *CloudSecretCredsInit *out = new(string) **out = **in } + if in.RoleRef != nil { + in, out := &in.RoleRef, &out.RoleRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.RoleSelector != nil { + in, out := &in.RoleSelector, &out.RoleSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloudSecretCredsInitParameters. @@ -430,6 +454,16 @@ func (in *CloudSecretCredsParameters) DeepCopyInto(out *CloudSecretCredsParamete *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) @@ -440,6 +474,16 @@ func (in *CloudSecretCredsParameters) DeepCopyInto(out *CloudSecretCredsParamete *out = new(string) **out = **in } + if in.RoleRef != nil { + in, out := &in.RoleRef, &out.RoleRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.RoleSelector != nil { + in, out := &in.RoleSelector, &out.RoleSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloudSecretCredsParameters. 
@@ -522,6 +566,16 @@ func (in *CloudSecretRoleInitParameters) DeepCopyInto(out *CloudSecretRoleInitPa *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.MaxTTL != nil { in, out := &in.MaxTTL, &out.MaxTTL *out = new(float64) @@ -669,6 +723,16 @@ func (in *CloudSecretRoleParameters) DeepCopyInto(out *CloudSecretRoleParameters *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.MaxTTL != nil { in, out := &in.MaxTTL, &out.MaxTTL *out = new(float64) diff --git a/apis/terraform/v1alpha1/zz_generated.managed.go b/apis/terraform/v1alpha1/zz_generated.managed.go index 7d8e2ab2..1e20893f 100644 --- a/apis/terraform/v1alpha1/zz_generated.managed.go +++ b/apis/terraform/v1alpha1/zz_generated.managed.go @@ -27,14 +27,6 @@ func (mg *CloudSecretBackend) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this CloudSecretBackend. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *CloudSecretBackend) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this CloudSecretBackend. func (mg *CloudSecretBackend) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -65,14 +57,6 @@ func (mg *CloudSecretBackend) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this CloudSecretBackend. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *CloudSecretBackend) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this CloudSecretBackend. func (mg *CloudSecretBackend) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -103,14 +87,6 @@ func (mg *CloudSecretCreds) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this CloudSecretCreds. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *CloudSecretCreds) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this CloudSecretCreds. func (mg *CloudSecretCreds) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -141,14 +117,6 @@ func (mg *CloudSecretCreds) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this CloudSecretCreds. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *CloudSecretCreds) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this CloudSecretCreds. func (mg *CloudSecretCreds) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r 
@@ -179,14 +147,6 @@ func (mg *CloudSecretRole) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this CloudSecretRole. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *CloudSecretRole) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this CloudSecretRole. func (mg *CloudSecretRole) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -217,14 +177,6 @@ func (mg *CloudSecretRole) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this CloudSecretRole. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *CloudSecretRole) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this CloudSecretRole. func (mg *CloudSecretRole) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/terraform/v1alpha1/zz_generated.resolvers.go b/apis/terraform/v1alpha1/zz_generated.resolvers.go new file mode 100644 index 00000000..d9152adb --- /dev/null +++ b/apis/terraform/v1alpha1/zz_generated.resolvers.go 
@@ -0,0 +1,130 @@ +/* +Copyright 2022 Upbound Inc. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + reference "github.com/crossplane/crossplane-runtime/pkg/reference" + resource "github.com/crossplane/upjet/pkg/resource" + errors "github.com/pkg/errors" + client "sigs.k8s.io/controller-runtime/pkg/client" +) + +// ResolveReferences of this CloudSecretCreds. +func (mg *CloudSecretCreds) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("backend", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &CloudSecretBackendList{}, + Managed: &CloudSecretBackend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Role), + Extract: resource.ExtractParamPath("name", false), + Reference: mg.Spec.ForProvider.RoleRef, + Selector: mg.Spec.ForProvider.RoleSelector, + To: reference.To{ + List: &CloudSecretRoleList{}, + Managed: &CloudSecretRole{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Role") + } + mg.Spec.ForProvider.Role = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.RoleRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("backend", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: 
mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &CloudSecretBackendList{}, + Managed: &CloudSecretBackend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Role), + Extract: resource.ExtractParamPath("name", false), + Reference: mg.Spec.InitProvider.RoleRef, + Selector: mg.Spec.InitProvider.RoleSelector, + To: reference.To{ + List: &CloudSecretRoleList{}, + Managed: &CloudSecretRole{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Role") + } + mg.Spec.InitProvider.Role = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.RoleRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this CloudSecretRole. +func (mg *CloudSecretRole) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("backend", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &CloudSecretBackendList{}, + Managed: &CloudSecretBackend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("backend", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: 
mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &CloudSecretBackendList{}, + Managed: &CloudSecretBackend{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} diff --git a/apis/terraform/v1alpha1/zz_generated_terraformed.go b/apis/terraform/v1alpha1/zz_generated_terraformed.go deleted file mode 100755 index e0332b9f..00000000 --- a/apis/terraform/v1alpha1/zz_generated_terraformed.go +++ /dev/null 
@@ -1,266 +0,0 @@ -/* -Copyright 2022 Upbound Inc. -*/ - -// Code generated by upjet. DO NOT EDIT. - -package v1alpha1 - -import ( - "github.com/pkg/errors" - - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" -) - -// GetTerraformResourceType returns Terraform resource type for this CloudSecretBackend -func (mg *CloudSecretBackend) GetTerraformResourceType() string { - return "vault_terraform_cloud_secret_backend" -} - -// GetConnectionDetailsMapping for this CloudSecretBackend -func (tr *CloudSecretBackend) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"token": "spec.forProvider.tokenSecretRef"} -} - -// GetObservation of this CloudSecretBackend -func (tr *CloudSecretBackend) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this CloudSecretBackend -func (tr *CloudSecretBackend) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this CloudSecretBackend -func (tr *CloudSecretBackend) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this CloudSecretBackend -func (tr *CloudSecretBackend) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this CloudSecretBackend -func (tr *CloudSecretBackend) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, 
&tr.Spec.ForProvider) -} - -// GetInitParameters of this CloudSecretBackend -func (tr *CloudSecretBackend) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this CloudSecretBackend using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *CloudSecretBackend) LateInitialize(attrs []byte) (bool, error) { - params := &CloudSecretBackendParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *CloudSecretBackend) GetTerraformSchemaVersion() int { - return 1 -} - -// GetTerraformResourceType returns Terraform resource type for this CloudSecretCreds -func (mg *CloudSecretCreds) GetTerraformResourceType() string { - return "vault_terraform_cloud_secret_creds" -} - -// GetConnectionDetailsMapping for this CloudSecretCreds -func (tr *CloudSecretCreds) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"lease_id": "status.atProvider.leaseId", "token": "status.atProvider.token"} -} - -// GetObservation of this CloudSecretCreds -func (tr *CloudSecretCreds) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this CloudSecretCreds -func (tr *CloudSecretCreds) SetObservation(obs 
map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this CloudSecretCreds -func (tr *CloudSecretCreds) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this CloudSecretCreds -func (tr *CloudSecretCreds) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this CloudSecretCreds -func (tr *CloudSecretCreds) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this CloudSecretCreds -func (tr *CloudSecretCreds) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this CloudSecretCreds using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *CloudSecretCreds) LateInitialize(attrs []byte) (bool, error) { - params := &CloudSecretCredsParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *CloudSecretCreds) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this CloudSecretRole -func (mg *CloudSecretRole) GetTerraformResourceType() string { - return "vault_terraform_cloud_secret_role" -} - -// GetConnectionDetailsMapping for this CloudSecretRole -func (tr *CloudSecretRole) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this CloudSecretRole -func (tr *CloudSecretRole) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this CloudSecretRole -func (tr *CloudSecretRole) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this CloudSecretRole -func (tr *CloudSecretRole) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this CloudSecretRole -func (tr *CloudSecretRole) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this CloudSecretRole -func (tr *CloudSecretRole) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this CloudSecretRole -func (tr *CloudSecretRole) GetInitParameters() (map[string]any, error) { - 
p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this CloudSecretRole using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *CloudSecretRole) LateInitialize(attrs []byte) (bool, error) { - params := &CloudSecretRoleParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *CloudSecretRole) GetTerraformSchemaVersion() int { - return 0 -} diff --git a/apis/token/v1alpha1/zz_generated_terraformed.go b/apis/token/v1alpha1/zz_authbackendrole_terraformed.go similarity index 70% rename from apis/token/v1alpha1/zz_generated_terraformed.go rename to apis/token/v1alpha1/zz_authbackendrole_terraformed.go index 87c9ba69..383f1a88 100755 --- a/apis/token/v1alpha1/zz_generated_terraformed.go +++ b/apis/token/v1alpha1/zz_authbackendrole_terraformed.go @@ -7,10 +7,11 @@ Copyright 2022 Upbound Inc. package v1alpha1 import ( + "dario.cat/mergo" "github.com/pkg/errors" - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" ) // GetTerraformResourceType returns Terraform resource type for this AuthBackendRole 
@@ -79,6 +80,36 @@ func (tr *AuthBackendRole) GetInitParameters() (map[string]any, error) { return base, json.TFParser.Unmarshal(p, &base) } +// GetInitParameters of this AuthBackendRole +func (tr *AuthBackendRole) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + // LateInitialize this AuthBackendRole using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *AuthBackendRole) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/token/v1alpha1/zz_authbackendrole_types.go b/apis/token/v1alpha1/zz_authbackendrole_types.go index d069ddab..30b44f33 100755 --- a/apis/token/v1alpha1/zz_authbackendrole_types.go +++ b/apis/token/v1alpha1/zz_authbackendrole_types.go 
@@ -17,22 +17,27 @@ type AuthBackendRoleInitParameters struct { // List of allowed entity aliases. // Set of allowed entity aliases for this role. + // +listType=set AllowedEntityAliases []*string `json:"allowedEntityAliases,omitempty" tf:"allowed_entity_aliases,omitempty"` // List of allowed policies for given role. // List of allowed policies for given role. + // +listType=set AllowedPolicies []*string `json:"allowedPolicies,omitempty" tf:"allowed_policies,omitempty"` // Set of allowed policies with glob match for given role. // Set of allowed policies with glob match for given role. + // +listType=set AllowedPoliciesGlob []*string `json:"allowedPoliciesGlob,omitempty" tf:"allowed_policies_glob,omitempty"` // List of disallowed policies for given role. // List of disallowed policies for given role. + // +listType=set DisallowedPolicies []*string `json:"disallowedPolicies,omitempty" tf:"disallowed_policies,omitempty"` // Set of disallowed policies with glob match for given role. // Set of disallowed policies with glob match for given role. + // +listType=set DisallowedPoliciesGlob []*string `json:"disallowedPoliciesGlob,omitempty" tf:"disallowed_policies_glob,omitempty"` // The namespace to provision the resource in. @@ -62,6 +67,7 @@ type AuthBackendRoleInitParameters struct { // addresses which can authenticate successfully, and ties the resulting token to these blocks // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // If set, will encode an @@ -94,6 +100,7 @@ type AuthBackendRoleInitParameters struct { TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` // Generated Token's Policies + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The incremental lifetime for generated tokens in number of seconds. 
@@ -114,22 +121,27 @@ type AuthBackendRoleObservation struct { // List of allowed entity aliases. // Set of allowed entity aliases for this role. + // +listType=set AllowedEntityAliases []*string `json:"allowedEntityAliases,omitempty" tf:"allowed_entity_aliases,omitempty"` // List of allowed policies for given role. // List of allowed policies for given role. + // +listType=set AllowedPolicies []*string `json:"allowedPolicies,omitempty" tf:"allowed_policies,omitempty"` // Set of allowed policies with glob match for given role. // Set of allowed policies with glob match for given role. + // +listType=set AllowedPoliciesGlob []*string `json:"allowedPoliciesGlob,omitempty" tf:"allowed_policies_glob,omitempty"` // List of disallowed policies for given role. // List of disallowed policies for given role. + // +listType=set DisallowedPolicies []*string `json:"disallowedPolicies,omitempty" tf:"disallowed_policies,omitempty"` // Set of disallowed policies with glob match for given role. // Set of disallowed policies with glob match for given role. + // +listType=set DisallowedPoliciesGlob []*string `json:"disallowedPoliciesGlob,omitempty" tf:"disallowed_policies_glob,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` @@ -161,6 +173,7 @@ type AuthBackendRoleObservation struct { // addresses which can authenticate successfully, and ties the resulting token to these blocks // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // If set, will encode an @@ -193,6 +206,7 @@ type AuthBackendRoleObservation struct { TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` // Generated Token's Policies + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The incremental lifetime for generated tokens in number of seconds. 
@@ -214,26 +228,31 @@ type AuthBackendRoleParameters struct { // List of allowed entity aliases. // Set of allowed entity aliases for this role. // +kubebuilder:validation:Optional + // +listType=set AllowedEntityAliases []*string `json:"allowedEntityAliases,omitempty" tf:"allowed_entity_aliases,omitempty"` // List of allowed policies for given role. // List of allowed policies for given role. // +kubebuilder:validation:Optional + // +listType=set AllowedPolicies []*string `json:"allowedPolicies,omitempty" tf:"allowed_policies,omitempty"` // Set of allowed policies with glob match for given role. // Set of allowed policies with glob match for given role. // +kubebuilder:validation:Optional + // +listType=set AllowedPoliciesGlob []*string `json:"allowedPoliciesGlob,omitempty" tf:"allowed_policies_glob,omitempty"` // List of disallowed policies for given role. // List of disallowed policies for given role. // +kubebuilder:validation:Optional + // +listType=set DisallowedPolicies []*string `json:"disallowedPolicies,omitempty" tf:"disallowed_policies,omitempty"` // Set of disallowed policies with glob match for given role. // Set of disallowed policies with glob match for given role. // +kubebuilder:validation:Optional + // +listType=set DisallowedPoliciesGlob []*string `json:"disallowedPoliciesGlob,omitempty" tf:"disallowed_policies_glob,omitempty"` // The namespace to provision the resource in. @@ -269,6 +288,7 @@ type AuthBackendRoleParameters struct { // as well. // Specifies the blocks of IP addresses which are allowed to use the generated token // +kubebuilder:validation:Optional + // +listType=set TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` // If set, will encode an 
@@ -307,6 +327,7 @@ type AuthBackendRoleParameters struct { // Generated Token's Policies // +kubebuilder:validation:Optional + // +listType=set TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` // The incremental lifetime for generated tokens in number of seconds. @@ -329,9 +350,8 @@ type AuthBackendRoleParameters struct { type AuthBackendRoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuthBackendRoleParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -350,18 +370,19 @@ type AuthBackendRoleStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // AuthBackendRole is the Schema for the AuthBackendRoles API. Manages Token auth backend roles in Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type AuthBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.roleName) || has(self.initProvider.roleName)",message="roleName is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.roleName) || (has(self.initProvider) && has(self.initProvider.roleName))",message="spec.forProvider.roleName is a required parameter" Spec AuthBackendRoleSpec `json:"spec"` Status AuthBackendRoleStatus `json:"status,omitempty"` } diff --git a/apis/token/v1alpha1/zz_generated.conversion_hubs.go b/apis/token/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..ee678741 --- /dev/null +++ b/apis/token/v1alpha1/zz_generated.conversion_hubs.go 
@@ -0,0 +1,10 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *AuthBackendRole) Hub() {} diff --git a/apis/token/v1alpha1/zz_generated.deepcopy.go b/apis/token/v1alpha1/zz_generated.deepcopy.go index 2704388b..d5cd407e 100644 --- a/apis/token/v1alpha1/zz_generated.deepcopy.go +++ b/apis/token/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. diff --git a/apis/token/v1alpha1/zz_generated.managed.go b/apis/token/v1alpha1/zz_generated.managed.go index 836c358b..e2e30b5e 100644 --- a/apis/token/v1alpha1/zz_generated.managed.go +++ b/apis/token/v1alpha1/zz_generated.managed.go @@ -27,14 +27,6 @@ func (mg *AuthBackendRole) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this AuthBackendRole. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *AuthBackendRole) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this AuthBackendRole. func (mg *AuthBackendRole) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -65,14 +57,6 @@ func (mg *AuthBackendRole) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this AuthBackendRole. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *AuthBackendRole) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this AuthBackendRole. func (mg *AuthBackendRole) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r 
diff --git a/apis/transform/v1alpha1/zz_alphabet_terraformed.go b/apis/transform/v1alpha1/zz_alphabet_terraformed.go
new file mode 100755
index 00000000..30420087
--- /dev/null
+++ b/apis/transform/v1alpha1/zz_alphabet_terraformed.go
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this Alphabet +func (mg *Alphabet) GetTerraformResourceType() string { + return "vault_transform_alphabet" +} + +// GetConnectionDetailsMapping for this Alphabet +func (tr *Alphabet) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this Alphabet +func (tr *Alphabet) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this Alphabet +func (tr *Alphabet) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this Alphabet +func (tr *Alphabet) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this Alphabet +func (tr *Alphabet) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this Alphabet +func (tr *Alphabet) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this Alphabet +func (tr *Alphabet) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err 
!= nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this Alphabet +func (tr *Alphabet) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this Alphabet using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *Alphabet) LateInitialize(attrs []byte) (bool, error) { + params := &AlphabetParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *Alphabet) GetTerraformSchemaVersion() int { + return 0 +} 
diff --git a/apis/transform/v1alpha1/zz_alphabet_types.go b/apis/transform/v1alpha1/zz_alphabet_types.go index 9eb7bad3..4b80c8fd 100755 --- a/apis/transform/v1alpha1/zz_alphabet_types.go +++ b/apis/transform/v1alpha1/zz_alphabet_types.go @@ -32,7 +32,17 @@ type AlphabetInitParameters struct { // Path to where the back-end is mounted within Vault. // The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Path *string `json:"path,omitempty" tf:"path,omitempty"` + + // Reference to a Mount in vault to populate path. + // +kubebuilder:validation:Optional + PathRef *v1.Reference `json:"pathRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate path. + // +kubebuilder:validation:Optional + PathSelector *v1.Selector `json:"pathSelector,omitempty" tf:"-"` } type AlphabetObservation struct { 
@@ -81,17 +91,26 @@ type AlphabetParameters struct { // Path to where the back-end is mounted within Vault. // The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` + + // Reference to a Mount in vault to populate path. + // +kubebuilder:validation:Optional + PathRef *v1.Reference `json:"pathRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate path. + // +kubebuilder:validation:Optional + PathSelector *v1.Selector `json:"pathSelector,omitempty" tf:"-"` } // AlphabetSpec defines the desired state of Alphabet type AlphabetSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AlphabetParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -110,19 +129,19 @@ type AlphabetStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // Alphabet is the Schema for the Alphabets API. "/transform/alphabet/{name}" -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type Alphabet struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || has(self.initProvider.path)",message="path is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" Spec AlphabetSpec `json:"spec"` Status AlphabetStatus `json:"status,omitempty"` } 
diff --git a/apis/transform/v1alpha1/zz_generated.conversion_hubs.go b/apis/transform/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..de54b296 --- /dev/null +++ b/apis/transform/v1alpha1/zz_generated.conversion_hubs.go @@ -0,0 +1,19 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *Alphabet) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *Role) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *Template) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *Transformation) Hub() {} diff --git a/apis/transform/v1alpha1/zz_generated.deepcopy.go b/apis/transform/v1alpha1/zz_generated.deepcopy.go index 3950a775..980c5f55 100644 --- a/apis/transform/v1alpha1/zz_generated.deepcopy.go +++ b/apis/transform/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. @@ -10,6 +9,7 @@ Copyright 2022 Upbound Inc. package v1alpha1 import ( + "github.com/crossplane/crossplane-runtime/apis/common/v1" runtime "k8s.io/apimachinery/pkg/runtime" ) @@ -63,6 +63,16 @@ func (in *AlphabetInitParameters) DeepCopyInto(out *AlphabetInitParameters) { *out = new(string) **out = **in } + if in.PathRef != nil { + in, out := &in.PathRef, &out.PathRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.PathSelector != nil { + in, out := &in.PathSelector, &out.PathSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlphabetInitParameters. 
@@ -170,6 +180,16 @@ func (in *AlphabetParameters) DeepCopyInto(out *AlphabetParameters) { *out = new(string) **out = **in } + if in.PathRef != nil { + in, out := &in.PathRef, &out.PathRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.PathSelector != nil { + in, out := &in.PathSelector, &out.PathSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlphabetParameters. @@ -262,6 +282,16 @@ func (in *RoleInitParameters) DeepCopyInto(out *RoleInitParameters) { *out = new(string) **out = **in } + if in.PathRef != nil { + in, out := &in.PathRef, &out.PathRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.PathSelector != nil { + in, out := &in.PathSelector, &out.PathSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Transformations != nil { in, out := &in.Transformations, &out.Transformations *out = make([]*string, len(*in)) @@ -381,6 +411,16 @@ func (in *RoleParameters) DeepCopyInto(out *RoleParameters) { *out = new(string) **out = **in } + if in.PathRef != nil { + in, out := &in.PathRef, &out.PathRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.PathSelector != nil { + in, out := &in.PathSelector, &out.PathSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Transformations != nil { in, out := &in.Transformations, &out.Transformations *out = make([]*string, len(*in)) @@ -482,7 +522,8 @@ func (in *TemplateInitParameters) DeepCopyInto(out *TemplateInitParameters) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } 
@@ -509,6 +550,16 @@ func (in *TemplateInitParameters) DeepCopyInto(out *TemplateInitParameters) { *out = new(string) **out = **in } + if in.PathRef != nil { + in, out := &in.PathRef, &out.PathRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.PathSelector != nil { + in, out := &in.PathSelector, &out.PathSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Pattern != nil { in, out := &in.Pattern, &out.Pattern *out = new(string) @@ -579,7 +630,8 @@ func (in *TemplateObservation) DeepCopyInto(out *TemplateObservation) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -649,7 +701,8 @@ func (in *TemplateParameters) DeepCopyInto(out *TemplateParameters) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -676,6 +729,16 @@ func (in *TemplateParameters) DeepCopyInto(out *TemplateParameters) { *out = new(string) **out = **in } + if in.PathRef != nil { + in, out := &in.PathRef, &out.PathRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.PathSelector != nil { + in, out := &in.PathSelector, &out.PathSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Pattern != nil { in, out := &in.Pattern, &out.Pattern *out = new(string) @@ -799,6 +862,16 @@ func (in *TransformationInitParameters) DeepCopyInto(out *TransformationInitPara *out = new(string) **out = **in } + if in.PathRef != nil { + in, out := &in.PathRef, &out.PathRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.PathSelector != nil { + in, out := &in.PathSelector, &out.PathSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Template != nil { in, out := &in.Template, &out.Template *out = new(string) 
@@ -990,6 +1063,16 @@ func (in *TransformationParameters) DeepCopyInto(out *TransformationParameters) *out = new(string) **out = **in } + if in.PathRef != nil { + in, out := &in.PathRef, &out.PathRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.PathSelector != nil { + in, out := &in.PathSelector, &out.PathSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Template != nil { in, out := &in.Template, &out.Template *out = new(string) diff --git a/apis/transform/v1alpha1/zz_generated.managed.go b/apis/transform/v1alpha1/zz_generated.managed.go index fc7369b7..6661bde0 100644 --- a/apis/transform/v1alpha1/zz_generated.managed.go +++ b/apis/transform/v1alpha1/zz_generated.managed.go @@ -27,14 +27,6 @@ func (mg *Alphabet) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this Alphabet. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *Alphabet) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this Alphabet. func (mg *Alphabet) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -65,14 +57,6 @@ func (mg *Alphabet) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this Alphabet. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *Alphabet) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this Alphabet. func (mg *Alphabet) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r 
@@ -103,14 +87,6 @@ func (mg *Role) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this Role. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *Role) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this Role. func (mg *Role) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -141,14 +117,6 @@ func (mg *Role) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this Role. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *Role) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this Role. func (mg *Role) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -179,14 +147,6 @@ func (mg *Template) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this Template. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *Template) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this Template. func (mg *Template) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -217,14 +177,6 @@ func (mg *Template) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this Template. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *Template) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this Template. func (mg *Template) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r 
@@ -255,14 +207,6 @@ func (mg *Transformation) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this Transformation. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *Transformation) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this Transformation. func (mg *Transformation) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -293,14 +237,6 @@ func (mg *Transformation) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this Transformation. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *Transformation) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this Transformation. func (mg *Transformation) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/transform/v1alpha1/zz_generated.resolvers.go b/apis/transform/v1alpha1/zz_generated.resolvers.go new file mode 100644 index 00000000..8e3f210e --- /dev/null +++ b/apis/transform/v1alpha1/zz_generated.resolvers.go 
@@ -0,0 +1,183 @@ +/* +Copyright 2022 Upbound Inc. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + reference "github.com/crossplane/crossplane-runtime/pkg/reference" + resource "github.com/crossplane/upjet/pkg/resource" + errors "github.com/pkg/errors" + v1alpha1 "github.com/upbound/provider-vault/apis/vault/v1alpha1" + client "sigs.k8s.io/controller-runtime/pkg/client" +) + +// ResolveReferences of this Alphabet. +func (mg *Alphabet) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Path), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.PathRef, + Selector: mg.Spec.ForProvider.PathSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Path") + } + mg.Spec.ForProvider.Path = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.PathRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Path), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.PathRef, + Selector: mg.Spec.InitProvider.PathSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Path") + } + mg.Spec.InitProvider.Path = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.PathRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this Role. 
+func (mg *Role) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Path), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.PathRef, + Selector: mg.Spec.ForProvider.PathSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Path") + } + mg.Spec.ForProvider.Path = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.PathRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Path), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.PathRef, + Selector: mg.Spec.InitProvider.PathSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Path") + } + mg.Spec.InitProvider.Path = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.PathRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this Template. 
+func (mg *Template) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Path), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.PathRef, + Selector: mg.Spec.ForProvider.PathSelector, + To: reference.To{ + List: &AlphabetList{}, + Managed: &Alphabet{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Path") + } + mg.Spec.ForProvider.Path = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.PathRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Path), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.PathRef, + Selector: mg.Spec.InitProvider.PathSelector, + To: reference.To{ + List: &AlphabetList{}, + Managed: &Alphabet{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Path") + } + mg.Spec.InitProvider.Path = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.PathRef = rsp.ResolvedReference + + return nil +} + +// ResolveReferences of this Transformation. 
+func (mg *Transformation) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Path), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.PathRef, + Selector: mg.Spec.ForProvider.PathSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Path") + } + mg.Spec.ForProvider.Path = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.PathRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Path), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.PathRef, + Selector: mg.Spec.InitProvider.PathSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Path") + } + mg.Spec.InitProvider.Path = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.PathRef = rsp.ResolvedReference + + return nil +} diff --git a/apis/transform/v1alpha1/zz_generated_terraformed.go b/apis/transform/v1alpha1/zz_generated_terraformed.go deleted file mode 100755 index f1ca095f..00000000 --- a/apis/transform/v1alpha1/zz_generated_terraformed.go +++ /dev/null 
@@ -1,350 +0,0 @@ -/* -Copyright 2022 Upbound Inc. -*/ - -// Code generated by upjet. DO NOT EDIT. - -package v1alpha1 - -import ( - "github.com/pkg/errors" - - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" -) - -// GetTerraformResourceType returns Terraform resource type for this Alphabet -func (mg *Alphabet) GetTerraformResourceType() string { - return "vault_transform_alphabet" -} - -// GetConnectionDetailsMapping for this Alphabet -func (tr *Alphabet) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this Alphabet -func (tr *Alphabet) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this Alphabet -func (tr *Alphabet) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this Alphabet -func (tr *Alphabet) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this Alphabet -func (tr *Alphabet) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this Alphabet -func (tr *Alphabet) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this Alphabet -func (tr *Alphabet) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, 
err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this Alphabet using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *Alphabet) LateInitialize(attrs []byte) (bool, error) { - params := &AlphabetParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *Alphabet) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this Role -func (mg *Role) GetTerraformResourceType() string { - return "vault_transform_role" -} - -// GetConnectionDetailsMapping for this Role -func (tr *Role) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this Role -func (tr *Role) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this Role -func (tr *Role) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this Role -func (tr *Role) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this Role -func (tr *Role) GetParameters() (map[string]any, error) { - p, err := 
json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this Role -func (tr *Role) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this Role -func (tr *Role) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this Role using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *Role) LateInitialize(attrs []byte) (bool, error) { - params := &RoleParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *Role) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this Template -func (mg *Template) GetTerraformResourceType() string { - return "vault_transform_template" -} - -// GetConnectionDetailsMapping for this Template -func (tr *Template) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this Template -func (tr *Template) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this Template -func (tr *Template) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this Template -func (tr *Template) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this Template -func (tr *Template) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this Template -func (tr *Template) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this Template -func (tr *Template) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return 
base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this Template using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *Template) LateInitialize(attrs []byte) (bool, error) { - params := &TemplateParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *Template) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this Transformation -func (mg *Transformation) GetTerraformResourceType() string { - return "vault_transform_transformation" -} - -// GetConnectionDetailsMapping for this Transformation -func (tr *Transformation) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this Transformation -func (tr *Transformation) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this Transformation -func (tr *Transformation) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this Transformation -func (tr *Transformation) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this Transformation -func (tr *Transformation) 
GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this Transformation -func (tr *Transformation) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this Transformation -func (tr *Transformation) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this Transformation using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *Transformation) LateInitialize(attrs []byte) (bool, error) { - params := &TransformationParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *Transformation) GetTerraformSchemaVersion() int { - return 0 -} diff --git a/apis/transform/v1alpha1/zz_role_terraformed.go b/apis/transform/v1alpha1/zz_role_terraformed.go new file mode 100755 index 00000000..89e32019 --- /dev/null +++ b/apis/transform/v1alpha1/zz_role_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this Role +func (mg *Role) GetTerraformResourceType() string { + return "vault_transform_role" +} + +// GetConnectionDetailsMapping for this Role +func (tr *Role) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this Role +func (tr *Role) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this Role +func (tr *Role) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this Role +func (tr *Role) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this Role +func (tr *Role) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this Role +func (tr *Role) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this Role +func (tr *Role) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return 
base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this Role +func (tr *Role) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this Role using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *Role) LateInitialize(attrs []byte) (bool, error) { + params := &RoleParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *Role) GetTerraformSchemaVersion() int { + return 0 +} 
diff --git a/apis/transform/v1alpha1/zz_role_types.go b/apis/transform/v1alpha1/zz_role_types.go index 3ec2e9f9..89810362 100755 --- a/apis/transform/v1alpha1/zz_role_types.go +++ b/apis/transform/v1alpha1/zz_role_types.go @@ -28,8 +28,18 @@ type RoleInitParameters struct { // Path to where the back-end is mounted within Vault. // The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Reference to a Mount in vault to populate path. + // +kubebuilder:validation:Optional + PathRef *v1.Reference `json:"pathRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate path. + // +kubebuilder:validation:Optional + PathSelector *v1.Selector `json:"pathSelector,omitempty" tf:"-"` + // A comma separated string or slice of transformations to use. // A comma separated string or slice of transformations to use. Transformations []*string `json:"transformations,omitempty" tf:"transformations,omitempty"` 
@@ -75,9 +85,19 @@ type RoleParameters struct { // Path to where the back-end is mounted within Vault. // The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Reference to a Mount in vault to populate path. + // +kubebuilder:validation:Optional + PathRef *v1.Reference `json:"pathRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate path. + // +kubebuilder:validation:Optional + PathSelector *v1.Selector `json:"pathSelector,omitempty" tf:"-"` + // A comma separated string or slice of transformations to use. // A comma separated string or slice of transformations to use. // +kubebuilder:validation:Optional @@ -88,9 +108,8 @@ type RoleParameters struct { type RoleSpec struct { v1.ResourceSpec `json:",inline"` ForProvider RoleParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -109,19 +128,19 @@ type RoleStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // Role is the Schema for the Roles API. "/transform/role/{name}" -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type Role struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || has(self.initProvider.path)",message="path is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" Spec RoleSpec `json:"spec"` Status RoleStatus `json:"status,omitempty"` } 
diff --git a/apis/transform/v1alpha1/zz_template_terraformed.go b/apis/transform/v1alpha1/zz_template_terraformed.go new file mode 100755 index 00000000..516631ea --- /dev/null +++ b/apis/transform/v1alpha1/zz_template_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this Template +func (mg *Template) GetTerraformResourceType() string { + return "vault_transform_template" +} + +// GetConnectionDetailsMapping for this Template +func (tr *Template) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this Template +func (tr *Template) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this Template +func (tr *Template) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this Template +func (tr *Template) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this Template +func (tr *Template) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this Template +func (tr *Template) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this Template +func (tr *Template) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err 
!= nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this Template +func (tr *Template) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this Template using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *Template) LateInitialize(attrs []byte) (bool, error) { + params := &TemplateParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *Template) GetTerraformSchemaVersion() int { + return 0 +} 
diff --git a/apis/transform/v1alpha1/zz_template_types.go b/apis/transform/v1alpha1/zz_template_types.go index afcd6b98..8b77d2b7 100755 --- a/apis/transform/v1alpha1/zz_template_types.go +++ b/apis/transform/v1alpha1/zz_template_types.go @@ -23,6 +23,7 @@ type TemplateInitParameters struct { // the decoded output. (requires Vault Enterprise 1.9+) // The map of regular expression templates used to customize decoded outputs. // Only applicable to FPE transformations. + // +mapType=granular DecodeFormats map[string]*string `json:"decodeFormats,omitempty" tf:"decode_formats,omitempty"` // - The regular expression template used to format encoded values. @@ -44,8 +45,18 @@ type TemplateInitParameters struct { // Path to where the back-end is mounted within Vault. // The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/transform/v1alpha1.Alphabet + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Reference to a Alphabet in transform to populate path. + // +kubebuilder:validation:Optional + PathRef *v1.Reference `json:"pathRef,omitempty" tf:"-"` + + // Selector for a Alphabet in transform to populate path. + // +kubebuilder:validation:Optional + PathSelector *v1.Selector `json:"pathSelector,omitempty" tf:"-"` + // The pattern used for matching. Currently, only regular expression pattern is supported. // The pattern used for matching. Currently, only regular expression pattern is supported. Pattern *string `json:"pattern,omitempty" tf:"pattern,omitempty"` 
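Review bot: The new reference marker on `TemplateInitParameters.Path` resolves the mount path from a transform `Alphabet`, while the same field on Role and Transformation in this commit resolves it from `vault/v1alpha1.Mount`. The later hunk for `TemplateParameters.Path` (`@@ -135,9 +148,19 @@`) has the same marker. If this is not deliberate, a Template can only fill `path` by reference when an Alphabet object exists, and it inherits whatever path that Alphabet carries rather than the mount's own. Because this file is generated by upjet, the change belongs in the generator's reference configuration (not visible here), so that the marker comes out as `// +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount`. If the Alphabet target is intended, for example to order creation after the alphabet, a short comment in that configuration saying so would help.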
@@ -65,6 +76,7 @@ type TemplateObservation struct { // the decoded output. (requires Vault Enterprise 1.9+) // The map of regular expression templates used to customize decoded outputs. // Only applicable to FPE transformations. + // +mapType=granular DecodeFormats map[string]*string `json:"decodeFormats,omitempty" tf:"decode_formats,omitempty"` // - The regular expression template used to format encoded values. @@ -111,6 +123,7 @@ type TemplateParameters struct { // The map of regular expression templates used to customize decoded outputs. // Only applicable to FPE transformations. // +kubebuilder:validation:Optional + // +mapType=granular DecodeFormats map[string]*string `json:"decodeFormats,omitempty" tf:"decode_formats,omitempty"` // - The regular expression template used to format encoded values. @@ -135,9 +148,19 @@ type TemplateParameters struct { // Path to where the back-end is mounted within Vault. // The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/transform/v1alpha1.Alphabet + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Reference to a Alphabet in transform to populate path. + // +kubebuilder:validation:Optional + PathRef *v1.Reference `json:"pathRef,omitempty" tf:"-"` + + // Selector for a Alphabet in transform to populate path. + // +kubebuilder:validation:Optional + PathSelector *v1.Selector `json:"pathSelector,omitempty" tf:"-"` + // The pattern used for matching. Currently, only regular expression pattern is supported. // The pattern used for matching. Currently, only regular expression pattern is supported. // +kubebuilder:validation:Optional 
@@ -153,9 +176,8 @@ type TemplateParameters struct { type TemplateSpec struct { v1.ResourceSpec `json:",inline"` ForProvider TemplateParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -174,19 +196,19 @@ type TemplateStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // Template is the Schema for the Templates API. "/transform/template/{name}" -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type Template struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || has(self.initProvider.path)",message="path is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" Spec TemplateSpec `json:"spec"` Status TemplateStatus `json:"status,omitempty"` } 
diff --git a/apis/transform/v1alpha1/zz_transformation_terraformed.go b/apis/transform/v1alpha1/zz_transformation_terraformed.go new file mode 100755 index 00000000..62347770 --- /dev/null +++ b/apis/transform/v1alpha1/zz_transformation_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this Transformation +func (mg *Transformation) GetTerraformResourceType() string { + return "vault_transform_transformation" +} + +// GetConnectionDetailsMapping for this Transformation +func (tr *Transformation) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this Transformation +func (tr *Transformation) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this Transformation +func (tr *Transformation) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this Transformation +func (tr *Transformation) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this Transformation +func (tr *Transformation) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this Transformation +func (tr *Transformation) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this Transformation +func (tr *Transformation) 
GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this Transformation +func (tr *Transformation) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this Transformation using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *Transformation) LateInitialize(attrs []byte) (bool, error) { + params := &TransformationParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *Transformation) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/transform/v1alpha1/zz_transformation_types.go b/apis/transform/v1alpha1/zz_transformation_types.go index bf591bd6..abd0dd19 100755 --- a/apis/transform/v1alpha1/zz_transformation_types.go +++ b/apis/transform/v1alpha1/zz_transformation_types.go @@ -42,8 +42,18 @@ type TransformationInitParameters struct { // Path to where the back-end is mounted within Vault. // The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Reference to a Mount in vault to populate path. + // +kubebuilder:validation:Optional + PathRef *v1.Reference `json:"pathRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate path. + // +kubebuilder:validation:Optional + PathSelector *v1.Selector `json:"pathSelector,omitempty" tf:"-"` + // The name of the template to use. // The name of the template to use. Template *string `json:"template,omitempty" tf:"template,omitempty"` 
@@ -145,9 +155,19 @@ type TransformationParameters struct { // Path to where the back-end is mounted within Vault. // The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Reference to a Mount in vault to populate path. + // +kubebuilder:validation:Optional + PathRef *v1.Reference `json:"pathRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate path. + // +kubebuilder:validation:Optional + PathSelector *v1.Selector `json:"pathSelector,omitempty" tf:"-"` + // The name of the template to use. // The name of the template to use. // +kubebuilder:validation:Optional @@ -173,9 +193,8 @@ type TransformationParameters struct { type TransformationSpec struct { v1.ResourceSpec `json:",inline"` ForProvider TransformationParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -194,19 +213,19 @@ type TransformationStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // Transformation is the Schema for the Transformations API. "/transform/transformation/{name}" -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type Transformation struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || has(self.initProvider.path)",message="path is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" Spec TransformationSpec `json:"spec"` Status TransformationStatus `json:"status,omitempty"` } 
diff --git a/apis/transit/v1alpha1/zz_generated.conversion_hubs.go b/apis/transit/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..12b11f9e --- /dev/null +++ b/apis/transit/v1alpha1/zz_generated.conversion_hubs.go @@ -0,0 +1,10 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *SecretBackendKey) Hub() {} diff --git a/apis/transit/v1alpha1/zz_generated.deepcopy.go b/apis/transit/v1alpha1/zz_generated.deepcopy.go index b3925ed3..24f63171 100644 --- a/apis/transit/v1alpha1/zz_generated.deepcopy.go +++ b/apis/transit/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. @@ -10,6 +9,7 @@ Copyright 2022 Upbound Inc. package v1alpha1 import ( + "github.com/crossplane/crossplane-runtime/apis/common/v1" runtime "k8s.io/apimachinery/pkg/runtime" ) @@ -48,11 +48,6 @@ func (in *SecretBackendKeyInitParameters) DeepCopyInto(out *SecretBackendKeyInit *out = new(bool) **out = **in } - if in.AutoRotateInterval != nil { - in, out := &in.AutoRotateInterval, &out.AutoRotateInterval - *out = new(float64) - **out = **in - } if in.AutoRotatePeriod != nil { in, out := &in.AutoRotatePeriod, &out.AutoRotatePeriod *out = new(float64) @@ -63,6 +58,16 @@ func (in *SecretBackendKeyInitParameters) DeepCopyInto(out *SecretBackendKeyInit *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.ConvergentEncryption != nil { in, out := &in.ConvergentEncryption, &out.ConvergentEncryption *out = new(bool) 
@@ -165,11 +170,6 @@ func (in *SecretBackendKeyObservation) DeepCopyInto(out *SecretBackendKeyObserva *out = new(bool) **out = **in } - if in.AutoRotateInterval != nil { - in, out := &in.AutoRotateInterval, &out.AutoRotateInterval - *out = new(float64) - **out = **in - } if in.AutoRotatePeriod != nil { in, out := &in.AutoRotatePeriod, &out.AutoRotatePeriod *out = new(float64) @@ -222,7 +222,8 @@ func (in *SecretBackendKeyObservation) DeepCopyInto(out *SecretBackendKeyObserva if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -306,11 +307,6 @@ func (in *SecretBackendKeyParameters) DeepCopyInto(out *SecretBackendKeyParamete *out = new(bool) **out = **in } - if in.AutoRotateInterval != nil { - in, out := &in.AutoRotateInterval, &out.AutoRotateInterval - *out = new(float64) - **out = **in - } if in.AutoRotatePeriod != nil { in, out := &in.AutoRotatePeriod, &out.AutoRotatePeriod *out = new(float64) @@ -321,6 +317,16 @@ func (in *SecretBackendKeyParameters) DeepCopyInto(out *SecretBackendKeyParamete *out = new(string) **out = **in } + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.BackendSelector != nil { + in, out := &in.BackendSelector, &out.BackendSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.ConvergentEncryption != nil { in, out := &in.ConvergentEncryption, &out.ConvergentEncryption *out = new(bool) diff --git a/apis/transit/v1alpha1/zz_generated.managed.go b/apis/transit/v1alpha1/zz_generated.managed.go index 82c6ccad..f86b4cb9 100644 --- a/apis/transit/v1alpha1/zz_generated.managed.go +++ b/apis/transit/v1alpha1/zz_generated.managed.go 
@@ -27,14 +27,6 @@ func (mg *SecretBackendKey) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this SecretBackendKey. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *SecretBackendKey) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this SecretBackendKey. func (mg *SecretBackendKey) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -65,14 +57,6 @@ func (mg *SecretBackendKey) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this SecretBackendKey. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *SecretBackendKey) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this SecretBackendKey. func (mg *SecretBackendKey) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/transit/v1alpha1/zz_generated.resolvers.go b/apis/transit/v1alpha1/zz_generated.resolvers.go new file mode 100644 index 00000000..ea9f3a6a --- /dev/null +++ b/apis/transit/v1alpha1/zz_generated.resolvers.go 
@@ -0,0 +1,57 @@ +/* +Copyright 2022 Upbound Inc. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + reference "github.com/crossplane/crossplane-runtime/pkg/reference" + resource "github.com/crossplane/upjet/pkg/resource" + errors "github.com/pkg/errors" + v1alpha1 "github.com/upbound/provider-vault/apis/vault/v1alpha1" + client "sigs.k8s.io/controller-runtime/pkg/client" +) + +// ResolveReferences of this SecretBackendKey. +func (mg *SecretBackendKey) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.BackendRef, + Selector: mg.Spec.ForProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Backend") + } + mg.Spec.ForProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.BackendRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Backend), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.BackendRef, + Selector: mg.Spec.InitProvider.BackendSelector, + To: reference.To{ + List: &v1alpha1.MountList{}, + Managed: &v1alpha1.Mount{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Backend") + } + mg.Spec.InitProvider.Backend = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.BackendRef = rsp.ResolvedReference + + return nil +} 
diff --git a/apis/transit/v1alpha1/zz_generated_terraformed.go b/apis/transit/v1alpha1/zz_secretbackendkey_terraformed.go similarity index 70% rename from apis/transit/v1alpha1/zz_generated_terraformed.go rename to apis/transit/v1alpha1/zz_secretbackendkey_terraformed.go index ee2f060c..30e44e7d 100755 --- a/apis/transit/v1alpha1/zz_generated_terraformed.go +++ b/apis/transit/v1alpha1/zz_secretbackendkey_terraformed.go @@ -7,10 +7,11 @@ Copyright 2022 Upbound Inc. package v1alpha1 import ( + "dario.cat/mergo" "github.com/pkg/errors" - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" ) // GetTerraformResourceType returns Terraform resource type for this SecretBackendKey 
@@ -79,6 +80,36 @@ func (tr *SecretBackendKey) GetInitParameters() (map[string]any, error) { return base, json.TFParser.Unmarshal(p, &base) } +// GetInitParameters of this SecretBackendKey +func (tr *SecretBackendKey) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + // LateInitialize this SecretBackendKey using its observed tfState. // returns True if there are any spec changes for the resource. func (tr *SecretBackendKey) LateInitialize(attrs []byte) (bool, error) { diff --git a/apis/transit/v1alpha1/zz_secretbackendkey_types.go b/apis/transit/v1alpha1/zz_secretbackendkey_types.go index d489b35b..8a963de1 100755 --- a/apis/transit/v1alpha1/zz_secretbackendkey_types.go +++ b/apis/transit/v1alpha1/zz_secretbackendkey_types.go 
@@ -19,10 +19,6 @@ type SecretBackendKeyInitParameters struct { // If set, enables taking backup of named key in the plaintext format. Once set, this cannot be disabled. AllowPlaintextBackup *bool `json:"allowPlaintextBackup,omitempty" tf:"allow_plaintext_backup,omitempty"` - // Replaced by auto_rotate_period. - // Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. - AutoRotateInterval *float64 `json:"autoRotateInterval,omitempty" tf:"auto_rotate_interval,omitempty"` - // Amount of seconds the key should live before being automatically rotated. // A value of 0 disables automatic rotation for the key. // Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. 
@@ -30,8 +26,18 @@ type SecretBackendKeyInitParameters struct { // The path the transit secret backend is mounted at, with no leading or trailing /s. // The Transit secret backend the resource belongs to. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true. // Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true. ConvergentEncryption *bool `json:"convergentEncryption,omitempty" tf:"convergent_encryption,omitempty"` 
@@ -82,10 +88,6 @@ type SecretBackendKeyObservation struct { // If set, enables taking backup of named key in the plaintext format. Once set, this cannot be disabled. AllowPlaintextBackup *bool `json:"allowPlaintextBackup,omitempty" tf:"allow_plaintext_backup,omitempty"` - // Replaced by auto_rotate_period. - // Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. - AutoRotateInterval *float64 `json:"autoRotateInterval,omitempty" tf:"auto_rotate_interval,omitempty"` - // Amount of seconds the key should live before being automatically rotated. // A value of 0 disables automatic rotation for the key. // Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. @@ -176,11 +178,6 @@ type SecretBackendKeyParameters struct { // +kubebuilder:validation:Optional AllowPlaintextBackup *bool `json:"allowPlaintextBackup,omitempty" tf:"allow_plaintext_backup,omitempty"` - // Replaced by auto_rotate_period. - // Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. - // +kubebuilder:validation:Optional - AutoRotateInterval *float64 `json:"autoRotateInterval,omitempty" tf:"auto_rotate_interval,omitempty"` - // Amount of seconds the key should live before being automatically rotated. // A value of 0 disables automatic rotation for the key. // Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. 
@@ -189,9 +186,19 @@ type SecretBackendKeyParameters struct { // The path the transit secret backend is mounted at, with no leading or trailing /s. // The Transit secret backend the resource belongs to. + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.Mount + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` + // Reference to a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendRef *v1.Reference `json:"backendRef,omitempty" tf:"-"` + + // Selector for a Mount in vault to populate backend. + // +kubebuilder:validation:Optional + BackendSelector *v1.Selector `json:"backendSelector,omitempty" tf:"-"` + // Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true. // Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true. // +kubebuilder:validation:Optional @@ -250,9 +257,8 @@ type SecretBackendKeyParameters struct { type SecretBackendKeySpec struct { v1.ResourceSpec `json:",inline"` ForProvider SecretBackendKeyParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -271,19 +277,19 @@ type SecretBackendKeyStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // SecretBackendKey is the Schema for the SecretBackendKeys API. Create an Encryption Keyring on a Transit Secret Backend for Vault. -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type SecretBackendKey struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" Spec SecretBackendKeySpec `json:"spec"` Status SecretBackendKeyStatus 
`json:"status,omitempty"` } diff --git a/apis/v1alpha1/zz_generated.deepcopy.go b/apis/v1alpha1/zz_generated.deepcopy.go index 9d284bac..86f2d294 100644 --- a/apis/v1alpha1/zz_generated.deepcopy.go +++ b/apis/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. diff --git a/apis/v1beta1/zz_generated.deepcopy.go b/apis/v1beta1/zz_generated.deepcopy.go index 8814f54a..5a168606 100644 --- a/apis/v1beta1/zz_generated.deepcopy.go +++ b/apis/v1beta1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. diff --git a/apis/vault/v1alpha1/zz_audit_terraformed.go b/apis/vault/v1alpha1/zz_audit_terraformed.go new file mode 100755 index 00000000..58c4e395 --- /dev/null +++ b/apis/vault/v1alpha1/zz_audit_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this Audit +func (mg *Audit) GetTerraformResourceType() string { + return "vault_audit" +} + +// GetConnectionDetailsMapping for this Audit +func (tr *Audit) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this Audit +func (tr *Audit) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this Audit +func (tr *Audit) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this Audit +func (tr *Audit) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this Audit +func (tr *Audit) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this Audit +func (tr *Audit) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this Audit +func (tr *Audit) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + 
return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this Audit +func (tr *Audit) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this Audit using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *Audit) LateInitialize(attrs []byte) (bool, error) { + params := &AuditParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *Audit) GetTerraformSchemaVersion() int { + return 0 +} 
diff --git a/apis/vault/v1alpha1/zz_audit_types.go b/apis/vault/v1alpha1/zz_audit_types.go index cea0fb30..8302508e 100755 --- a/apis/vault/v1alpha1/zz_audit_types.go +++ b/apis/vault/v1alpha1/zz_audit_types.go @@ -32,6 +32,7 @@ type AuditInitParameters struct { // Configuration options to pass to the audit device itself. // Configuration options to pass to the audit device itself. + // +mapType=granular Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` // The path to mount the audit device. This defaults to the type. @@ -64,6 +65,7 @@ type AuditObservation struct { // Configuration options to pass to the audit device itself. // Configuration options to pass to the audit device itself. + // +mapType=granular Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` // The path to mount the audit device. This defaults to the type. @@ -98,6 +100,7 @@ type AuditParameters struct { // Configuration options to pass to the audit device itself. // Configuration options to pass to the audit device itself. // +kubebuilder:validation:Optional + // +mapType=granular Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` // The path to mount the audit device. This defaults to the type. @@ -115,9 +118,8 @@ type AuditParameters struct { type AuditSpec struct { v1.ResourceSpec `json:",inline"` ForProvider AuditParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -136,19 +138,20 @@ type AuditStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // Audit is the Schema for the Audits API. Writes audit backends for Vault -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type Audit struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.options) || has(self.initProvider.options)",message="options is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.type) || has(self.initProvider.type)",message="type is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.options) || (has(self.initProvider) && has(self.initProvider.options))",message="spec.forProvider.options is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || 
has(self.forProvider.type) || (has(self.initProvider) && has(self.initProvider.type))",message="spec.forProvider.type is a required parameter" Spec AuditSpec `json:"spec"` Status AuditStatus `json:"status,omitempty"` } diff --git a/apis/vault/v1alpha1/zz_generated.conversion_hubs.go b/apis/vault/v1alpha1/zz_generated.conversion_hubs.go new file mode 100755 index 00000000..2e1fefbe --- /dev/null +++ b/apis/vault/v1alpha1/zz_generated.conversion_hubs.go @@ -0,0 +1,22 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +// Hub marks this type as a conversion hub. +func (tr *Audit) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *Mount) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *Policy) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *Token) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *VaultNamespace) Hub() {} diff --git a/apis/vault/v1alpha1/zz_generated.deepcopy.go b/apis/vault/v1alpha1/zz_generated.deepcopy.go index 91793da1..355b1912 100644 --- a/apis/vault/v1alpha1/zz_generated.deepcopy.go +++ b/apis/vault/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022 Upbound Inc. @@ -10,6 +9,7 @@ Copyright 2022 Upbound Inc. package v1alpha1 import ( + "github.com/crossplane/crossplane-runtime/apis/common/v1" runtime "k8s.io/apimachinery/pkg/runtime" ) @@ -66,7 +66,8 @@ func (in *AuditInitParameters) DeepCopyInto(out *AuditInitParameters) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -158,7 +159,8 @@ func (in *AuditObservation) DeepCopyInto(out *AuditObservation) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } 
@@ -213,7 +215,8 @@ func (in *AuditParameters) DeepCopyInto(out *AuditParameters) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -318,6 +321,17 @@ func (in *MountInitParameters) DeepCopyInto(out *MountInitParameters) { } } } + if in.AllowedResponseHeaders != nil { + in, out := &in.AllowedResponseHeaders, &out.AllowedResponseHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.AuditNonHMACRequestKeys != nil { in, out := &in.AuditNonHMACRequestKeys, &out.AuditNonHMACRequestKeys *out = make([]*string, len(*in)) @@ -345,6 +359,17 @@ func (in *MountInitParameters) DeepCopyInto(out *MountInitParameters) { *out = new(float64) **out = **in } + if in.DelegatedAuthAccessors != nil { + in, out := &in.DelegatedAuthAccessors, &out.DelegatedAuthAccessors + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Description != nil { in, out := &in.Description, &out.Description *out = new(string) @@ -355,6 +380,16 @@ func (in *MountInitParameters) DeepCopyInto(out *MountInitParameters) { *out = new(bool) **out = **in } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } + if in.ListingVisibility != nil { + in, out := &in.ListingVisibility, &out.ListingVisibility + *out = new(string) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) 
@@ -378,18 +413,35 @@ func (in *MountInitParameters) DeepCopyInto(out *MountInitParameters) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } (*out)[key] = outVal } } + if in.PassthroughRequestHeaders != nil { + in, out := &in.PassthroughRequestHeaders, &out.PassthroughRequestHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Path != nil { in, out := &in.Path, &out.Path *out = new(string) **out = **in } + if in.PluginVersion != nil { + in, out := &in.PluginVersion, &out.PluginVersion + *out = new(string) + **out = **in + } if in.SealWrap != nil { in, out := &in.SealWrap, &out.SealWrap *out = new(bool) @@ -463,6 +515,17 @@ func (in *MountObservation) DeepCopyInto(out *MountObservation) { } } } + if in.AllowedResponseHeaders != nil { + in, out := &in.AllowedResponseHeaders, &out.AllowedResponseHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.AuditNonHMACRequestKeys != nil { in, out := &in.AuditNonHMACRequestKeys, &out.AuditNonHMACRequestKeys *out = make([]*string, len(*in)) @@ -490,6 +553,17 @@ func (in *MountObservation) DeepCopyInto(out *MountObservation) { *out = new(float64) **out = **in } + if in.DelegatedAuthAccessors != nil { + in, out := &in.DelegatedAuthAccessors, &out.DelegatedAuthAccessors + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Description != nil { in, out := &in.Description, &out.Description *out = new(string) 
@@ -505,6 +579,16 @@ func (in *MountObservation) DeepCopyInto(out *MountObservation) { *out = new(string) **out = **in } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } + if in.ListingVisibility != nil { + in, out := &in.ListingVisibility, &out.ListingVisibility + *out = new(string) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) @@ -528,18 +612,35 @@ func (in *MountObservation) DeepCopyInto(out *MountObservation) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } (*out)[key] = outVal } } + if in.PassthroughRequestHeaders != nil { + in, out := &in.PassthroughRequestHeaders, &out.PassthroughRequestHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Path != nil { in, out := &in.Path, &out.Path *out = new(string) **out = **in } + if in.PluginVersion != nil { + in, out := &in.PluginVersion, &out.PluginVersion + *out = new(string) + **out = **in + } if in.SealWrap != nil { in, out := &in.SealWrap, &out.SealWrap *out = new(bool) @@ -576,6 +677,17 @@ func (in *MountParameters) DeepCopyInto(out *MountParameters) { } } } + if in.AllowedResponseHeaders != nil { + in, out := &in.AllowedResponseHeaders, &out.AllowedResponseHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.AuditNonHMACRequestKeys != nil { in, out := &in.AuditNonHMACRequestKeys, &out.AuditNonHMACRequestKeys *out = make([]*string, len(*in)) 
@@ -603,6 +715,17 @@ func (in *MountParameters) DeepCopyInto(out *MountParameters) { *out = new(float64) **out = **in } + if in.DelegatedAuthAccessors != nil { + in, out := &in.DelegatedAuthAccessors, &out.DelegatedAuthAccessors + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Description != nil { in, out := &in.Description, &out.Description *out = new(string) @@ -613,6 +736,16 @@ func (in *MountParameters) DeepCopyInto(out *MountParameters) { *out = new(bool) **out = **in } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } + if in.ListingVisibility != nil { + in, out := &in.ListingVisibility, &out.ListingVisibility + *out = new(string) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) @@ -636,18 +769,35 @@ func (in *MountParameters) DeepCopyInto(out *MountParameters) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } (*out)[key] = outVal } } + if in.PassthroughRequestHeaders != nil { + in, out := &in.PassthroughRequestHeaders, &out.PassthroughRequestHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Path != nil { in, out := &in.Path, &out.Path *out = new(string) **out = **in } + if in.PluginVersion != nil { + in, out := &in.PluginVersion, &out.PluginVersion + *out = new(string) + **out = **in + } if in.SealWrap != nil { in, out := &in.SealWrap, &out.SealWrap *out = new(bool) 
@@ -942,7 +1092,8 @@ func (in *TokenInitParameters) DeepCopyInto(out *TokenInitParameters) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -1095,7 +1246,8 @@ func (in *TokenObservation) DeepCopyInto(out *TokenObservation) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -1201,7 +1353,8 @@ func (in *TokenParameters) DeepCopyInto(out *TokenParameters) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -1359,7 +1512,8 @@ func (in *VaultNamespaceInitParameters) DeepCopyInto(out *VaultNamespaceInitPara if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -1371,6 +1525,16 @@ func (in *VaultNamespaceInitParameters) DeepCopyInto(out *VaultNamespaceInitPara *out = new(string) **out = **in } + if in.NamespaceRef != nil { + in, out := &in.NamespaceRef, &out.NamespaceRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.NamespaceSelector != nil { + in, out := &in.NamespaceSelector, &out.NamespaceSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Path != nil { in, out := &in.Path, &out.Path *out = new(string) @@ -1436,7 +1600,8 @@ func (in *VaultNamespaceObservation) DeepCopyInto(out *VaultNamespaceObservation if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } 
@@ -1491,7 +1656,8 @@ func (in *VaultNamespaceParameters) DeepCopyInto(out *VaultNamespaceParameters) if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = new(string) **out = **in } @@ -1503,6 +1669,16 @@ func (in *VaultNamespaceParameters) DeepCopyInto(out *VaultNamespaceParameters) *out = new(string) **out = **in } + if in.NamespaceRef != nil { + in, out := &in.NamespaceRef, &out.NamespaceRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.NamespaceSelector != nil { + in, out := &in.NamespaceSelector, &out.NamespaceSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } if in.Path != nil { in, out := &in.Path, &out.Path *out = new(string) diff --git a/apis/vault/v1alpha1/zz_generated.managed.go b/apis/vault/v1alpha1/zz_generated.managed.go index 7d631508..86df7994 100644 --- a/apis/vault/v1alpha1/zz_generated.managed.go +++ b/apis/vault/v1alpha1/zz_generated.managed.go @@ -27,14 +27,6 @@ func (mg *Audit) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this Audit. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *Audit) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this Audit. func (mg *Audit) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -65,14 +57,6 @@ func (mg *Audit) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this Audit. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *Audit) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this Audit. func (mg *Audit) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r 
@@ -103,14 +87,6 @@ func (mg *Mount) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this Mount. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *Mount) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this Mount. func (mg *Mount) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -141,14 +117,6 @@ func (mg *Mount) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this Mount. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *Mount) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this Mount. func (mg *Mount) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -179,14 +147,6 @@ func (mg *Policy) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this Policy. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *Policy) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this Policy. func (mg *Policy) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -217,14 +177,6 @@ func (mg *Policy) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this Policy. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *Policy) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this Policy. func (mg *Policy) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r 
@@ -255,14 +207,6 @@ func (mg *Token) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this Token. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *Token) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this Token. func (mg *Token) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo @@ -293,14 +237,6 @@ func (mg *Token) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this Token. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *Token) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this Token. func (mg *Token) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r @@ -331,14 +267,6 @@ func (mg *VaultNamespace) GetProviderConfigReference() *xpv1.Reference { return mg.Spec.ProviderConfigReference } -/* -GetProviderReference of this VaultNamespace. -Deprecated: Use GetProviderConfigReference. -*/ -func (mg *VaultNamespace) GetProviderReference() *xpv1.Reference { - return mg.Spec.ProviderReference -} - // GetPublishConnectionDetailsTo of this VaultNamespace. func (mg *VaultNamespace) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { return mg.Spec.PublishConnectionDetailsTo 
@@ -369,14 +297,6 @@ func (mg *VaultNamespace) SetProviderConfigReference(r *xpv1.Reference) { mg.Spec.ProviderConfigReference = r } -/* -SetProviderReference of this VaultNamespace. -Deprecated: Use SetProviderConfigReference. -*/ -func (mg *VaultNamespace) SetProviderReference(r *xpv1.Reference) { - mg.Spec.ProviderReference = r -} - // SetPublishConnectionDetailsTo of this VaultNamespace. func (mg *VaultNamespace) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { mg.Spec.PublishConnectionDetailsTo = r diff --git a/apis/vault/v1alpha1/zz_generated.resolvers.go b/apis/vault/v1alpha1/zz_generated.resolvers.go new file mode 100644 index 00000000..a858c469 --- /dev/null +++ b/apis/vault/v1alpha1/zz_generated.resolvers.go 
@@ -0,0 +1,56 @@ +/* +Copyright 2022 Upbound Inc. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + reference "github.com/crossplane/crossplane-runtime/pkg/reference" + resource "github.com/crossplane/upjet/pkg/resource" + errors "github.com/pkg/errors" + client "sigs.k8s.io/controller-runtime/pkg/client" +) + +// ResolveReferences of this VaultNamespace. +func (mg *VaultNamespace) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Namespace), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.ForProvider.NamespaceRef, + Selector: mg.Spec.ForProvider.NamespaceSelector, + To: reference.To{ + List: &VaultNamespaceList{}, + Managed: &VaultNamespace{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Namespace") + } + mg.Spec.ForProvider.Namespace = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.NamespaceRef = rsp.ResolvedReference + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.Namespace), + Extract: resource.ExtractParamPath("path", false), + Reference: mg.Spec.InitProvider.NamespaceRef, + Selector: mg.Spec.InitProvider.NamespaceSelector, + To: reference.To{ + List: &VaultNamespaceList{}, + Managed: &VaultNamespace{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Namespace") + } + mg.Spec.InitProvider.Namespace = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.NamespaceRef = rsp.ResolvedReference + + return nil +} diff --git a/apis/vault/v1alpha1/zz_generated_terraformed.go b/apis/vault/v1alpha1/zz_generated_terraformed.go deleted file mode 100755 index 9aa038b2..00000000 
--- a/apis/vault/v1alpha1/zz_generated_terraformed.go +++ /dev/null 
@@ -1,434 +0,0 @@ -/* -Copyright 2022 Upbound Inc. -*/ - -// Code generated by upjet. DO NOT EDIT. - -package v1alpha1 - -import ( - "github.com/pkg/errors" - - "github.com/upbound/upjet/pkg/resource" - "github.com/upbound/upjet/pkg/resource/json" -) - -// GetTerraformResourceType returns Terraform resource type for this Audit -func (mg *Audit) GetTerraformResourceType() string { - return "vault_audit" -} - -// GetConnectionDetailsMapping for this Audit -func (tr *Audit) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this Audit -func (tr *Audit) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this Audit -func (tr *Audit) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this Audit -func (tr *Audit) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this Audit -func (tr *Audit) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this Audit -func (tr *Audit) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this Audit -func (tr *Audit) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, 
json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this Audit using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *Audit) LateInitialize(attrs []byte) (bool, error) { - params := &AuditParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *Audit) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this Mount -func (mg *Mount) GetTerraformResourceType() string { - return "vault_mount" -} - -// GetConnectionDetailsMapping for this Mount -func (tr *Mount) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this Mount -func (tr *Mount) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this Mount -func (tr *Mount) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this Mount -func (tr *Mount) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this Mount -func (tr *Mount) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := 
map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this Mount -func (tr *Mount) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this Mount -func (tr *Mount) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this Mount using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *Mount) LateInitialize(attrs []byte) (bool, error) { - params := &MountParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *Mount) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this VaultNamespace -func (mg *VaultNamespace) GetTerraformResourceType() string { - return "vault_namespace" -} - -// GetConnectionDetailsMapping for this VaultNamespace -func (tr *VaultNamespace) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this VaultNamespace -func (tr *VaultNamespace) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this VaultNamespace -func (tr *VaultNamespace) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this VaultNamespace -func (tr *VaultNamespace) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this VaultNamespace -func (tr *VaultNamespace) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this VaultNamespace -func (tr *VaultNamespace) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this VaultNamespace -func (tr *VaultNamespace) GetInitParameters() (map[string]any, error) { - p, err := 
json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this VaultNamespace using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *VaultNamespace) LateInitialize(attrs []byte) (bool, error) { - params := &VaultNamespaceParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *VaultNamespace) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this Policy -func (mg *Policy) GetTerraformResourceType() string { - return "vault_policy" -} - -// GetConnectionDetailsMapping for this Policy -func (tr *Policy) GetConnectionDetailsMapping() map[string]string { - return nil -} - -// GetObservation of this Policy -func (tr *Policy) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this Policy -func (tr *Policy) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this Policy -func (tr *Policy) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of 
this Policy -func (tr *Policy) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this Policy -func (tr *Policy) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this Policy -func (tr *Policy) GetInitParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this Policy using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *Policy) LateInitialize(attrs []byte) (bool, error) { - params := &PolicyParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) 
- return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *Policy) GetTerraformSchemaVersion() int { - return 0 -} - -// GetTerraformResourceType returns Terraform resource type for this Token -func (mg *Token) GetTerraformResourceType() string { - return "vault_token" -} - -// GetConnectionDetailsMapping for this Token -func (tr *Token) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"client_token": "status.atProvider.clientToken", "wrapped_token": "status.atProvider.wrappedToken", "wrapping_accessor": "status.atProvider.wrappingAccessor"} -} - -// GetObservation of this Token -func (tr *Token) GetObservation() (map[string]any, error) { - o, err := json.TFParser.Marshal(tr.Status.AtProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(o, &base) -} - -// SetObservation for this Token -func (tr *Token) SetObservation(obs map[string]any) error { - p, err := json.TFParser.Marshal(obs) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) -} - -// GetID returns ID of underlying Terraform resource of this Token -func (tr *Token) GetID() string { - if tr.Status.AtProvider.ID == nil { - return "" - } - return *tr.Status.AtProvider.ID -} - -// GetParameters of this Token -func (tr *Token) GetParameters() (map[string]any, error) { - p, err := json.TFParser.Marshal(tr.Spec.ForProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// SetParameters for this Token -func (tr *Token) SetParameters(params map[string]any) error { - p, err := json.TFParser.Marshal(params) - if err != nil { - return err - } - return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) -} - -// GetInitParameters of this Token -func (tr *Token) GetInitParameters() (map[string]any, error) { - p, err := 
json.TFParser.Marshal(tr.Spec.InitProvider) - if err != nil { - return nil, err - } - base := map[string]any{} - return base, json.TFParser.Unmarshal(p, &base) -} - -// LateInitialize this Token using its observed tfState. -// returns True if there are any spec changes for the resource. -func (tr *Token) LateInitialize(attrs []byte) (bool, error) { - params := &TokenParameters{} - if err := json.TFParser.Unmarshal(attrs, params); err != nil { - return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") - } - opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} - - li := resource.NewGenericLateInitializer(opts...) - return li.LateInitialize(&tr.Spec.ForProvider, params) -} - -// GetTerraformSchemaVersion returns the associated Terraform schema version -func (tr *Token) GetTerraformSchemaVersion() int { - return 0 -} diff --git a/apis/vault/v1alpha1/zz_mount_terraformed.go b/apis/vault/v1alpha1/zz_mount_terraformed.go new file mode 100755 index 00000000..4ccc7a3b --- /dev/null +++ b/apis/vault/v1alpha1/zz_mount_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this Mount +func (mg *Mount) GetTerraformResourceType() string { + return "vault_mount" +} + +// GetConnectionDetailsMapping for this Mount +func (tr *Mount) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this Mount +func (tr *Mount) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this Mount +func (tr *Mount) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this Mount +func (tr *Mount) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this Mount +func (tr *Mount) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this Mount +func (tr *Mount) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this Mount +func (tr *Mount) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + 
return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this Mount +func (tr *Mount) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this Mount using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *Mount) LateInitialize(attrs []byte) (bool, error) { + params := &MountParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *Mount) GetTerraformSchemaVersion() int { + return 0 +} 
diff --git a/apis/vault/v1alpha1/zz_mount_types.go b/apis/vault/v1alpha1/zz_mount_types.go index 1b0a5cd7..1da79708 100755 --- a/apis/vault/v1alpha1/zz_mount_types.go +++ b/apis/vault/v1alpha1/zz_mount_types.go @@ -17,8 +17,14 @@ type MountInitParameters struct { // Set of managed key registry entry names that the mount in question is allowed to access // List of managed key registry entry names that the mount in question is allowed to access + // +listType=set AllowedManagedKeys []*string `json:"allowedManagedKeys,omitempty" tf:"allowed_managed_keys,omitempty"` + // List of headers to allow, allowing a plugin to include + // them in the response. + // List of headers to allow and pass from the request to the plugin + AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers,omitempty"` + // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys,omitempty"` @@ -31,6 +37,11 @@ type MountInitParameters struct { // Default lease duration for tokens and secrets in seconds DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // List of allowed authentication mount accessors the + // backend can request delegated authentication for. + // List of headers to allow and pass from the request to the plugin + DelegatedAuthAccessors []*string `json:"delegatedAuthAccessors,omitempty" tf:"delegated_auth_accessors,omitempty"` + // Human-friendly description of the mount // Human-friendly description of the mount Description *string `json:"description,omitempty" tf:"description,omitempty"` 
@@ -39,6 +50,16 @@ type MountInitParameters struct { // Enable the secrets engine to access Vault's external entropy source ExternalEntropyAccess *bool `json:"externalEntropyAccess,omitempty" tf:"external_entropy_access,omitempty"` + // The key to use for signing plugin workload identity tokens. If + // not provided, this will default to Vault's OIDC default key. + // The key to use for signing plugin workload identity tokens + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + + // Specifies whether to show this mount in the UI-specific + // listing endpoint. Valid values are unauth or hidden. If not set, behaves like hidden. + // Specifies whether to show this mount in the UI-specific listing endpoint + ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility,omitempty"` + // Boolean flag that can be explicitly set to true to enforce local mount in HA environment // Local mount flag that can be explicitly set to true to enforce local mount in HA environment Local *bool `json:"local,omitempty" tf:"local,omitempty"` 
@@ -56,12 +77,24 @@ type MountInitParameters struct { // Specifies mount type specific options that are passed to the backend // Specifies mount type specific options that are passed to the backend + // +mapType=granular Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` + // List of headers to allow and pass from the request to + // the plugin. + // List of headers to allow and pass from the request to the plugin + PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers,omitempty"` + // Where the secret backend will be mounted // Where the secret backend will be mounted Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Specifies the semantic version of the plugin to use, e.g. "v1.0.0". + // If unspecified, the server will select any matching unversioned plugin that may have been + // registered, the latest versioned plugin registered, or a built-in plugin in that order of precedence. + // Specifies the semantic version of the plugin to use, e.g. 'v1.0.0' + PluginVersion *string `json:"pluginVersion,omitempty" tf:"plugin_version,omitempty"` + // Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability // Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability SealWrap *bool `json:"sealWrap,omitempty" tf:"seal_wrap,omitempty"` 
@@ -79,8 +112,14 @@ type MountObservation struct { // Set of managed key registry entry names that the mount in question is allowed to access // List of managed key registry entry names that the mount in question is allowed to access + // +listType=set AllowedManagedKeys []*string `json:"allowedManagedKeys,omitempty" tf:"allowed_managed_keys,omitempty"` + // List of headers to allow, allowing a plugin to include + // them in the response. + // List of headers to allow and pass from the request to the plugin + AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers,omitempty"` + // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys,omitempty"` @@ -93,6 +132,11 @@ type MountObservation struct { // Default lease duration for tokens and secrets in seconds DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // List of allowed authentication mount accessors the + // backend can request delegated authentication for. + // List of headers to allow and pass from the request to the plugin + DelegatedAuthAccessors []*string `json:"delegatedAuthAccessors,omitempty" tf:"delegated_auth_accessors,omitempty"` + // Human-friendly description of the mount // Human-friendly description of the mount Description *string `json:"description,omitempty" tf:"description,omitempty"` 
@@ -103,6 +147,16 @@ type MountObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The key to use for signing plugin workload identity tokens. If + // not provided, this will default to Vault's OIDC default key. + // The key to use for signing plugin workload identity tokens + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + + // Specifies whether to show this mount in the UI-specific + // listing endpoint. Valid values are unauth or hidden. If not set, behaves like hidden. + // Specifies whether to show this mount in the UI-specific listing endpoint + ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility,omitempty"` + // Boolean flag that can be explicitly set to true to enforce local mount in HA environment // Local mount flag that can be explicitly set to true to enforce local mount in HA environment Local *bool `json:"local,omitempty" tf:"local,omitempty"` 
@@ -120,12 +174,24 @@ type MountObservation struct { // Specifies mount type specific options that are passed to the backend // Specifies mount type specific options that are passed to the backend + // +mapType=granular Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` + // List of headers to allow and pass from the request to + // the plugin. + // List of headers to allow and pass from the request to the plugin + PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers,omitempty"` + // Where the secret backend will be mounted // Where the secret backend will be mounted Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Specifies the semantic version of the plugin to use, e.g. "v1.0.0". + // If unspecified, the server will select any matching unversioned plugin that may have been + // registered, the latest versioned plugin registered, or a built-in plugin in that order of precedence. + // Specifies the semantic version of the plugin to use, e.g. 'v1.0.0' + PluginVersion *string `json:"pluginVersion,omitempty" tf:"plugin_version,omitempty"` + // Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability // Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability SealWrap *bool `json:"sealWrap,omitempty" tf:"seal_wrap,omitempty"` 
@@ -140,8 +206,15 @@ type MountParameters struct { // Set of managed key registry entry names that the mount in question is allowed to access // List of managed key registry entry names that the mount in question is allowed to access // +kubebuilder:validation:Optional + // +listType=set AllowedManagedKeys []*string `json:"allowedManagedKeys,omitempty" tf:"allowed_managed_keys,omitempty"` + // List of headers to allow, allowing a plugin to include + // them in the response. + // List of headers to allow and pass from the request to the plugin + // +kubebuilder:validation:Optional + AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers,omitempty"` + // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. // +kubebuilder:validation:Optional @@ -157,6 +230,12 @@ type MountParameters struct { // +kubebuilder:validation:Optional DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // List of allowed authentication mount accessors the + // backend can request delegated authentication for. + // List of headers to allow and pass from the request to the plugin + // +kubebuilder:validation:Optional + DelegatedAuthAccessors []*string `json:"delegatedAuthAccessors,omitempty" tf:"delegated_auth_accessors,omitempty"` + // Human-friendly description of the mount // Human-friendly description of the mount // +kubebuilder:validation:Optional 
@@ -167,6 +246,18 @@ type MountParameters struct { // +kubebuilder:validation:Optional ExternalEntropyAccess *bool `json:"externalEntropyAccess,omitempty" tf:"external_entropy_access,omitempty"` + // The key to use for signing plugin workload identity tokens. If + // not provided, this will default to Vault's OIDC default key. + // The key to use for signing plugin workload identity tokens + // +kubebuilder:validation:Optional + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + + // Specifies whether to show this mount in the UI-specific + // listing endpoint. Valid values are unauth or hidden. If not set, behaves like hidden. + // Specifies whether to show this mount in the UI-specific listing endpoint + // +kubebuilder:validation:Optional + ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility,omitempty"` + // Boolean flag that can be explicitly set to true to enforce local mount in HA environment // Local mount flag that can be explicitly set to true to enforce local mount in HA environment // +kubebuilder:validation:Optional 
@@ -188,13 +279,27 @@ type MountParameters struct { // Specifies mount type specific options that are passed to the backend // Specifies mount type specific options that are passed to the backend // +kubebuilder:validation:Optional + // +mapType=granular Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` + // List of headers to allow and pass from the request to + // the plugin. + // List of headers to allow and pass from the request to the plugin + // +kubebuilder:validation:Optional + PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers,omitempty"` + // Where the secret backend will be mounted // Where the secret backend will be mounted // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Specifies the semantic version of the plugin to use, e.g. "v1.0.0". + // If unspecified, the server will select any matching unversioned plugin that may have been + // registered, the latest versioned plugin registered, or a built-in plugin in that order of precedence. + // Specifies the semantic version of the plugin to use, e.g. 'v1.0.0' + // +kubebuilder:validation:Optional + PluginVersion *string `json:"pluginVersion,omitempty" tf:"plugin_version,omitempty"` + // Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability // Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability // +kubebuilder:validation:Optional 
@@ -210,9 +315,8 @@ type MountParameters struct { type MountSpec struct { v1.ResourceSpec `json:",inline"` ForProvider MountParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -231,19 +335,20 @@ type MountStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // Mount is the Schema for the Mounts API. Managing the mounting of secret backends in Vault -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type Mount struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || has(self.initProvider.path)",message="path is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.type) || has(self.initProvider.type)",message="type is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || (has(self.initProvider) && has(self.initProvider.path))",message="spec.forProvider.path is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || 
has(self.forProvider.type) || (has(self.initProvider) && has(self.initProvider.type))",message="spec.forProvider.type is a required parameter" Spec MountSpec `json:"spec"` Status MountStatus `json:"status,omitempty"` } diff --git a/apis/vault/v1alpha1/zz_policy_terraformed.go b/apis/vault/v1alpha1/zz_policy_terraformed.go new file mode 100755 index 00000000..51b916e3 --- /dev/null +++ b/apis/vault/v1alpha1/zz_policy_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this Policy +func (mg *Policy) GetTerraformResourceType() string { + return "vault_policy" +} + +// GetConnectionDetailsMapping for this Policy +func (tr *Policy) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this Policy +func (tr *Policy) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this Policy +func (tr *Policy) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this Policy +func (tr *Policy) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this Policy +func (tr *Policy) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this Policy +func (tr *Policy) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this Policy +func (tr *Policy) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := 
map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this Policy +func (tr *Policy) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this Policy using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *Policy) LateInitialize(attrs []byte) (bool, error) { + params := &PolicyParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *Policy) GetTerraformSchemaVersion() int { + return 0 +} 
diff --git a/apis/vault/v1alpha1/zz_policy_types.go b/apis/vault/v1alpha1/zz_policy_types.go index 38679b20..86bbe5ce 100755 --- a/apis/vault/v1alpha1/zz_policy_types.go +++ b/apis/vault/v1alpha1/zz_policy_types.go @@ -75,9 +75,8 @@ type PolicyParameters struct { type PolicySpec struct { v1.ResourceSpec `json:",inline"` ForProvider PolicyParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -96,19 +95,20 @@ type PolicyStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // Policy is the Schema for the Policys API. Writes arbitrary policies for Vault -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type Policy struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.policy) || has(self.initProvider.policy)",message="policy is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || (has(self.initProvider) && has(self.initProvider.name))",message="spec.forProvider.name is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || 
has(self.forProvider.policy) || (has(self.initProvider) && has(self.initProvider.policy))",message="spec.forProvider.policy is a required parameter" Spec PolicySpec `json:"spec"` Status PolicyStatus `json:"status,omitempty"` } diff --git a/apis/vault/v1alpha1/zz_token_terraformed.go b/apis/vault/v1alpha1/zz_token_terraformed.go new file mode 100755 index 00000000..af7d0cd9 --- /dev/null +++ b/apis/vault/v1alpha1/zz_token_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this Token +func (mg *Token) GetTerraformResourceType() string { + return "vault_token" +} + +// GetConnectionDetailsMapping for this Token +func (tr *Token) GetConnectionDetailsMapping() map[string]string { + return map[string]string{"client_token": "status.atProvider.clientToken", "wrapped_token": "status.atProvider.wrappedToken", "wrapping_accessor": "status.atProvider.wrappingAccessor"} +} + +// GetObservation of this Token +func (tr *Token) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this Token +func (tr *Token) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this Token +func (tr *Token) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this Token +func (tr *Token) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this Token +func (tr *Token) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this Token +func (tr 
*Token) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this Token +func (tr *Token) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this Token using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *Token) LateInitialize(attrs []byte) (bool, error) { + params := &TokenParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *Token) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/vault/v1alpha1/zz_token_types.go b/apis/vault/v1alpha1/zz_token_types.go index b9c17885..435f677a 100755 --- a/apis/vault/v1alpha1/zz_token_types.go +++ b/apis/vault/v1alpha1/zz_token_types.go @@ -25,6 +25,7 @@ type TokenInitParameters struct { // Metadata to be set on this token // Metadata to be associated with the token. + // +mapType=granular Metadata map[string]*string `json:"metadata,omitempty" tf:"metadata,omitempty"` // The namespace to provision the resource in. @@ -52,6 +53,7 @@ type TokenInitParameters struct { // List of policies to attach to this token // List of policies. + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` // The renew increment. This is specified in seconds @@ -101,6 +103,7 @@ type TokenObservation struct { // Metadata to be set on this token // Metadata to be associated with the token. + // +mapType=granular Metadata map[string]*string `json:"metadata,omitempty" tf:"metadata,omitempty"` // The namespace to provision the resource in. @@ -128,6 +131,7 @@ type TokenObservation struct { // List of policies to attach to this token // List of policies. + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` // The renew increment. This is specified in seconds @@ -170,6 +174,7 @@ type TokenParameters struct { // Metadata to be set on this token // Metadata to be associated with the token. // +kubebuilder:validation:Optional + // +mapType=granular Metadata map[string]*string `json:"metadata,omitempty" tf:"metadata,omitempty"` // The namespace to provision the resource in. 
@@ -203,6 +208,7 @@ type TokenParameters struct { // List of policies to attach to this token // List of policies. // +kubebuilder:validation:Optional + // +listType=set Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` // The renew increment. This is specified in seconds @@ -240,9 +246,8 @@ type TokenParameters struct { type TokenSpec struct { v1.ResourceSpec `json:",inline"` ForProvider TokenParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. @@ -261,13 +266,14 @@ type TokenStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // Token is the Schema for the Tokens API. Writes token for Vault -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type Token struct { metav1.TypeMeta `json:",inline"` 
diff --git a/apis/vault/v1alpha1/zz_vaultnamespace_terraformed.go b/apis/vault/v1alpha1/zz_vaultnamespace_terraformed.go new file mode 100755 index 00000000..14b49f1e --- /dev/null +++ b/apis/vault/v1alpha1/zz_vaultnamespace_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this VaultNamespace +func (mg *VaultNamespace) GetTerraformResourceType() string { + return "vault_namespace" +} + +// GetConnectionDetailsMapping for this VaultNamespace +func (tr *VaultNamespace) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this VaultNamespace +func (tr *VaultNamespace) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this VaultNamespace +func (tr *VaultNamespace) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this VaultNamespace +func (tr *VaultNamespace) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this VaultNamespace +func (tr *VaultNamespace) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this VaultNamespace +func (tr *VaultNamespace) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this VaultNamespace +func (tr *VaultNamespace) GetInitParameters() 
(map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this VaultNamespace +func (tr *VaultNamespace) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this VaultNamespace using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *VaultNamespace) LateInitialize(attrs []byte) (bool, error) { + params := &VaultNamespaceParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) 
+ return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *VaultNamespace) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/vault/v1alpha1/zz_vaultnamespace_types.go b/apis/vault/v1alpha1/zz_vaultnamespace_types.go index 22c79640..aa76334f 100755 --- a/apis/vault/v1alpha1/zz_vaultnamespace_types.go +++ b/apis/vault/v1alpha1/zz_vaultnamespace_types.go @@ -18,6 +18,7 @@ type VaultNamespaceInitParameters struct { // Custom metadata describing this namespace. Value type // is map[string]string. Requires Vault version 1.12+. // Custom metadata describing this namespace. Value type is map[string]string. + // +mapType=granular CustomMetadata map[string]*string `json:"customMetadata,omitempty" tf:"custom_metadata,omitempty"` // The namespace to provision the resource in. @@ -25,8 +26,18 @@ type VaultNamespaceInitParameters struct { // The namespace is always relative to the provider's configured namespace. // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.VaultNamespace + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Reference to a VaultNamespace in vault to populate namespace. + // +kubebuilder:validation:Optional + NamespaceRef *v1.Reference `json:"namespaceRef,omitempty" tf:"-"` + + // Selector for a VaultNamespace in vault to populate namespace. + // +kubebuilder:validation:Optional + NamespaceSelector *v1.Selector `json:"namespaceSelector,omitempty" tf:"-"` + // The path of the namespace. Must not have a trailing /. // Namespace path. Path *string `json:"path,omitempty" tf:"path,omitempty"` 
@@ -42,6 +53,7 @@ type VaultNamespaceObservation struct { // Custom metadata describing this namespace. Value type // is map[string]string. Requires Vault version 1.12+. // Custom metadata describing this namespace. Value type is map[string]string. + // +mapType=granular CustomMetadata map[string]*string `json:"customMetadata,omitempty" tf:"custom_metadata,omitempty"` // The fully qualified path to the namespace, including the provider namespace and a trailing slash. @@ -74,6 +86,7 @@ type VaultNamespaceParameters struct { // is map[string]string. Requires Vault version 1.12+. // Custom metadata describing this namespace. Value type is map[string]string. // +kubebuilder:validation:Optional + // +mapType=granular CustomMetadata map[string]*string `json:"customMetadata,omitempty" tf:"custom_metadata,omitempty"` // The namespace to provision the resource in. @@ -81,9 +94,19 @@ type VaultNamespaceParameters struct { // The namespace is always relative to the provider's configured namespace. // Available only for Vault Enterprise. // Target namespace. (requires Enterprise) + // +crossplane:generate:reference:type=github.com/upbound/provider-vault/apis/vault/v1alpha1.VaultNamespace + // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("path",false) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Reference to a VaultNamespace in vault to populate namespace. + // +kubebuilder:validation:Optional + NamespaceRef *v1.Reference `json:"namespaceRef,omitempty" tf:"-"` + + // Selector for a VaultNamespace in vault to populate namespace. + // +kubebuilder:validation:Optional + NamespaceSelector *v1.Selector `json:"namespaceSelector,omitempty" tf:"-"` + // The path of the namespace. Must not have a trailing /. // Namespace path. // +kubebuilder:validation:Optional 
@@ -100,9 +123,8 @@ type VaultNamespaceParameters struct { type VaultNamespaceSpec struct { v1.ResourceSpec `json:",inline"` ForProvider VaultNamespaceParameters `json:"forProvider"` - // THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored - // unless the relevant Crossplane feature flag is enabled, and may be - // changed or removed without notice. + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. // InitProvider holds the same fields as ForProvider, with the exception // of Identifier and other resource reference fields. The fields that are // in InitProvider are merged into ForProvider when the resource is created. 
@@ -121,18 +143,19 @@ type VaultNamespaceStatus struct { } // +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion // VaultNamespace is the Schema for the VaultNamespaces API. Writes namespaces for Vault -// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:subresource:status // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault} type VaultNamespace struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || has(self.initProvider.path)",message="path is a required parameter" + // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.path) || (has(self.initProvider) && has(self.initProvider.path))",message="spec.forProvider.path is a required parameter" Spec VaultNamespaceSpec `json:"spec"` Status VaultNamespaceStatus `json:"status,omitempty"` } diff --git a/cluster/images/provider-vault/Dockerfile b/cluster/images/provider-vault/Dockerfile index 84c445ee..50a1e11e 100644 --- a/cluster/images/provider-vault/Dockerfile +++ b/cluster/images/provider-vault/Dockerfile 
@@ -1,5 +1,5 @@ -FROM alpine:3.16.2 -RUN apk --no-cache add ca-certificates bash +FROM alpine:3.20.3 +RUN apk --no-cache add ca-certificates>=20220614-r0 bash~=5 ARG TARGETOS ARG TARGETARCH 
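Review bot: The version constraints on the new `RUN apk` line are unquoted, so in shell form `/bin/sh` treats the `>` in `ca-certificates>=20220614-r0` as an output redirection. apk then installs `ca-certificates` with no minimum version, and its stdout goes to a file named `=20220614-r0` inside the image layer. Quote both arguments so the constraints reach apk: `RUN apk --no-cache add 'ca-certificates>=20220614-r0' 'bash~=5'`. Separately, `FROM alpine:3.20.3` is pinned by tag only; adding the image digest would make the base reproducible and guard against a re-pushed tag.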
@@ -8,41 +8,6 @@ ADD "bin/${TARGETOS}_${TARGETARCH}/provider" /usr/local/bin/provider ENV USER_ID=65532 -# Setup Terraform environment - -## Provider-dependent configuration -ARG TERRAFORM_VERSION -ARG TERRAFORM_PROVIDER_SOURCE -ARG TERRAFORM_PROVIDER_VERSION -ARG TERRAFORM_PROVIDER_DOWNLOAD_NAME -ARG TERRAFORM_NATIVE_PROVIDER_BINARY -## End of - Provider-dependent configuration - -ENV PLUGIN_DIR /terraform/provider-mirror/registry.terraform.io/${TERRAFORM_PROVIDER_SOURCE}/${TERRAFORM_PROVIDER_VERSION}/${TARGETOS}_${TARGETARCH} -ENV TF_CLI_CONFIG_FILE /terraform/.terraformrc -ENV TF_FORK 0 - -RUN mkdir -p ${PLUGIN_DIR} - -ADD https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_${TARGETOS}_${TARGETARCH}.zip /tmp -ADD https://releases.hashicorp.com/${TERRAFORM_PROVIDER_DOWNLOAD_NAME}/${TERRAFORM_PROVIDER_VERSION}/${TERRAFORM_PROVIDER_DOWNLOAD_NAME}_${TERRAFORM_PROVIDER_VERSION}_${TARGETOS}_${TARGETARCH}.zip /tmp -ADD terraformrc.hcl ${TF_CLI_CONFIG_FILE} - -RUN unzip /tmp/terraform_${TERRAFORM_VERSION}_${TARGETOS}_${TARGETARCH}.zip -d /usr/local/bin \ - && chmod +x /usr/local/bin/terraform \ - && rm /tmp/terraform_${TERRAFORM_VERSION}_${TARGETOS}_${TARGETARCH}.zip \ - && unzip /tmp/${TERRAFORM_PROVIDER_DOWNLOAD_NAME}_${TERRAFORM_PROVIDER_VERSION}_${TARGETOS}_${TARGETARCH}.zip -d ${PLUGIN_DIR} \ - && chmod +x ${PLUGIN_DIR}/* \ - && rm /tmp/${TERRAFORM_PROVIDER_DOWNLOAD_NAME}_${TERRAFORM_PROVIDER_VERSION}_${TARGETOS}_${TARGETARCH}.zip \ - && chown -R ${USER_ID}:${USER_ID} /terraform -# End of - Setup Terraform environment - -# Provider controller needs these environment variable at runtime -ENV TERRAFORM_VERSION ${TERRAFORM_VERSION} -ENV TERRAFORM_PROVIDER_SOURCE ${TERRAFORM_PROVIDER_SOURCE} -ENV TERRAFORM_PROVIDER_VERSION ${TERRAFORM_PROVIDER_VERSION} -ENV TERRAFORM_NATIVE_PROVIDER_PATH ${PLUGIN_DIR}/${TERRAFORM_NATIVE_PROVIDER_BINARY} - USER ${USER_ID} EXPOSE 8080 
diff --git a/cluster/test/setup.sh b/cluster/test/setup.sh index 03485b1b..7cf476d5 100755 --- a/cluster/test/setup.sh +++ b/cluster/test/setup.sh @@ -62,8 +62,16 @@ while [[ "$VAULT_NOT_RUNNING" == "true" ]]; do fi done -echo "Initializing vault and obtaining unseal keys" -${KUBECTL} exec -n vault --stdin vault-0 -- vault operator init -format=yaml > vault-auto-unseal-keys.yaml +SECRET_EXISTS=$(${KUBECTL} get secret vault-auto-unseal-keys --ignore-not-found) +if [[ "$SECRET_EXISTS" = "" ]]; then + echo "Initializing vault and obtaining unseal keys" + ${KUBECTL} exec -n vault --stdin vault-0 -- vault operator init -format=yaml > vault-auto-unseal-keys.yaml + echo "Creating secret with unseal keys" + ${KUBECTL} create secret generic vault-auto-unseal-keys --from-file=keys=./vault-auto-unseal-keys.yaml +else + echo "Secret vault-auto-unseal-keys exists. Fetching and decoding the keys." + ${KUBECTL} get secret vault-auto-unseal-keys -o jsonpath='{.data.keys}' | base64 --decode > vault-auto-unseal-keys.yaml +fi echo_info "vault-auto-unseal-keys.yaml" cat vault-auto-unseal-keys.yaml @@ -87,11 +95,7 @@ metadata: namespace: vault type: Opaque stringData: - credentials: | - { - "token_name": "vault-creds-test-token", - "token": "$VAULT_ROOT_TOKEN" - } + credentials: '{"token": "$VAULT_ROOT_TOKEN"}' EOF echo_info "Applying providerconfig" @@ -103,21 +107,12 @@ metadata: name: vault-provider-config spec: address: http://$VAULT_0_POD_IP:8200 - add_address_to_env: false - headers: {name: test, value: "e2e"} - max_lease_ttl_seconds: 300 - max_retries: 10 - max_retries_ccc: 10 - namespace: vault skip_child_token: true - skip_get_vault_version: true skip_tls_verify: true - tls_server_name: "" - vault_version_override: "1.12.0" credentials: source: Secret secretRef: - name: vault-creds namespace: vault + name: vault-creds key: credentials EOF diff --git a/cmd/generator/main.go b/cmd/generator/main.go index caddffae..0f35180c 100644 --- a/cmd/generator/main.go 
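Review bot: In the `@@ -62,8 +62,16 @@` hunk, `vault operator init` is redirected straight into `vault-auto-unseal-keys.yaml` and the secret is created from that file without checking that init succeeded. A failed init can therefore persist an empty or partial key file, which every later run restores from the secret; unless the script runs under `set -e` (not visible here), add a guard such as `[[ -s vault-auto-unseal-keys.yaml ]] || exit 1` before `create secret`. The `get secret` and `create secret` calls also carry no `-n`, unlike the `exec -n vault` beside them, so the unseal keys (and the root token that init prints) land in whatever namespace the current kubeconfig context selects; adding `-n vault` to all three secret commands keeps them scoped with the rest of the test setup. The key file is also written under the default umask and then `cat`ed to the log, so a `umask 077` before the redirect would at least limit local exposure.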
+++ b/cmd/generator/main.go @@ -5,11 +5,12 @@ Copyright 2021 Upbound Inc. package main import ( + "context" "fmt" "os" "path/filepath" - "github.com/upbound/upjet/pkg/pipeline" + "github.com/crossplane/upjet/pkg/pipeline" "github.com/upbound/provider-vault/config" ) @@ -23,5 +24,9 @@ func main() { if err != nil { panic(fmt.Sprintf("cannot calculate the absolute path with %s", rootDir)) } - pipeline.Run(config.GetProvider(), absRootDir) + p, err := config.GetProvider(context.Background(), true) + if err != nil { + panic(fmt.Sprintf("cannot get provider configuration: %v", err)) + } + pipeline.Run(p, absRootDir) } diff --git a/cmd/provider/main.go b/cmd/provider/main.go index 7ce76cec..634ff5eb 100644 --- a/cmd/provider/main.go +++ b/cmd/provider/main.go @@ -6,6 +6,7 @@ package main import ( "context" + "fmt" "os" "path/filepath" "time" 
@@ -16,41 +17,55 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/feature" "github.com/crossplane/crossplane-runtime/pkg/logging" "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" + "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/controller/handler" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" "gopkg.in/alecthomas/kingpin.v2" kerrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/tools/leaderelection/resourcelock" ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/cache" "sigs.k8s.io/controller-runtime/pkg/log/zap" + "sigs.k8s.io/controller-runtime/pkg/metrics" "github.com/upbound/provider-vault/apis" "github.com/upbound/provider-vault/apis/v1alpha1" "github.com/upbound/provider-vault/config" "github.com/upbound/provider-vault/internal/clients" + "github.com/upbound/provider-vault/internal/controller" "github.com/upbound/provider-vault/internal/features" ) +func deprecationAction(flagName string) kingpin.Action { + return func(c *kingpin.ParseContext) error { + _, err := fmt.Fprintf(os.Stderr, "warning: Command-line flag %q is deprecated and no longer used. It will be removed in a future release. 
Please remove it from all of your configurations (ControllerConfigs, etc.).\n", flagName) + kingpin.FatalIfError(err, "Failed to print the deprecation notice.") + return nil + } +} + func main() { var ( - app = kingpin.New(filepath.Base(os.Args[0]), "Terraform based Crossplane provider for Vault").DefaultEnvars() - debug = app.Flag("debug", "Run with debug logging.").Short('d').Bool() - syncPeriod = app.Flag("sync", "Controller manager sync period such as 300ms, 1.5h, or 2h45m").Short('s').Default("1h").Duration() - pollInterval = app.Flag("poll", "Poll interval controls how often an individual resource should be checked for drift.").Default("10m").Duration() - leaderElection = app.Flag("leader-election", "Use leader election for the controller manager.").Short('l').Default("false").OverrideDefaultFromEnvar("LEADER_ELECTION").Bool() - maxReconcileRate = app.Flag("max-reconcile-rate", "The global maximum rate per second at which resources may checked for drift from the desired state.").Default("10").Int() - nativeProviderSource = app.Flag("terraform-provider-source", "Terraform provider source.").Required().Envar("TERRAFORM_PROVIDER_SOURCE").String() - terraformVersion = app.Flag("terraform-version", "Terraform version.").Required().Envar("TERRAFORM_VERSION").String() - providerVersion = app.Flag("terraform-provider-version", "Terraform provider version.").Required().Envar("TERRAFORM_PROVIDER_VERSION").String() + app = kingpin.New(filepath.Base(os.Args[0]), "Terraform based Crossplane provider for Vault").DefaultEnvars() + debug = app.Flag("debug", "Run with debug logging.").Short('d').Bool() + syncPeriod = app.Flag("sync", "Controller manager sync period such as 300ms, 1.5h, or 2h45m").Short('s').Default("1h").Duration() + pollInterval = app.Flag("poll", "Poll interval controls how often an individual resource should be checked for drift.").Default("10m").Duration() + pollStateMetricInterval = app.Flag("poll-state-metric", "State metric recording 
interval").Default("5s").Duration() + leaderElection = app.Flag("leader-election", "Use leader election for the controller manager.").Short('l').Default("false").OverrideDefaultFromEnvar("LEADER_ELECTION").Bool() + maxReconcileRate = app.Flag("max-reconcile-rate", "The global maximum rate per second at which resources may checked for drift from the desired state.").Default("10").Int() namespace = app.Flag("namespace", "Namespace used to set as default scope in default secret store config.").Default("upbound-system").Envar("POD_NAMESPACE").String() enableExternalSecretStores = app.Flag("enable-external-secret-stores", "Enable support for ExternalSecretStores.").Default("false").Envar("ENABLE_EXTERNAL_SECRET_STORES").Bool() essTLSCertsPath = app.Flag("ess-tls-cert-dir", "Path of ESS TLS certificates.").Envar("ESS_TLS_CERTS_DIR").String() - enableManagementPolicies = app.Flag("enable-management-policies", "Enable support for Management Policies.").Default("false").Envar("ENABLE_MANAGEMENT_POLICIES").Bool() + enableManagementPolicies = app.Flag("enable-management-policies", "Enable support for Management Policies.").Default("true").Envar("ENABLE_MANAGEMENT_POLICIES").Bool() + + // now deprecated command-line arguments with the Terraform SDK-based upjet architecture + _ = app.Flag("terraform-provider-source", "[DEPRECATED: This option is no longer used and it will be removed in a future release.] Terraform provider source.").Envar("TERRAFORM_PROVIDER_SOURCE").Hidden().Action(deprecationAction("terraform-provider-source")).String() + _ = app.Flag("terraform-version", "[DEPRECATED: This option is no longer used and it will be removed in a future release.] Terraform version.").Envar("TERRAFORM_VERSION").Hidden().Action(deprecationAction("terraform-version")).String() + _ = app.Flag("terraform-provider-version", "[DEPRECATED: This option is no longer used and it will be removed in a future release.] 
Terraform provider version.").Envar("TERRAFORM_PROVIDER_VERSION").Hidden().Action(deprecationAction("terraform-provider-version")).String() ) kingpin.MustParse(app.Parse(os.Args[1:])) @@ -66,13 +81,20 @@ func main() { log.Debug("Starting", "sync-period", syncPeriod.String(), "poll-interval", pollInterval.String(), "max-reconcile-rate", *maxReconcileRate) + // currently, we configure the jitter to be the 5% of the poll interval + pollJitter := time.Duration(float64(*pollInterval) * 0.05) + log.Debug("Starting", "sync-interval", syncPeriod.String(), + "poll-interval", pollInterval.String(), "poll-jitter", pollJitter, "max-reconcile-rate", *maxReconcileRate) + cfg, err := ctrl.GetConfig() kingpin.FatalIfError(err, "Cannot get API server rest config") mgr, err := ctrl.NewManager(cfg, ctrl.Options{ - LeaderElection: *leaderElection, - LeaderElectionID: "crossplane-leader-election-provider-vault", - SyncPeriod: syncPeriod, + LeaderElection: *leaderElection, + LeaderElectionID: "crossplane-leader-election-provider-vault", + Cache: cache.Options{ + SyncPeriod: syncPeriod, + }, LeaderElectionResourceLock: resourcelock.LeasesResourceLock, LeaseDuration: func() *time.Duration { d := 60 * time.Second; return &d }(), RenewDeadline: func() *time.Duration { d := 50 * time.Second; return &d }(), @@ -80,6 +102,15 @@ func main() { kingpin.FatalIfError(err, "Cannot create controller manager") kingpin.FatalIfError(apis.AddToScheme(mgr.GetScheme()), "Cannot add Vault APIs to scheme") + metricRecorder := managed.NewMRMetricRecorder() + stateMetrics := statemetrics.NewMRStateMetrics() + + metrics.Registry.MustRegister(metricRecorder) + metrics.Registry.MustRegister(stateMetrics) + + ctx := context.Background() + provider, err := config.GetProvider(ctx, false) + kingpin.FatalIfError(err, "Cannot initialize the provider configuration") featureFlags := &feature.Flags{} o := tjcontroller.Options{ Options: xpcontroller.Options{ 
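Review bot: `deprecationAction` calls `kingpin.FatalIfError` when the `fmt.Fprintf` to stderr fails, so a failed warning print terminates the provider even though the flag itself is ignored. A best-effort write, `_, _ = fmt.Fprintf(os.Stderr, ...)` followed by `return nil`, would keep the notice advisory. The function also lacks a doc comment; `// deprecationAction returns a kingpin action that prints a deprecation warning for flagName to stderr.` would do. In the same hunk the default of `enable-management-policies` flips from `"false"` to `"true"`, which changes behaviour for existing deployments that never set the flag and is worth stating in the release notes.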
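Review bot: The added `log.Debug("Starting", "sync-interval", ...)` call sits directly after the existing `log.Debug("Starting", "sync-period", ...)` context line, so the startup message is now emitted twice, with two different key names for the same sync period. Extend the existing call with `"poll-jitter", pollJitter` instead of adding a second one. main's body continues outside the hunk.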
@@ -88,11 +119,16 @@ func main() { PollInterval: *pollInterval, MaxConcurrentReconciles: *maxReconcileRate, Features: featureFlags, + MetricOptions: &xpcontroller.MetricOptions{ + PollStateMetricInterval: *pollStateMetricInterval, + MRMetrics: metricRecorder, + MRStateMetrics: stateMetrics, + }, }, - Provider: config.GetProvider(), - SetupFn: clients.TerraformSetupBuilder(*terraformVersion, *nativeProviderSource, *providerVersion), - WorkspaceStore: terraform.NewWorkspaceStore(log, terraform.WithFeatures(featureFlags)), - EventHandler: handler.NewEventHandler(), + Provider: provider, + SetupFn: clients.TerraformSetupBuilder(provider.TerraformProvider), + PollJitter: pollJitter, + OperationTrackerStore: tjcontroller.NewOperationStore(log), } if *enableExternalSecretStores { @@ -124,8 +160,8 @@ func main() { } if *enableManagementPolicies { - o.Features.Enable(features.EnableAlphaManagementPolicies) - log.Info("Alpha feature enabled", "flag", features.EnableAlphaManagementPolicies) + o.Features.Enable(features.EnableBetaManagementPolicies) + log.Info("Beta feature enabled", "flag", features.EnableBetaManagementPolicies) } kingpin.FatalIfError(controller.Setup(mgr, o), "Cannot setup Vault controllers") diff --git a/config/config.go.template b/config/config.go.template index bc77d30b..a5e22af8 100644 --- a/config/config.go.template +++ b/config/config.go.template @@ -1,6 +1,6 @@ package DIR_NAME -import "github.com/upbound/upjet/pkg/config" +import "github.com/crossplane/upjet/pkg/config" // Configure configures individual resources by adding custom ResourceConfigurators. func Configure(p *config.Provider) { diff --git a/config/externalname.go b/config/externalname.go index fe8d3996..17aca93c 100644 --- a/config/externalname.go +++ b/config/externalname.go 
@@ -4,7 +4,7 @@ Copyright 2022 Upbound Inc. package config -import "github.com/upbound/upjet/pkg/config" +import "github.com/crossplane/upjet/pkg/config" // ExternalNameConfigs contains all external name configurations for this // provider. diff --git a/config/provider-metadata.yaml b/config/provider-metadata.yaml index 50f98979..3be72ac2 100644 --- a/config/provider-metadata.yaml +++ b/config/provider-metadata.yaml @@ -39,7 +39,6 @@ resources: postal_code: '- (Optional) The postal code' province: '- (Optional) The province' revoke: '- If set to true, the certificate will be revoked on resource destruction.' - serial: '- Use serial_number instead.' serial_number: '- The certificate''s serial number, hex formatted.' street_address: '- (Optional) The street address' ttl: '- (Optional) Time to live' @@ -88,7 +87,6 @@ resources: - (Optional) If set, opts out of mount migration on path updates. See here for more info on Mount Migration discoverdn: '- (Optional) Use anonymous bind to discover the bind Distinguished Name of a user.' - formatter: '- (Optional) Deprecated use password_policy. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix".' groupattr: |- - (Optional) LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn. @@ -102,9 +100,6 @@ resources: last_rotation_tolerance: |- - (Optional) The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band - length: |- - - (Optional) Deprecated use password_policy. The desired length of passwords that Vault generates. - Mutually exclusive with local: |- - (Optional) Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time. 
@@ -115,7 +110,7 @@ resources: The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. - password_policy: on vault-1.11+ + password_policy: '- (Optional) Name of the password policy to use to generate passwords.' request_timeout: |- - (Optional) Timeout, in seconds, for the connection when making requests against the server before returning back an error. @@ -577,10 +572,7 @@ resources: allowed_dns_sans: '- (Optional array: []) Allowed alternative dns names for authenticated client certificates' allowed_email_sans: '- (Optional array: []) Allowed emails for authenticated client certificates' allowed_names: '- (Optional string) DEPRECATED: Please use the individual allowed_X_sans parameters instead. Allowed subject names for authenticated client certificates' - allowed_organization_units: ', please update accordingly' - allowed_organizational_units: |- - - (Optional array: []) Allowed organization units for authenticated client certificates. - In previous provider releases this field was incorrectly named + allowed_organizational_units: '- (Optional array: []) Allowed organization units for authenticated client certificates.' allowed_uri_sans: '- (Optional array: []) Allowed URIs for authenticated client certificates' backend: '- (Optional string: "cert") Path to the mounted Cert auth backend' certificate: '- (Required string) CA certificate used to validate client certificates' 
@@ -684,6 +676,41 @@ resources: token: |- - (Optional) The Okta API token. This is required to query Okta for user group membership. If this is not supplied only locally configured groups will be enabled. + token_bound_cidrs: |- + - (Optional) List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + token_explicit_max_ttl: |- + - (Optional) If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + token_max_ttl: |- + - (Optional) The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + token_no_default_policy: |- + - (Optional) If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + token_num_uses: |- + - (Optional) The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + token_period: |- + - (Optional) If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. + token_policies: |- + - (Optional) List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + token_ttl: |- + - (Optional) The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + token_type: |- + - (Optional) The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). 
For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. ttl: |- - (Optional) Duration after which authentication will be expired. See the documentation for info on valid duration formats. @@ -767,6 +794,18 @@ resources: name: vault_aws_auth_backend_client title: vault_aws_auth_backend_client resource examples: + - name: example + manifest: |- + { + "identity_token_audience": "\u003cTOKEN_AUDIENCE\u003e", + "identity_token_ttl": "\u003cTOKEN_TTL\u003e", + "role_arn": "\u003cAWS_ROLE_ARN\u003e" + } + dependencies: + vault_auth_backend.example: |- + { + "type": "aws" + } - name: example manifest: |- { @@ -784,7 +823,7 @@ resources: argumentDocs: access_key: |- - (Optional) The AWS access key that Vault should use for the - auth backend. + auth backend. Mutually exclusive with identity_token_audience. backend: |- - (Optional) The path the AWS auth backend being configured was mounted at. Defaults to aws. 
@@ -798,11 +837,23 @@ resources: - (Optional) The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method. + identity_token_audience: |- + - (Optional) The audience claim value. Mutually exclusive with access_key. + Requires Vault 1.17+. Available only for Vault Enterprise + identity_token_ttl: |- + - (Optional) The TTL of generated identity tokens in seconds. Requires Vault 1.17+. + Available only for Vault Enterprise + max_retries: |- + - (Optional) Number of max retries the client should use for recoverable errors. + The default -1 falls back to the AWS SDK's default behavior. namespace: |- - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. + role_arn: |- + - (Optional) Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. + Available only for Vault Enterprise secret_key: |- - (Optional) The AWS secret key that Vault should use for the auth backend. @@ -1397,6 +1448,9 @@ resources: and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token. + external_id: |- + (Optional) - External ID to set for assume role creds. + Valid only when credential_type is set to assumed_role. iam_groups: |- (Optional) - A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential 
@@ -1404,6 +1458,9 @@ resources: corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters. + iam_tags: |- + (Optional) - A map of strings representing key/value pairs + to be used as tags for any IAM user that is created by this role. max_sts_ttl: |- - (Optional) The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is @@ -1439,6 +1496,10 @@ resources: - (Optional) Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise. + session_tags: |- + (Optional) - A map of strings representing key/value pairs to be set + during assume role creds creation. Valid only when credential_type is set to + assumed_role. user_path: |- - (Optional) The path for the user name. Valid only when credential_type is iam_user. Default is /. @@ -1486,6 +1547,23 @@ resources: name: vault_azure_auth_backend_config title: vault_azure_auth_backend_config resource examples: + - name: example + manifest: |- + { + "backend": "${vault_auth_backend.example.path}", + "client_id": "11111111-2222-3333-4444-555555555555", + "identity_token_audience": "\u003cTOKEN_AUDIENCE\u003e", + "identity_token_ttl": "\u003cTOKEN_TTL\u003e", + "tenant_id": "11111111-2222-3333-4444-555555555555" + } + references: + backend: vault_auth_backend.example.path + dependencies: + vault_auth_backend.example: |- + { + "identity_token_key": "example-key", + "type": "azure" + } - name: example manifest: |- { 
@@ -1516,6 +1594,13 @@ resources: - (Optional) The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. Defaults to AzurePublicCloud. + identity_token_audience: |- + - (Optional) The audience claim value for plugin identity tokens. Requires Vault 1.17+. + Available only for Vault Enterprise + identity_token_ttl: |- + - (Optional) The TTL of generated identity tokens in seconds. + Defaults to 1 hour. Uses duration format strings. + Requires Vault 1.17+. Available only for Vault Enterprise namespace: |- - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. @@ -1633,6 +1718,15 @@ resources: name: vault_azure_secret_backend title: vault_azure_secret_backend resource examples: + - name: azure + manifest: |- + { + "client_id": "11111111-2222-3333-4444-333333333333", + "identity_token_audience": "\u003cTOKEN_AUDIENCE\u003e", + "identity_token_ttl": "\u003cTOKEN_TTL\u003e", + "subscription_id": "11111111-2222-3333-4444-111111111111", + "tenant_id": "11111111-2222-3333-4444-222222222222" + } - name: azure manifest: |- { @@ -1660,6 +1754,15 @@ resources: - (Optional) If set, opts out of mount migration on path updates. See here for more info on Mount Migration environment: (string:"") - The Azure environment. + identity_token_audience: |- + - (Optional) The audience claim value. Requires Vault 1.17+. + Available only for Vault Enterprise + identity_token_key: |- + - (Optional) The key to use for signing identity tokens. Requires Vault 1.17+. + Available only for Vault Enterprise + identity_token_ttl: |- + - (Optional) The TTL of generated identity tokens in seconds. Requires Vault 1.17+. + Available only for Vault Enterprise namespace: |- - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. 
@@ -1754,6 +1857,42 @@ resources: – (Optional) Specifies the default TTL for service principals generated using this role. Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. importStatements: [] + vault_config_ui_custom_message: + subCategory: "" + description: Manages a UI custom message in Vault. + name: vault_config_ui_custom_message + title: vault_config_ui_custom_message resource + examples: + - name: maintenance + manifest: |- + { + "authenticated": true, + "end_time": "2024-02-01T05:00:00.000Z", + "message": "${base64encode(\"Vault will be offline for planned maintenance on February 1st, 2024 from 05:00Z to 08:00Z\")}", + "start_time": "2024-01-01T00:00:00.000Z", + "title": "Upcoming maintenance", + "type": "banner" + } + argumentDocs: + authenticated: |- + - (Optional) The value true if the custom message is displayed after logins are completed or false if they are + displayed during the login in the Vault UI. The default value is true. + end_time: '- (Optional) The time when the custom message expires. If this value is not specified, the custom message never expires.' + href: '- (Required) The URL set in the hyperlink''s href attribute.' + link: '- (Optional) A hyperlink to be included with the message. See below for more details.' + message: '- (Required) The base64-encoded content of the custom message.' + namespace: |- + - (Optional) The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + options: '- (Optional) A map of additional options that can be set on the custom message.' + start_time: |- + - (Required) The time when the custom message begins to be active. This value can be set to a future time, but cannot + occur on or after the end_time value. + title: '- (Required) The title of the custom message to create.' 
+ type: '- (Optional) The presentation type of the custom message. Must be one of the following values: banner or modal.' + importStatements: [] vault_consul_secret_backend: subCategory: "" description: Creates a Consul secret backend for Vault. @@ -1863,9 +2002,6 @@ resources: service_identities: |- - (Optional)SEE NOTE Set of Consul service identities to attach to the token. Applicable for Vault 1.11+ with Consul 1.5+. - token_type: |- - - (Optional) Specifies the type of token to create when using this role. Valid values are "client" or "management". - Deprecated: Consul 1.11 and later removed the legacy ACL system which supported this field. ttl: '- (Optional) Specifies the TTL for this role.' importStatements: [] vault_database_secret_backend_connection: @@ -2495,12 +2631,21 @@ resources: name: vault_gcp_secret_backend title: vault_gcp_secret_backend resource examples: + - name: gcp + manifest: |- + { + "identity_token_audience": "\u003cTOKEN_AUDIENCE\u003e", + "identity_token_key": "example-key", + "identity_token_ttl": 1800, + "service_account_email": "\u003cSERVICE_ACCOUNT_EMAIL\u003e" + } - name: gcp manifest: |- { "credentials": "${file(\"credentials.json\")}" } argumentDocs: + accessor: '- The accessor of the created GCP mount.' credentials: '- (Optional) The GCP service account credentials in JSON format.' default_lease_ttl_seconds: |- - (Optional) The default TTL for credentials 
@@ -2509,6 +2654,17 @@ resources: disable_remount: |- - (Optional) If set, opts out of mount migration on path updates. See here for more info on Mount Migration + identity_token_audience: |- + - (Optional) The audience claim value for plugin identity + tokens. Must match an allowed audience configured for the target Workload Identity Pool. + Mutually exclusive with credentials. Requires Vault 1.17+. Available only for Vault Enterprise. + identity_token_key: |- + - (Optional) The key to use for signing plugin identity + tokens. Requires Vault 1.17+. Available only for Vault Enterprise. + identity_token_ttl: |- + - (Optional) The TTL of generated tokens. Defaults to + 1 hour. Uses duration format strings. + Requires Vault 1.17+. Available only for Vault Enterprise. local: '- (Optional) Boolean flag that can be explicitly set to true to enforce local mount in HA environment' max_lease_ttl_seconds: |- - (Optional) The maximum TTL that can be requested @@ -2521,6 +2677,9 @@ resources: path: |- - (Optional) The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to gcp. + service_account_email: |- + – (Optional) Service Account to impersonate for plugin workload identity federation. + Required with identity_token_audience. Requires Vault 1.17+. Available only for Vault Enterprise. importStatements: [] vault_gcp_secret_impersonated_account: subCategory: "" 
@@ -3340,10 +3499,6 @@ resources: exclusive: '- (Optional) Defaults to true.' "false": ', this resource will simply ensure that the member entities specified in the resource are present in the group. When destroying the resource, the resource will ensure that the member entities specified in the resource are removed.' group_id: '- (Required) Group ID to assign member entities to.' - group_name: |- - - The name of the group that are assigned the member entities. - Deprecated: The value for group_name may not always be accurate - use data.vault_identity_group.*.group_name, or vault_identity_group.*.group_name instead. member_entity_ids: '- (Required) List of member entities that belong to the group' namespace: |- - (Optional) The namespace to provision the resource in. @@ -3761,6 +3916,10 @@ resources: argumentDocs: access_token_ttl: '- (Optional) The time-to-live for access tokens obtained by the client.' assignments: '- (Optional) A list of assignment resources associated with the client.' + client_id: '- The Client ID returned by Vault.' + client_secret: |- + - The Client Secret Key returned by Vault. + For public OpenID Clients client_secret is set to an empty string "" client_type: |- - (Optional) The client type based on its ability to maintain confidentiality of credentials. The following client types are supported: confidential, public. Defaults to confidential. 
@@ -4186,9 +4345,8 @@ resources: - (Optional) The unique name of the auth backend to configure. Defaults to jwt. bound_audiences: |- - - (For "jwt" roles, at least one of bound_audiences, bound_subject, bound_claims - or token_bound_cidrs is required. Optional for "oidc" roles.) List of aud claims to match against. - Any match is sufficient. + - (Required for roles of type jwt, optional for roles of + type oidc) List of aud claims to match against. Any match is sufficient. bound_claims: |- - (Optional) If set, a map of claims to values to match against. A claim's value must be a string, which may contain one value or multiple @@ -4209,7 +4367,7 @@ resources: Only applicable with "jwt" roles. expiration_leeway: |- - (Optional) The amount of leeway to add to expiration (exp) claims to account for - clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with "jwt" roles. groups_claim: |- - (Optional) The claim to use to uniquely identify @@ -4226,7 +4384,7 @@ resources: Available only for Vault Enterprise. not_before_leeway: |- - (Optional) The amount of leeway to add to not before (nbf) claims to account for - clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with "jwt" roles. oidc_scopes: |- - (Optional) If set, a list of OIDC scopes to be used with an OIDC role. 
@@ -4683,9 +4841,15 @@ resources: "service_account_jwt": "${file(\"/path/to/token\")}" } argumentDocs: + allowed_kubernetes_namespace_selector: |- + - (Optional) A label selector for Kubernetes namespaces + in which credentials can be generated. Accepts either a JSON or YAML object. The value should be + of type LabelSelector. + If set with allowed_kubernetes_namespace, the conditions are ORed. allowed_kubernetes_namespaces: |- - - (Required) The list of Kubernetes namespaces this role - can generate credentials for. If set to * all namespaces are allowed. + - (Optional) The list of Kubernetes namespaces this role + can generate credentials for. If set to * all namespaces are allowed. If set with + allowed_kubernetes_namespace_selector, the conditions are ORed. backend: |- - (Required) The path of the Kubernetes Secrets Engine backend mount to create the role in. @@ -4913,9 +5077,6 @@ resources: insecure_tls: |- - (Optional) Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false. - length: |- - - (Optional) Deprecated use password_policy. The desired length of passwords that Vault generates. - Mutually exclusive with local: |- - (Optional) Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time. @@ -4925,7 +5086,7 @@ resources: The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. - password_policy: on vault-1.11+ + password_policy: '- (Optional) Name of the password policy to use to generate passwords.' path: |- - (Optional) The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ldap. 
@@ -4933,6 +5094,9 @@ resources: - (Optional) Timeout, in seconds, for the connection when making requests against the server before returning back an error. schema: '- (Optional) The LDAP schema to use when storing entry passwords. Valid schemas include openldap, ad, and racf. Default is openldap.' + skip_static_role_import_rotation: |- + - (Optional) If set to true, static roles will not be rotated during import. + Defaults to false. Requires Vault 1.16 or above. starttls: '- (Optional) Issue a StartTLS command after establishing unencrypted connection.' upndomain: '- (Optional) Enables userPrincipalDomain login with [username]@UPNDomain.' url: |- @@ -5103,6 +5267,9 @@ resources: Available only for Vault Enterprise. role_name: '- (Required) Name of the role.' rotation_period: '- (Required) How often Vault should rotate the password of the user entry.' + skip_import_rotation: |- + - (Optional) Causes vault to skip the initial secret rotation on import. Not applicable to updates. + Requires Vault 1.16 or above. username: '- (Required) The username of the existing LDAP entry to manage password rotation for.' importStatements: [] vault_managed_keys: @@ -5385,10 +5552,12 @@ resources: - name: config manifest: |- { - "mount": "vault_mount.mongo.path", + "mount": "${vault_mount.mongo.path}", "private_key": "privateKey", "public_key": "publicKey" } + references: + mount: vault_mount.mongo.path dependencies: vault_mount.mongo: |- { @@ -5422,8 +5591,12 @@ resources: "name": "tf-test-role", "organization_id": "7cf5a45a9ccf6400e60981b7", "project_id": "5cf5a45a9ccf6400e60981b6", - "project_roles": "GROUP_READ_ONLY", - "roles": "ORG_READ_ONLY", + "project_roles": [ + "GROUP_READ_ONLY" + ], + "roles": [ + "ORG_READ_ONLY" + ], "ttl": "60" } references: @@ -5431,7 +5604,7 @@ resources: dependencies: vault_mongodbatlas_secret_backend.config: |- { - "mount": "vault_mount.mongo.path", + "mount": "${vault_mount.mongo.path}", "private_key": "privateKey", "public_key": "publicKey" } 
@@ -5458,8 +5631,8 @@ resources: project_id: |- - (Optional) Unique identifier for the project to which the target API Key belongs. Required if organization_id is not set. - project_roles: '- (Optional) Roles assigned when an org API key is assigned to a project API key.' - roles: '- (Required) List of roles that the API Key needs to have.' + project_roles: '- (Optional) Roles assigned when an org API key is assigned to a project API key. Possible values are GROUP_CLUSTER_MANAGER, GROUP_DATA_ACCESS_ADMIN, GROUP_DATA_ACCESS_READ_ONLY, GROUP_DATA_ACCESS_READ_WRITE, GROUP_OWNER and GROUP_READ_ONLY.' + roles: '- (Required) List of roles that the API Key needs to have. Possible values are ORG_OWNER, ORG_MEMBER, ORG_GROUP_CREATOR, ORG_BILLING_ADMIN and ORG_READ_ONLY.' ttl: '- (Optional) Duration in seconds after which the issued credential should expire.' importStatements: [] vault_mount: 
@@ -5508,11 +5681,23 @@ resources: argumentDocs: accessor: '- The accessor for this mount.' allowed_managed_keys: '- (Optional) Set of managed key registry entry names that the mount in question is allowed to access' + allowed_response_headers: |- + - (Optional) List of headers to allow, allowing a plugin to include + them in the response. audit_non_hmac_request_keys: '- (Optional) Specifies the list of keys that will not be HMAC''d by audit devices in the request data object.' audit_non_hmac_response_keys: '- (Optional) Specifies the list of keys that will not be HMAC''d by audit devices in the response data object.' default_lease_ttl_seconds: '- (Optional) Default lease duration for tokens and secrets in seconds' + delegated_auth_accessors: |- + - (Optional) List of allowed authentication mount accessors the + backend can request delegated authentication for. description: '- (Optional) Human-friendly description of the mount' external_entropy_access: '- (Optional) Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault''s external entropy source' + identity_token_key: |- + - (Optional) The key to use for signing plugin workload identity tokens. If + not provided, this will default to Vault's OIDC default key. + listing_visibility: |- + - (Optional) Specifies whether to show this mount in the UI-specific + listing endpoint. Valid values are unauth or hidden. If not set, behaves like hidden. local: '- (Optional) Boolean flag that can be explicitly set to true to enforce local mount in HA environment' max_lease_ttl_seconds: '- (Optional) Maximum possible lease duration for tokens and secrets in seconds' namespace: |- 
@@ -5521,7 +5706,14 @@ resources: The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. options: '- (Optional) Specifies mount type specific options that are passed to the backend' + passthrough_request_headers: |- + - (Optional) List of headers to allow and pass from the request to + the plugin. path: '- (Required) Where the secret backend will be mounted' + plugin_version: |- + - (Optional) Specifies the semantic version of the plugin to use, e.g. "v1.0.0". + If unspecified, the server will select any matching unversioned plugin that may have been + registered, the latest versioned plugin registered, or a built-in plugin in that order of precedence. seal_wrap: '- (Optional) Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal''s encryption capability' type: '- (Required) Type of the backend, such as "aws"' importStatements: [] 
@@ -5807,6 +5999,137 @@ resources: Available only for Vault Enterprise. pem_bundle: '- (Required) The key and certificate PEM bundle' importStatements: [] + vault_pki_secret_backend_config_cluster: + subCategory: "" + description: Sets the cluster configuration on an PKI Secret Backend for Vault. + name: vault_pki_secret_backend_config_cluster + title: vault_pki_secret_backend_config_cluster resource + examples: + - name: example + manifest: |- + { + "aia_path": "http://127.0.0.1:8200/v1/pki-root", + "backend": "${vault_mount.root.path}", + "path": "http://127.0.0.1:8200/v1/pki-root" + } + references: + backend: vault_mount.root.path + dependencies: + vault_mount.root: |- + { + "default_lease_ttl_seconds": 8640000, + "description": "root PKI", + "max_lease_ttl_seconds": 8640000, + "path": "pki-root", + "type": "pki" + } + argumentDocs: + aia_path: '- (Required) Specifies the path to this performance replication cluster''s AIA distribution point.' + backend: '- (Required) The path the PKI secret backend is mounted at, with no leading or trailing /s.' + namespace: |- + - (Optional) The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + path: '- (Required) Specifies the path to this performance replication cluster''s API mount path.' + importStatements: [] + vault_pki_secret_backend_config_est: + subCategory: "" + description: Sets the EST configuration on a PKI Secret Backend for Vault. 
+ name: vault_pki_secret_backend_config_est + title: vault_pki_secret_backend_config_est resource + examples: + - name: example + manifest: |- + { + "audit_fields": [ + "csr", + "common_name", + "alt_names", + "ip_sans", + "uri_sans", + "other_sans", + "signature_bits", + "exclude_cn_from_sans", + "ou", + "organization", + "country", + "locality", + "province", + "street_address", + "postal_code", + "serial_number", + "use_pss", + "key_type", + "key_bits", + "add_basic_constraints" + ], + "authenticators": [ + { + "cert": { + "accessor": "test", + "cert_role": "cert-auth-role" + }, + "userpass": { + "accessor": "test2" + } + } + ], + "backend": "${vault_mount.pki.path}", + "default_mount": true, + "default_path_policy": "${format(\"role:%s\", vault_pki_secret_backend_role.est_role.name)}", + "enable_sentinel_parsing": true, + "enabled": true, + "label_to_path_policy": { + "test-label": "sign-verbatim", + "test-label-2": "${format(\"role:%s\", vault_pki_secret_backend_role.est_role_2.name)}" + } + } + references: + backend: vault_mount.pki.path + dependencies: + vault_mount.pki: |- + { + "description": "PKI secret engine mount", + "path": "pki-root", + "type": "pki" + } + vault_pki_secret_backend_role.est_role: |- + { + "backend": "${vault_mount.pki.path}", + "key_bits": "256", + "key_type": "ec", + "name": "est-role", + "ttl": 3600 + } + vault_pki_secret_backend_role.est_role_2: |- + { + "backend": "${vault_mount.pki.path}", + "key_bits": "256", + "key_type": "ec", + "name": "est-role-2", + "ttl": 3600 + } + argumentDocs: + audit_fields: '- (Optional) Fields parsed from the CSR that appear in the audit and can be used by sentinel policies.' + authenticators: '- (Optional) Lists the mount accessors EST should delegate authentication requests towards (see below for nested schema).' + backend: |- + - (Required) The path to the PKI secret backend to + read the EST configuration from, with no leading or trailing /s. 
+ cert: '- "The accessor (required) and cert_role (optional) properties for cert auth backends".' + default_mount: '- (Optional) If set, this mount will register the default .well-known/est URL path. Only a single mount can enable this across a Vault cluster.' + default_path_policy: '- (Optional) Required to be set if default_mount is enabled. Specifies the behavior for requests using the default EST label. Can be sign-verbatim or a role given by role:.' + enable_sentinel_parsing: '- (Optional) If set, parse out fields from the provided CSR making them available for Sentinel policies.' + enabled: '- (Optional) Specifies whether EST is enabled.' + label_to_path_policy: '- (Optional) Configures a pairing of an EST label with the redirected behavior for requests hitting that role. The path policy can be sign-verbatim or a role given by role:. Labels must be unique across Vault cluster, and will register .well-known/est/ URL paths.' + last_updated: '- A read-only timestamp representing the last time the configuration was updated.' + namespace: |- + - (Optional) The namespace of the target resource. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + userpass: '- "The accessor (required) property for user pass auth backends".' + importStatements: [] vault_pki_secret_backend_config_issuers: subCategory: "" description: Allows setting the value of the default issuer. 
@@ -5889,6 +6212,7 @@ resources: argumentDocs: backend: '- (Required) The path the PKI secret backend is mounted at, with no leading or trailing /s.' crl_distribution_points: '- (Optional) Specifies the URL values for the CRL Distribution Points field.' + enable_templating: '- (Optional) Specifies that templating of AIA fields is allowed.' issuing_certificates: '- (Optional) Specifies the URL values for the Issuing Certificate field.' namespace: |- - (Optional) The namespace to provision the resource in. @@ -6405,7 +6729,6 @@ resources: postal_code: '- (Optional) The postal code' private_key_format: '- (Optional) The private key format' province: '- (Optional) The province' - serial: '- Deprecated, use serial_number instead.' serial_number: '- The certificate''s serial number, hex formatted.' street_address: '- (Optional) The street address' ttl: '- (Optional) Time to live' 
@@ -6461,11 +6784,85 @@ resources: Available only for Vault Enterprise. other_sans: '- (Optional) List of other SANs' renew_pending: '- true if the current time (during refresh) is after the start of the early renewal window declared by min_seconds_remaining, and false otherwise; if auto_renew is set to true then the provider will plan to replace the certificate once renewal is pending.' - serial: '- Use serial_number instead.' serial_number: '- The certificate''s serial number, hex formatted.' ttl: '- (Optional) Time to live' uri_sans: '- (Optional) List of alternative URIs' importStatements: [] + vault_plugin: + subCategory: "" + description: Manage external plugins registered in the plugin catalog. + name: vault_plugin + title: vault_plugin resource + examples: + - name: jwt + manifest: |- + { + "command": "vault-plugin-auth-jwt", + "env": [ + "HTTP_PROXY=http://proxy.example.com:8080" + ], + "name": "jwt", + "sha256": "6bd0a803ed742aa3ce35e4fa23d2c8d550e6c1567bf63410cec489c28b68b0fc", + "type": "auth", + "version": "v0.17.0" + } + dependencies: + vault_auth_backend.jwt_auth: |- + { + "type": "${vault_plugin.jwt.name}" + } + argumentDocs: + args: '- (Optional) List of additional args to pass to the plugin.' + command: '- (Required) Command to execute the plugin, relative to the server''s configured plugin_directory.' + env: '- (Optional) List of additional environment variables to run the plugin with in KEY=VALUE form.' + name: '- (Required) Name of the plugin.' + oci_image: |- + - (Optional) Specifies OCI image to run. If specified, setting + command, args, and env will update the container's entrypoint, args, and + environment variables (append-only) respectively. + runtime: '- (Optional) Vault plugin runtime to use if oci_image is specified.' + sha256: '- (Required) SHA256 sum of the plugin binary.' + type: '- (Required) Type of plugin; one of "auth", "secret", or "database".' + version: '- (Optional) Semantic version of the plugin.' 
+ importStatements: [] + vault_plugin_pinned_version: + subCategory: "" + description: Manage pinned plugin version registered in the plugin catalog. + name: vault_plugin_pinned_version + title: vault_plugin_pinned_version resource + examples: + - name: jwt_pin + manifest: |- + { + "name": "${vault_plugin.jwt.name}", + "type": "${vault_plugin.jwt.type}", + "version": "${vault_plugin.jwt.version}" + } + references: + name: vault_plugin.jwt.name + type: vault_plugin.jwt.type + version: vault_plugin.jwt.version + dependencies: + vault_auth_backend.jwt_auth: |- + { + "type": "${vault_plugin_pinned_version.jwt_pin.name}" + } + vault_plugin.jwt: |- + { + "command": "vault-plugin-auth-jwt", + "env": [ + "HTTP_PROXY=http://proxy.example.com:8080" + ], + "name": "jwt", + "sha256": "6bd0a803ed742aa3ce35e4fa23d2c8d550e6c1567bf63410cec489c28b68b0fc", + "type": "auth", + "version": "v0.17.0" + } + argumentDocs: + name: '- (Required) Name of the plugin.' + type: '- (Required) Type of plugin; one of "auth", "secret", or "database".' + version: '- (Required) Semantic version of the plugin to pin.' + importStatements: [] vault_policy: subCategory: "" description: Writes arbitrary policies for Vault @@ -6501,6 +6898,7 @@ resources: "path": "" } argumentDocs: + inheritable: '- (Optional) If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+.' max_leases: |- - (Required) The maximum number of leases to be allowed by the quota rule. The max_leases must be positive. 
@@ -6536,6 +6934,7 @@ resources: block_interval: |- - (Optional) If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' in seconds has elapsed. + inheritable: '- (Optional) If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+.' interval: '- (Optional) The duration in seconds to enforce rate limiting for.' name: '- (Required) Name of the rate limit quota' namespace: |- @@ -7029,9 +7428,16 @@ resources: The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. secret_name: '- (Required) Specifies the name of the secret to synchronize.' - sync_status: '- Specifies the status of the association (for eg. SYNCED).' + subkeys: '- A list of subkeys for the associated secret.' + sync_status: |- + - A map of sync statuses for each subkey of the associated secret + (for ex. {kv_624bea/aws-token/dev: "SYNCED", kv_624bea/aws-token/prod: "SYNCED"}). type: '- (Required) Specifies the destination type.' - updated_at: '- Duration string specifying when the secret was last updated.' + updated_at: |- + - A map of duration strings specifying when each subkey of the associated + secret was last updated. + (for ex. + {kv_624bea/aws-token/dev: "2024-03-21T12:42:02.558533-07:00", kv_624bea/aws-token/prod: "2024-03-21T12:42:02.558533-07:00"}). importStatements: [] vault_secrets_sync_aws_destination: subCategory: "" 
@@ -7046,8 +7452,10 @@ resources: "custom_tags": { "foo": "bar" }, + "external_id": "external-id", "name": "aws-dest", "region": "us-east-1", + "role_arn": "role-arn", "secret_access_key": "${var.secret_access_key}", "secret_name_template": "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}" } @@ -7060,6 +7468,15 @@ resources: Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable. custom_tags: '- (Optional) Custom tags to set on the secret managed at the destination.' + external_id: |- + - (Optional) Optional extra protection that must match the trust policy granting access to the + AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. + The field is mutable with no special condition, but users must be careful that the new value fits with the trust + relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access + denied errors. Ignored if the role_arn field is empty. + granularity: |- + - (Optional) Determines what level of information is synced as a distinct resource + at the destination. Supports secret-path and secret-key. name: '- (Required) Unique name of the AWS destination.' namespace: |- - (Optional) The namespace to provision the resource in. 
@@ -7069,6 +7486,12 @@ resources: - (Optional) Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable. + role_arn: |- + - (Optional) Specifies a role to assume when connecting to AWS. When assuming a role, + Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must + exist for Vault to be able to assume this role. The role can be in a different account. + The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. + It is possible to provide both an access key pair and a role to assume. secret_access_key: |- - (Optional) Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment @@ -7113,6 +7536,9 @@ resources: variable. cloud: '- (Optional) Specifies a cloud for the client. The default is Azure Public Cloud.' custom_tags: '- (Optional) Custom tags to set on the secret managed at the destination.' + granularity: |- + - (Optional) Determines what level of information is synced as a distinct resource + at the destination. Supports secret-path and secret-key. key_vault_uri: |- - (Optional) URI of an existing Azure Key Vault instance. Can be omitted and directly provided to Vault using the KEY_VAULT_URI environment @@ -7165,6 +7591,7 @@ resources: "foo": "bar" }, "name": "gcp-dest", + "project_id": "gcp-project-id", "secret_name_template": "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}" } argumentDocs: 
@@ -7173,11 +7600,19 @@ resources: Can be omitted and directly provided to Vault using the GOOGLE_APPLICATION_CREDENTIALS environment variable. custom_tags: '- (Optional) Custom tags to set on the secret managed at the destination.' + granularity: |- + - (Optional) Determines what level of information is synced as a distinct resource + at the destination. Supports secret-path and secret-key. name: '- (Required) Unique name of the GCP destination.' namespace: |- - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. + project_id: |- + - (Optional) The target project to manage secrets in. If set, + overrides the project ID derived from the service account JSON credentials or application + default credentials. The service account must be authorized + to perform Secret Manager actions in the target project. secret_name_template: |- - (Optional) Template describing how to generate external secret names. Supports a subset of the Go Template syntax. 
@@ -7206,6 +7641,16 @@ resources: - (Optional) Fine-grained or personal access token. Can be omitted and directly provided to Vault using the GITHUB_ACCESS_TOKEN environment variable. + app_name: |- + - (Optional) The user-defined name of the GitHub App configuration. This is a reference to the name used + on the new endpoint when configuring the GitHub app on the Vault Server. Can be modified. + Takes precedence over the access_token field. + granularity: |- + - (Optional) Determines what level of information is synced as a distinct resource + at the destination. Supports secret-path and secret-key. + installation_id: |- + -(Optional) The ID of the installation generated by GitHub when the app referenced by the app_name + was installed in the user’s GitHub account. Can be modified. Necessary if the app_name field is also provided. name: '- (Required) Unique name of the GitHub destination.' namespace: |- - (Optional) The namespace to provision the resource in. 
@@ -7224,6 +7669,30 @@ resources: Supports a subset of the Go Template syntax. type: '- The type of the secrets destination (gh).' importStatements: [] + vault_secrets_sync_github_apps: + subCategory: "" + description: Creates a GitHub App to synchronize secrets in Vault + name: vault_secrets_sync_github_apps + title: vault_secrets_sync_github_apps resource + examples: + - name: github-apps + manifest: |- + { + "app_id": "${var.app_id}", + "name": "gh-apps", + "private_key": "${file(var.privatekey_file)}" + } + references: + app_id: var.app_id + argumentDocs: + app_id: '- (Required) The GitHub application ID.' + name: '- (Required) The user-defined name of the GitHub App configuration.' + namespace: |- + - (Optional) The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + private_key: '- (Required) The content of a PEM formatted private key generated on GitHub for the app.' + importStatements: [] vault_secrets_sync_vercel_destination: subCategory: "" description: Creates a GitHub destination to synchronize secrets in Vault @@ -7253,6 +7722,9 @@ resources: deployment_environments: |- - (Required) Deployment environments where the environment variables are available. Accepts development, preview and production. + granularity: |- + - (Optional) Determines what level of information is synced as a distinct resource + at the destination. Supports secret-path and secret-key. name: '- (Required) Unique name of the GitHub destination.' namespace: |- - (Optional) The namespace to provision the resource in. 
@@ -7286,6 +7758,8 @@ resources: argumentDocs: backend: '- (Optional) The path where the SSH secret backend is mounted. Defaults to ''ssh''' generate_signing_key: '- (Optional) Whether Vault should generate the signing key pair internally. Defaults to true' + key_bits: '- (Optional) Specifies the desired key bits for the generated SSH CA key when generate_signing_key is set to true.' + key_type: '- (Optional) Specifies the desired key type for the generated SSH CA key when generate_signing_key is set to true.' namespace: |- - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. @@ -7349,10 +7823,6 @@ resources: - (Optional) Set of configuration blocks to define allowed user key configuration, like key type and their lengths. Can be specified multiple times. See - allowed_user_key_lengths: |- - - (Optional) Specifies a map of ssh key types and their expected sizes which - are allowed to be signed by the CA type. - Deprecated: use allowed_user_key_config instead allowed_users: '- (Optional) Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.' allowed_users_template: '- (Optional) Specifies if allowed_users can be declared using identity template policies. Non-templated users are also permitted.' backend: '- (Required) The path where the SSH secret backend is mounted.' 
@@ -7399,6 +7869,10 @@ resources: "token": "V0idfhi2iksSDU234ucdbi2nidsi..." } argumentDocs: + address: |- + - (Optional) The address of the Terraform Cloud server, if using + Terraform Enterprise, provided as "protocol://host:port". The default is + https://app.terraform.io for Terraform Cloud. backend: '- (Optional) The unique location this backend should be mounted at. Must not begin or end with a /. Defaults to terraform.' default_lease_ttl_seconds: '- (Optional) The default TTL for credentials issued by this backend.' description: '- (Optional) A human-friendly description for this backend.' @@ -7812,7 +8286,6 @@ resources: argumentDocs: aes128-gcm96: ', aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key''s metadata.' allow_plaintext_backup: '- (Optional) Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.' - auto_rotate_interval: '- Replaced by auto_rotate_period.' auto_rotate_period: |- - (Optional) Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. diff --git a/config/provider.go b/config/provider.go index b381062a..b0d73075 100644 --- a/config/provider.go +++ b/config/provider.go 
@@ -6,9 +6,21 @@ package config import ( // Note(turkenh): we are importing this to embed provider schema document + "context" _ "embed" - ujconfig "github.com/upbound/upjet/pkg/config" + "github.com/pkg/errors" + + ujconfig "github.com/crossplane/upjet/pkg/config" + "github.com/crossplane/upjet/pkg/registry/reference" + "github.com/crossplane/upjet/pkg/schema/traverser" + conversiontfjson "github.com/crossplane/upjet/pkg/types/conversion/tfjson" + + tfvaultschema "github.com/hashicorp/terraform-provider-vault/schema" + tfvault "github.com/hashicorp/terraform-provider-vault/vault" + + tfjson "github.com/hashicorp/terraform-json" + tfschema "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" "github.com/upbound/provider-vault/config/vault" ) 
@@ -24,14 +36,56 @@ var providerSchema string //go:embed provider-metadata.yaml var providerMetadata string +// workaround for the no-fork release: We would like to +// keep the types in the generated CRDs intact +// (prevent number->int type replacements). +func getProviderSchema(s string) (*tfschema.Provider, error) { + ps := tfjson.ProviderSchemas{} + if err := ps.UnmarshalJSON([]byte(s)); err != nil { + panic(err) + } + if len(ps.Schemas) != 1 { + return nil, errors.Errorf("there should exactly be 1 provider schema but there are %d", len(ps.Schemas)) + } + var rs map[string]*tfjson.Schema + for _, v := range ps.Schemas { + rs = v.ResourceSchemas + break + } + return &tfschema.Provider{ + ResourcesMap: conversiontfjson.GetV2ResourceMap(rs), + }, nil +} + // GetProvider returns provider configuration -func GetProvider() *ujconfig.Provider { +func GetProvider(_ context.Context, generationProvider bool) (*ujconfig.Provider, error) { + sdkProvider := tfvaultschema.NewProvider(tfvault.Provider()).SchemaProvider() + + if generationProvider { + p, err := getProviderSchema(providerSchema) + if err != nil { + return nil, errors.Wrap(err, "cannot read the Terraform SDK provider from the JSON schema for code generation") + } + if err := traverser.TFResourceSchema(sdkProvider.ResourcesMap).Traverse(traverser.NewMaxItemsSync(p.ResourcesMap)); err != nil { + return nil, errors.Wrap(err, "cannot sync the MaxItems constraints between the Go schema and the JSON schema") + } + // use the JSON schema to temporarily prevent float64->int64 + // conversions in the CRD APIs. + // We would like to convert to int64s with the next major release of + // the provider. 
+ sdkProvider = p + } + pc := ujconfig.NewProvider([]byte(providerSchema), resourcePrefix, modulePath, []byte(providerMetadata), - ujconfig.WithIncludeList(ResourcesWithExternalNameConfig()), - ujconfig.WithFeaturesPackage("internal/features"), ujconfig.WithDefaultResourceOptions( ExternalNameConfigurations(), - )) + ), + ujconfig.WithIncludeList([]string{}), + ujconfig.WithTerraformPluginSDKIncludeList(ResourcesWithExternalNameConfig()), + ujconfig.WithReferenceInjectors([]ujconfig.ReferenceInjector{reference.NewInjector(modulePath)}), + ujconfig.WithFeaturesPackage("internal/features"), + ujconfig.WithTerraformProvider(sdkProvider), + ) for _, configure := range []func(provider *ujconfig.Provider){ // add custom config functions @@ -41,7 +95,7 @@ func GetProvider() *ujconfig.Provider { } pc.ConfigureResources() - return pc + return pc, nil } // ResourcesWithExternalNameConfig returns the list of resources that have external diff --git a/config/schema.json b/config/schema.json index 23b07562..b1cb8b6a 100644 --- a/config/schema.json +++ b/config/schema.json 
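Review bot: In `getProviderSchema` (config/provider.go, hunk `@@ -24,14 +36,56 @@`), a failed `ps.UnmarshalJSON` calls `panic(err)`, even though the function returns an error and the very next check reports its failure with `errors.Errorf`. `GetProvider` now returns `(*ujconfig.Provider, error)` and wraps the error from this helper, so a corrupt or truncated embedded schema should take the same path instead of aborting the process: `return nil, errors.Wrap(err, "cannot unmarshal the Terraform provider JSON schema")`. The helper's comment would also read better as a Go doc comment that opens with the function name, for example `// getProviderSchema builds a Terraform SDK provider from the embedded JSON schema so that generated CRD field types stay unchanged.` `getProviderSchema` is fully visible in the hunk, but the body of `GetProvider` continues past its end.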
@@ -1 +1 @@ -{"format_version":"1.0","provider_schemas":{"registry.terraform.io/hashicorp/vault":{"provider":{"version":0,"block":{"attributes":{"add_address_to_env":{"type":"string","description":"If true, adds the value of the `address` argument to the Terraform process environment.","description_kind":"plain","optional":true},"address":{"type":"string","description":"URL of the root of the target Vault server.","description_kind":"plain","required":true},"ca_cert_dir":{"type":"string","description":"Path to directory containing CA certificate files to validate the server's certificate.","description_kind":"plain","optional":true},"ca_cert_file":{"type":"string","description":"Path to a CA certificate file to validate the server's certificate.","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum TTL for secret leases requested by this provider.","description_kind":"plain","optional":true},"max_retries":{"type":"number","description":"Maximum number of retries when a 5xx error code is encountered.","description_kind":"plain","optional":true},"max_retries_ccc":{"type":"number","description":"Maximum number of retries for Client Controlled Consistency related operations","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The namespace to use. 
Available only for Vault Enterprise.","description_kind":"plain","optional":true},"set_namespace_from_token":{"type":"bool","description":"In the case where the Vault token is for a specific namespace and the provider namespace is not configured, use the token namespace as the root namespace for all resources.","description_kind":"plain","optional":true},"skip_child_token":{"type":"bool","description":"Set this to true to prevent the creation of ephemeral child token used by this provider.","description_kind":"plain","optional":true},"skip_get_vault_version":{"type":"bool","description":"Skip the dynamic fetching of the Vault server version.","description_kind":"plain","optional":true},"skip_tls_verify":{"type":"bool","description":"Set this to true only if the target Vault server is an insecure development instance.","description_kind":"plain","optional":true},"tls_server_name":{"type":"string","description":"Name to use as the SNI host when connecting via TLS.","description_kind":"plain","optional":true},"token":{"type":"string","description":"Token to use to authenticate to Vault.","description_kind":"plain","optional":true},"token_name":{"type":"string","description":"Token name to use for creating the Vault child token.","description_kind":"plain","optional":true},"vault_version_override":{"type":"string","description":"Override the Vault server version, which is normally determined dynamically from the target Vault server","description_kind":"plain","optional":true}},"block_types":{"auth_login":{"nesting_mode":"list","block":{"attributes":{"method":{"type":"string","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. 
Conflicts with use_root_namespace","description_kind":"plain","optional":true},"parameters":{"type":["map","string"],"description_kind":"plain","optional":true,"sensitive":true},"path":{"type":"string","description_kind":"plain","required":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault with an existing auth method using auth/\u003cmount\u003e/login","description_kind":"plain"},"max_items":1},"auth_login_aws":{"nesting_mode":"list","block":{"attributes":{"aws_access_key_id":{"type":"string","description":"The AWS access key ID.","description_kind":"plain","optional":true},"aws_iam_endpoint":{"type":"string","description":"The IAM endpoint URL.","description_kind":"plain","optional":true},"aws_profile":{"type":"string","description":"The name of the AWS profile.","description_kind":"plain","optional":true},"aws_region":{"type":"string","description":"The AWS region.","description_kind":"plain","optional":true},"aws_role_arn":{"type":"string","description":"The ARN of the AWS Role to assume.Used during STS AssumeRole","description_kind":"plain","optional":true},"aws_role_session_name":{"type":"string","description":"Specifies the name to attach to the AWS role session. 
Used during STS AssumeRole","description_kind":"plain","optional":true},"aws_secret_access_key":{"type":"string","description":"The AWS secret access key.","description_kind":"plain","optional":true},"aws_session_token":{"type":"string","description":"The AWS session token.","description_kind":"plain","optional":true},"aws_shared_credentials_file":{"type":"string","description":"Path to the AWS shared credentials file.","description_kind":"plain","optional":true},"aws_sts_endpoint":{"type":"string","description":"The STS endpoint URL.","description_kind":"plain","optional":true},"aws_web_identity_token_file":{"type":"string","description":"Path to the file containing an OAuth 2.0 access token or OpenID Connect ID token.","description_kind":"plain","optional":true},"header_value":{"type":"string","description":"The Vault header value to include in the STS signing request.","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"role":{"type":"string","description":"The Vault role to use when logging into Vault.","description_kind":"plain","required":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using the AWS method","description_kind":"plain"},"max_items":1},"auth_login_azure":{"nesting_mode":"list","block":{"attributes":{"client_id":{"type":"string","description":"The identity's client ID.","description_kind":"plain","optional":true},"jwt":{"type":"string","description":"A signed JSON Web Token. 
If not specified on will be created automatically","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"resource_group_name":{"type":"string","description":"The resource group for the machine that generated the MSI token. This information can be obtained through instance metadata.","description_kind":"plain","required":true},"role":{"type":"string","description":"Name of the login role.","description_kind":"plain","required":true},"scope":{"type":"string","description":"The scopes to include in the token request.","description_kind":"plain","optional":true},"subscription_id":{"type":"string","description":"The subscription ID for the machine that generated the MSI token. This information can be obtained through instance metadata.","description_kind":"plain","required":true},"tenant_id":{"type":"string","description":"Provides the tenant ID to use in a multi-tenant authentication scenario.","description_kind":"plain","optional":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true},"vm_name":{"type":"string","description":"The virtual machine name for the machine that generated the MSI token. This information can be obtained through instance metadata.","description_kind":"plain","optional":true},"vmss_name":{"type":"string","description":"The virtual machine scale set name for the machine that generated the MSI token. 
This information can be obtained through instance metadata.","description_kind":"plain","optional":true}},"description":"Login to vault using the azure method","description_kind":"plain"},"max_items":1},"auth_login_cert":{"nesting_mode":"list","block":{"attributes":{"cert_file":{"type":"string","description":"Path to a file containing the client certificate.","description_kind":"plain","required":true},"key_file":{"type":"string","description":"Path to a file containing the private key that the certificate was issued for.","description_kind":"plain","required":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the certificate's role","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using the cert method","description_kind":"plain"},"max_items":1},"auth_login_gcp":{"nesting_mode":"list","block":{"attributes":{"credentials":{"type":"string","description":"Path to the Google Cloud credentials file.","description_kind":"plain","optional":true},"jwt":{"type":"string","description":"A signed JSON Web Token.","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. 
Conflicts with use_root_namespace","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the login role.","description_kind":"plain","required":true},"service_account":{"type":"string","description":"IAM service account.","description_kind":"plain","optional":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using the gcp method","description_kind":"plain"},"max_items":1},"auth_login_jwt":{"nesting_mode":"list","block":{"attributes":{"jwt":{"type":"string","description":"A signed JSON Web Token.","description_kind":"plain","required":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the login role.","description_kind":"plain","required":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using the jwt method","description_kind":"plain"},"max_items":1},"auth_login_kerberos":{"nesting_mode":"list","block":{"attributes":{"disable_fast_negotiation":{"type":"bool","description":"Disable the Kerberos FAST negotiation.","description_kind":"plain","optional":true},"keytab_path":{"type":"string","description":"The Kerberos keytab file containing the entry of the login entity.","description_kind":"plain","optional":true},"krb5conf_path":{"type":"string","description":"A valid Kerberos configuration file e.g. 
/etc/krb5.conf.","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"realm":{"type":"string","description":"The Kerberos server's authoritative authentication domain","description_kind":"plain","optional":true},"remove_instance_name":{"type":"bool","description":"Strip the host from the username found in the keytab.","description_kind":"plain","optional":true},"service":{"type":"string","description":"The service principle name.","description_kind":"plain","optional":true},"token":{"type":"string","description":"Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) token","description_kind":"plain","optional":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true},"username":{"type":"string","description":"The username to login into Kerberos with.","description_kind":"plain","optional":true}},"description":"Login to vault using the kerberos method","description_kind":"plain"},"max_items":1},"auth_login_oci":{"nesting_mode":"list","block":{"attributes":{"auth_type":{"type":"string","description":"Authentication type to use when getting OCI credentials.","description_kind":"plain","required":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. 
Conflicts with use_root_namespace","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the login role.","description_kind":"plain","required":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using the OCI method","description_kind":"plain"},"max_items":1},"auth_login_oidc":{"nesting_mode":"list","block":{"attributes":{"callback_address":{"type":"string","description":"The callback address. Must be a valid URI without the path.","description_kind":"plain","optional":true},"callback_listener_address":{"type":"string","description":"The callback listener's address. Must be a valid URI without the path.","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the login role.","description_kind":"plain","required":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using the oidc method","description_kind":"plain"},"max_items":1},"auth_login_radius":{"nesting_mode":"list","block":{"attributes":{"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. 
Conflicts with use_root_namespace","description_kind":"plain","optional":true},"password":{"type":"string","description":"The Radius password for username.","description_kind":"plain","required":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true},"username":{"type":"string","description":"The Radius username.","description_kind":"plain","required":true}},"description":"Login to vault using the radius method","description_kind":"plain"},"max_items":1},"auth_login_token_file":{"nesting_mode":"list","block":{"attributes":{"filename":{"type":"string","description":"The name of a file containing a single line that is a valid Vault token","description_kind":"plain","required":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using ","description_kind":"plain"},"max_items":1},"auth_login_userpass":{"nesting_mode":"list","block":{"attributes":{"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"password":{"type":"string","description":"Login with password","description_kind":"plain","optional":true},"password_file":{"type":"string","description":"Login with password from a file","description_kind":"plain","optional":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. 
Conflicts with namespace","description_kind":"plain","optional":true},"username":{"type":"string","description":"Login with username","description_kind":"plain","required":true}},"description":"Login to vault using the userpass method","description_kind":"plain"},"max_items":1},"client_auth":{"nesting_mode":"list","block":{"attributes":{"cert_file":{"type":"string","description":"Path to a file containing the client certificate.","description_kind":"plain","optional":true},"key_file":{"type":"string","description":"Path to a file containing the private key that the certificate was issued for.","description_kind":"plain","optional":true}},"description":"Client authentication credentials.","description_kind":"plain","deprecated":true},"max_items":1},"headers":{"nesting_mode":"list","block":{"attributes":{"name":{"type":"string","description":"The header name","description_kind":"plain","required":true},"value":{"type":"string","description":"The header value","description_kind":"plain","required":true}},"description":"The headers to send with each Vault request.","description_kind":"plain"}}},"description_kind":"plain"}},"resource_schemas":{"vault_ad_secret_backend":{"version":1,"block":{"attributes":{"anonymous_group_search":{"type":"bool","description":"Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The mount path for a backend, for example, the path given in \"$ vault auth enable -path=my-ad ad\".","description_kind":"plain","optional":true},"binddn":{"type":"string","description":"Distinguished name of object to bind when performing user and group search.","description_kind":"plain","required":true},"bindpass":{"type":"string","description":"LDAP password for searching for the user 
DN.","description_kind":"plain","required":true,"sensitive":true},"case_sensitive_names":{"type":"bool","description":"If true, case sensitivity will be used when comparing usernames and groups for matching policies.","description_kind":"plain","optional":true},"certificate":{"type":"string","description":"CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.","description_kind":"plain","optional":true},"client_tls_cert":{"type":"string","description":"Client certificate to provide to the LDAP server, must be x509 PEM encoded.","description_kind":"plain","optional":true,"sensitive":true},"client_tls_key":{"type":"string","description":"Client certificate key to provide to the LDAP server, must be x509 PEM encoded.","description_kind":"plain","optional":true,"sensitive":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds","description_kind":"plain","optional":true,"computed":true},"deny_null_bind":{"type":"bool","description":"Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"discoverdn":{"type":"bool","description":"Use anonymous bind to discover the bind DN of a user.","description_kind":"plain","optional":true},"formatter":{"type":"string","description":"Text to insert the password into, ex. \"customPrefix{{PASSWORD}}customSuffix\".","description_kind":"plain","deprecated":true,"optional":true,"computed":true},"groupattr":{"type":"string","description":"LDAP attribute to follow on objects returned by \u003cgroupfilter\u003e in order to enumerate user group membership. 
Examples: \"cn\" or \"memberOf\", etc. Default: cn","description_kind":"plain","optional":true},"groupdn":{"type":"string","description":"LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org)","description_kind":"plain","optional":true},"groupfilter":{"type":"string","description":"Go template for querying group membership of user. The template can access the following context variables: UserDN, Username Example: (\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"insecure_tls":{"type":"bool","description":"Skip LDAP server SSL Certificate verification - insecure and not recommended for production use.","description_kind":"plain","optional":true},"last_rotation_tolerance":{"type":"number","description":"The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band.","description_kind":"plain","optional":true,"computed":true},"length":{"type":"number","description":"The desired length of passwords that Vault generates.","description_kind":"plain","deprecated":true,"optional":true,"computed":true},"local":{"type":"bool","description":"Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds.","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"In seconds, the maximum password time-to-live.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"password_policy":{"type":"string","description":"Name of the password policy to use to generate passwords.","description_kind":"plain","optional":true},"request_timeout":{"type":"number","description":"Timeout, in seconds, for the connection when making requests against the server before returning back an error.","description_kind":"plain","optional":true},"starttls":{"type":"bool","description":"Issue a StartTLS command after establishing unencrypted connection.","description_kind":"plain","optional":true,"computed":true},"tls_max_version":{"type":"string","description":"Maximum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12'","description_kind":"plain","optional":true,"computed":true},"tls_min_version":{"type":"string","description":"Minimum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12'","description_kind":"plain","optional":true,"computed":true},"ttl":{"type":"number","description":"In seconds, the default password time-to-live.","description_kind":"plain","optional":true,"computed":true},"upndomain":{"type":"string","description":"Enables userPrincipalDomain login with [username]@UPNDomain.","description_kind":"plain","optional":true,"computed":true},"url":{"type":"string","description":"LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order.","description_kind":"plain","optional":true},"use_pre111_group_cn_behavior":{"type":"bool","description":"In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. 
It is enabled by default if the config is upgraded but disabled by default on new configurations.","description_kind":"plain","optional":true,"computed":true},"use_token_groups":{"type":"bool","description":"If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.","description_kind":"plain","optional":true},"userattr":{"type":"string","description":"Attribute used for users (default: cn)","description_kind":"plain","optional":true},"userdn":{"type":"string","description":"LDAP domain to use for users (eg: ou=People,dc=example,dc=org)","description_kind":"plain","optional":true}},"description_kind":"plain","deprecated":true}},"vault_ad_secret_library":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The mount path for the AD backend.","description_kind":"plain","required":true},"disable_check_in_enforcement":{"type":"bool","description":"Disable enforcing that service accounts must be checked in by the entity or client token that checked them out.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"The maximum amount of time, in seconds, a check-out last with renewal before Vault automatically checks it back in.","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the set of service accounts.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"service_account_names":{"type":["list","string"],"description":"The names of all the service accounts that can be checked out from this set. 
These service accounts must already exist in Active Directory.","description_kind":"plain","required":true},"ttl":{"type":"number","description":"The amount of time, in seconds, a single check-out lasts before Vault automatically checks it back in.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain","deprecated":true}},"vault_ad_secret_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The mount path for the AD backend.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"last_vault_rotation":{"type":"string","description":"Last time Vault rotated this service account's password.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"password_last_set":{"type":"string","description":"Last time Vault set this service account's password.","description_kind":"plain","computed":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"service_account_name":{"type":"string","description":"The username/logon name for the service account with which this role will be associated.","description_kind":"plain","required":true},"ttl":{"type":"number","description":"In seconds, the default password time-to-live.","description_kind":"plain","optional":true}},"description_kind":"plain","deprecated":true}},"vault_alicloud_auth_backend_role":{"version":0,"block":{"attributes":{"arn":{"type":"string","description":"The role's arn.","description_kind":"plain","required":true},"backend":{"type":"string","description":"Auth backend.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role. Must correspond with the name of the role reflected in the arn.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_approle_auth_backend_login":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor for the token.","description_kind":"plain","computed":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"client_token":{"type":"string","description":"The 
token.","description_kind":"plain","computed":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"How long the token is valid for.","description_kind":"plain","computed":true},"lease_started":{"type":"string","description":"The timestamp the lease started on, as determined by the machine running Terraform.","description_kind":"plain","computed":true},"metadata":{"type":["map","string"],"description":"Metadata associated with the token.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["list","string"],"description":"Policies set on the token.","description_kind":"plain","computed":true},"renewable":{"type":"bool","description":"Whether the token is renewable or not.","description_kind":"plain","computed":true},"role_id":{"type":"string","description":"The RoleID to log in with.","description_kind":"plain","required":true},"secret_id":{"type":"string","description":"The SecretID to log in with.","description_kind":"plain","optional":true,"sensitive":true}},"description_kind":"plain"}},"vault_approle_auth_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"bind_secret_id":{"type":"bool","description":"Whether or not to require secret_id to be present when logging in using this AppRole.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role_id":{"type":"string","description":"The RoleID of the role. 
Autogenerated if not set.","description_kind":"plain","optional":true,"computed":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"secret_id_bound_cidrs":{"type":["set","string"],"description":"List of CIDR blocks that can log in using the AppRole.","description_kind":"plain","optional":true},"secret_id_num_uses":{"type":"number","description":"Number of times which a particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will expire. Leaving this unset or setting it to 0 will allow unlimited uses.","description_kind":"plain","optional":true},"secret_id_ttl":{"type":"number","description":"Number of seconds a SecretID remains valid for.","description_kind":"plain","optional":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in 
seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_approle_auth_backend_role_secret_id":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"The unique ID used to access this SecretID.","description_kind":"plain","computed":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"cidr_list":{"type":["set","string"],"description":"List of CIDR blocks that can log in using the SecretID.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"metadata":{"type":"string","description":"JSON-encoded secret data to write.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"secret_id":{"type":"string","description":"The SecretID to be managed. If not specified, Vault auto-generates one.","description_kind":"plain","optional":true,"computed":true,"sensitive":true},"with_wrapped_accessor":{"type":"bool","description":"Use the wrapped secret-id accessor as the id of this resource. 
If false, a fresh secret-id will be regenerated whenever the wrapping token is expired or invalidated through unwrapping.","description_kind":"plain","optional":true},"wrapping_accessor":{"type":"string","description":"The wrapped SecretID accessor.","description_kind":"plain","computed":true},"wrapping_token":{"type":"string","description":"The wrapped SecretID token.","description_kind":"plain","computed":true,"sensitive":true},"wrapping_ttl":{"type":"string","description":"The TTL duration of the wrapped SecretID.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_audit":{"version":0,"block":{"attributes":{"description":{"type":"string","description":"Human-friendly description of the audit device.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Specifies if the audit device is a local only. Local audit devices are not replicated nor (if a secondary) removed by replication.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"Configuration options to pass to the audit device itself.","description_kind":"plain","required":true},"path":{"type":"string","description":"Path in which to enable the audit device.","description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of the audit device, such as 'file'.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_audit_request_header":{"version":0,"block":{"attributes":{"hmac":{"type":"bool","description":"Whether this header's value should be HMAC'd in the audit logs.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the request header to audit.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor of the auth backend","description_kind":"plain","computed":true},"description":{"type":"string","description":"The description of the auth backend","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Specifies if the auth method is local only","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"path to mount the backend. 
This defaults to the type.","description_kind":"plain","optional":true,"computed":true},"tune":{"type":["set",["object",{"allowed_response_headers":["list","string"],"audit_non_hmac_request_keys":["list","string"],"audit_non_hmac_response_keys":["list","string"],"default_lease_ttl":"string","listing_visibility":"string","max_lease_ttl":"string","passthrough_request_headers":["list","string"],"token_type":"string"}]],"description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Name of the auth backend","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_aws_auth_backend_cert":{"version":0,"block":{"attributes":{"aws_public_cert":{"type":"string","description":"Base64 encoded AWS Public key required to verify PKCS7 signature of the EC2 instance metadata.","description_kind":"plain","required":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"cert_name":{"type":"string","description":"Name of the certificate to configure.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"type":{"type":"string","description":"The type of document that can be verified using the certificate. 
Must be either \"pkcs7\" or \"identity\".","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_client":{"version":0,"block":{"attributes":{"access_key":{"type":"string","description":"AWS Access key with permissions to query AWS APIs.","description_kind":"plain","optional":true,"sensitive":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"ec2_endpoint":{"type":"string","description":"URL to override the default generated endpoint for making AWS EC2 API calls.","description_kind":"plain","optional":true},"iam_endpoint":{"type":"string","description":"URL to override the default generated endpoint for making AWS IAM API calls.","description_kind":"plain","optional":true},"iam_server_id_header_value":{"type":"string","description":"The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the iam auth method.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"AWS Secret key with permissions to query AWS APIs.","description_kind":"plain","optional":true,"sensitive":true},"sts_endpoint":{"type":"string","description":"URL to override the default generated endpoint for making AWS STS API calls.","description_kind":"plain","optional":true},"sts_region":{"type":"string","description":"Region to override the default region for making AWS STS API calls.","description_kind":"plain","optional":true},"use_sts_region_from_client":{"type":"bool","description":"If set, will override sts_region and use the region from the client request's header","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_aws_auth_backend_config_identity":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"ec2_alias":{"type":"string","description":"Configures how to generate the identity alias when using the ec2 auth method.","description_kind":"plain","optional":true},"ec2_metadata":{"type":["set","string"],"description":"The metadata to include on the token returned by the login endpoint.","description_kind":"plain","optional":true},"iam_alias":{"type":"string","description":"How to generate the identity alias when using the iam auth method.","description_kind":"plain","optional":true},"iam_metadata":{"type":["set","string"],"description":"The metadata to include on the token returned by the login endpoint.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_identity_whitelist":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"disable_periodic_tidy":{"type":"bool","description":"If true, disables the periodic tidying of the identiy whitelist entries.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"safety_buffer":{"type":"number","description":"The amount of extra time that must have passed beyond the roletag expiration, before it's removed from backend storage.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_login":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor returned from Vault for this token.","description_kind":"plain","computed":true},"auth_type":{"type":"string","description":"The auth method used to generate this token.","description_kind":"plain","computed":true},"backend":{"type":"string","description":"AWS Auth Backend to read the token from.","description_kind":"plain","optional":true},"client_token":{"type":"string","description":"The token returned by Vault.","description_kind":"plain","computed":true,"sensitive":true},"iam_http_request_method":{"type":"string","description":"The HTTP method used in the signed request.","description_kind":"plain","optional":true},"iam_request_body":{"type":"string","description":"The Base64-encoded body of the signed request.","description_kind":"plain","optional":true},"iam_request_headers":{"type":"string","description":"The Base64-encoded, JSON serialized representation of the sts:GetCallerIdentity HTTP request 
headers.","description_kind":"plain","optional":true},"iam_request_url":{"type":"string","description":"The Base64-encoded HTTP URL used in the signed request.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity":{"type":"string","description":"Base64-encoded EC2 instance identity document to authenticate with.","description_kind":"plain","optional":true},"lease_duration":{"type":"number","description":"Lease duration in seconds relative to the time in lease_start_time.","description_kind":"plain","computed":true},"lease_start_time":{"type":"string","description":"Time at which the lease was read, using the clock of the system where Terraform was running","description_kind":"plain","computed":true},"metadata":{"type":["map","string"],"description":"The metadata reported by the Vault server.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"nonce":{"type":"string","description":"The nonce to be used for subsequent login requests.","description_kind":"plain","optional":true,"computed":true},"pkcs7":{"type":"string","description":"PKCS7 signature of the identity document to authenticate with, with all newline characters removed.","description_kind":"plain","optional":true},"policies":{"type":["list","string"],"description":"The policies assigned to this token.","description_kind":"plain","computed":true},"renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"role":{"type":"string","description":"AWS Auth Role to read the token from.","description_kind":"plain","optional":true,"computed":true},"signature":{"type":"string","description":"Base64-encoded SHA256 RSA signature of the instance identtiy document to authenticate 
with.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_role":{"version":0,"block":{"attributes":{"allow_instance_migration":{"type":"bool","description":"When true, allows migration of the underlying instance where the client resides. Use with caution.","description_kind":"plain","optional":true},"auth_type":{"type":"string","description":"The auth type permitted for this role.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"bound_account_ids":{"type":["set","string"],"description":"Only EC2 instances with this account ID in their identity document will be permitted to log in.","description_kind":"plain","optional":true},"bound_ami_ids":{"type":["set","string"],"description":"Only EC2 instances using this AMI ID will be permitted to log in.","description_kind":"plain","optional":true},"bound_ec2_instance_ids":{"type":["set","string"],"description":"Only EC2 instances that match this instance ID will be permitted to log in.","description_kind":"plain","optional":true},"bound_iam_instance_profile_arns":{"type":["set","string"],"description":"Only EC2 instances associated with an IAM instance profile ARN that matches this value will be permitted to log in.","description_kind":"plain","optional":true},"bound_iam_principal_arns":{"type":["set","string"],"description":"The IAM principal that must be authenticated using the iam auth method.","description_kind":"plain","optional":true},"bound_iam_role_arns":{"type":["set","string"],"description":"Only EC2 instances that match this IAM role ARN will be permitted to log in.","description_kind":"plain","optional":true},"bound_regions":{"type":["set","string"],"description":"Only EC2 instances in this region will be permitted to log in.","description_kind":"plain","optional":true},"bound_subnet_ids":{"type":["set","string"],"description":"Only EC2 
instances associated with this subnet ID will be permitted to log in.","description_kind":"plain","optional":true},"bound_vpc_ids":{"type":["set","string"],"description":"Only EC2 instances associated with this VPC ID will be permitted to log in.","description_kind":"plain","optional":true},"disallow_reauthentication":{"type":"bool","description":"When true, only allows a single token to be granted per instance ID.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"inferred_aws_region":{"type":"string","description":"The region to search for the inferred entities in.","description_kind":"plain","optional":true},"inferred_entity_type":{"type":"string","description":"The type of inferencing Vault should do.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"resolve_aws_unique_ids":{"type":"bool","description":"Whether or not Vault should resolve the bound_iam_principal_arn to an AWS Unique ID. 
When true, deleting a principal and recreating it with the same name won't automatically grant the new principal the same roles in Vault that the old principal had.","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"role_id":{"type":"string","description":"The Vault generated role ID.","description_kind":"plain","computed":true},"role_tag":{"type":"string","description":"The key of the tag on EC2 instance to use for role tags.","description_kind":"plain","optional":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or 
batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_role_tag":{"version":0,"block":{"attributes":{"allow_instance_migration":{"type":"bool","description":"Allows migration of the underlying instance where the client resides.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"AWS auth backend to read tags from.","description_kind":"plain","optional":true},"disallow_reauthentication":{"type":"bool","description":"Only allow a single token to be granted per instance ID.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"instance_id":{"type":"string","description":"Instance ID for which this tag is intended. The created tag can only be used by the instance with the given ID.","description_kind":"plain","optional":true},"max_ttl":{"type":"string","description":"The maximum allowed lifetime of tokens issued using this role.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"Policies to be associated with the tag.","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"tag_key":{"type":"string","description_kind":"plain","computed":true},"tag_value":{"type":"string","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_aws_auth_backend_roletag_blacklist":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","required":true},"disable_periodic_tidy":{"type":"bool","description":"If true, disables the periodic tidying of the roletag blacklist entries.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"safety_buffer":{"type":"number","description":"The amount of extra time that must have passed beyond the roletag expiration, before it's removed from backend storage.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_sts_role":{"version":0,"block":{"attributes":{"account_id":{"type":"string","description":"AWS account ID to be associated with STS role.","description_kind":"plain","required":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"sts_role":{"type":"string","description":"AWS ARN for STS role to be assumed when interacting with the account specified.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_aws_secret_backend":{"version":1,"block":{"attributes":{"access_key":{"type":"string","description":"The AWS Access Key ID to use when generating new credentials.","description_kind":"plain","optional":true,"sensitive":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"iam_endpoint":{"type":"string","description":"Specifies a custom HTTP IAM endpoint to use.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity_token_audience":{"type":"string","description":"The audience claim value.","description_kind":"plain","optional":true},"identity_token_key":{"type":"string","description":"The key to use for signing identity tokens.","description_kind":"plain","optional":true},"identity_token_ttl":{"type":"number","description":"The TTL of generated identity tokens in seconds.","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Specifies if the secret backend is local only","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to mount the backend at.","description_kind":"plain","optional":true},"region":{"type":"string","description":"The AWS region to make API calls against. Defaults to us-east-1.","description_kind":"plain","optional":true,"computed":true},"role_arn":{"type":"string","description":"Role ARN to assume for plugin identity token federation.","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"The AWS Secret Access Key to use when generating new credentials.","description_kind":"plain","optional":true,"sensitive":true},"sts_endpoint":{"type":"string","description":"Specifies a custom HTTP STS endpoint to use.","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_aws_secret_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the AWS Secret Backend the role belongs to.","description_kind":"plain","required":true},"credential_type":{"type":"string","description":"Role credential type.","description_kind":"plain","required":true},"default_sts_ttl":{"type":"number","description":"The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.","description_kind":"plain","optional":true,"computed":true},"iam_groups":{"type":["set","string"],"description":"A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. 
For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_sts_ttl":{"type":"number","description":"The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name for the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"permissions_boundary_arn":{"type":"string","description":"The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.","description_kind":"plain","optional":true},"policy_arns":{"type":["set","string"],"description":"ARN for an existing IAM policy the role should use.","description_kind":"plain","optional":true},"policy_document":{"type":"string","description":"IAM policy the role should use in JSON format.","description_kind":"plain","optional":true},"role_arns":{"type":["set","string"],"description":"ARNs of AWS roles allowed to be assumed. Only valid when credential_type is 'assumed_role'","description_kind":"plain","optional":true},"user_path":{"type":"string","description":"The path for the user name. Valid only when credential_type is iam_user. 
Default is /","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_secret_backend_static_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path where the AWS secrets backend is mounted.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"rotation_period":{"type":"number","description":"How often Vault should rotate the password of the user entry.","description_kind":"plain","required":true},"username":{"type":"string","description":"The username of the existing AWS IAM user to manage password rotation for.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_azure_auth_backend_config":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"client_id":{"type":"string","description":"The client id for credentials to query the Azure APIs. Currently read permissions to query compute resources are required.","description_kind":"plain","optional":true,"sensitive":true},"client_secret":{"type":"string","description":"The client secret for credentials to query the Azure APIs","description_kind":"plain","optional":true,"sensitive":true},"environment":{"type":"string","description":"The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"resource":{"type":"string","description":"The configured URL for the application registered in Azure Active Directory.","description_kind":"plain","required":true},"tenant_id":{"type":"string","description":"The tenant id for the Azure Active Directory organization.","description_kind":"plain","required":true,"sensitive":true}},"description_kind":"plain"}},"vault_azure_auth_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"bound_group_ids":{"type":["list","string"],"description":"The list of group ids that login is restricted to.","description_kind":"plain","optional":true},"bound_locations":{"type":["list","string"],"description":"The list of locations that login is restricted to.","description_kind":"plain","optional":true},"bound_resource_groups":{"type":["list","string"],"description":"The list of resource groups that login is restricted to.","description_kind":"plain","optional":true},"bound_scale_sets":{"type":["list","string"],"description":"The list of scale set names that the login is restricted to.","description_kind":"plain","optional":true},"bound_service_principal_ids":{"type":["list","string"],"description":"The list of Service Principal IDs that login is restricted to.","description_kind":"plain","optional":true},"bound_subscription_ids":{"type":["list","string"],"description":"The list of subscription IDs that login is restricted to.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_azure_secret_backend":{"version":1,"block":{"attributes":{"client_id":{"type":"string","description":"The client id for credentials to query the Azure APIs. 
Currently read permissions to query compute resources are required.","description_kind":"plain","optional":true,"sensitive":true},"client_secret":{"type":"string","description":"The client secret for credentials to query the Azure APIs","description_kind":"plain","optional":true,"sensitive":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"environment":{"type":"string","description":"The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to mount the backend at.","description_kind":"plain","optional":true},"subscription_id":{"type":"string","description":"The subscription id for the Azure Active Directory.","description_kind":"plain","required":true,"sensitive":true},"tenant_id":{"type":"string","description":"The tenant id for the Azure Active Directory organization.","description_kind":"plain","required":true,"sensitive":true},"use_microsoft_graph_api":{"type":"bool","description":"Use the Microsoft Graph API. 
Should be set to true on vault-1.10+","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_azure_secret_backend_role":{"version":0,"block":{"attributes":{"application_object_id":{"type":"string","description":"Application Object ID for an existing service principal that will be used instead of creating dynamic service principals.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"permanently_delete":{"type":"bool","description":"Indicates whether the applications and service principals created by Vault will be permanently deleted when the corresponding leases expire.","description_kind":"plain","optional":true,"computed":true},"role":{"type":"string","description":"Name of the role to create","description_kind":"plain","required":true},"sign_in_audience":{"type":"string","description":"Specifies the security principal types that are allowed to sign in to the application. 
Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount","description_kind":"plain","optional":true},"tags":{"type":["list","string"],"description":"Comma-separated strings of Azure tags to attach to an application.","description_kind":"plain","optional":true},"ttl":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true}},"block_types":{"azure_groups":{"nesting_mode":"set","block":{"attributes":{"group_name":{"type":"string","description_kind":"plain","required":true},"object_id":{"type":"string","description_kind":"plain","computed":true}},"description_kind":"plain"}},"azure_roles":{"nesting_mode":"set","block":{"attributes":{"role_id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"role_name":{"type":"string","description_kind":"plain","optional":true,"computed":true},"scope":{"type":"string","description_kind":"plain","required":true}},"description_kind":"plain"}}},"description_kind":"plain"}},"vault_cert_auth_backend_role":{"version":1,"block":{"attributes":{"allowed_common_names":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"allowed_dns_sans":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"allowed_email_sans":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"allowed_names":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"allowed_organization_units":{"type":["set","string"],"description_kind":"plain","deprecated":true,"optional":true,"computed":true},"allowed_organizational_units":{"type":["set","string"],"description_kind":"plain","optional":true},"allowed_uri_sans":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"backend":{"type":"string","description_kind":"plain","optional":true},"certificate":{"type":"string",
"description_kind":"plain","required":true},"display_name":{"type":"string","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"ocsp_ca_certificates":{"type":"string","description":"Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data.","description_kind":"plain","optional":true},"ocsp_enabled":{"type":"bool","description":"If enabled, validate certificates' revocation status using OCSP.","description_kind":"plain","optional":true,"computed":true},"ocsp_fail_open":{"type":"bool","description":"If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked.","description_kind":"plain","optional":true,"computed":true},"ocsp_query_all_servers":{"type":"bool","description":"If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree.","description_kind":"plain","optional":true,"computed":true},"ocsp_servers_override":{"type":["set","string"],"description":"A comma-separated list of OCSP server addresses. 
If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected.","description_kind":"plain","optional":true},"required_extensions":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_consul_secret_backend":{"version":1,"block":{"attributes":{"address":{"type":"string","description":"Specifies the address of the Consul instance, provided as \"host:port\" like \"127.0.0.1:8500\".","description_kind":"plain","required":true},"bootstrap":{"type":"bool","description":"Denotes a backend resource that is used to 
bootstrap the Consul ACL system. Only one resource may be used to bootstrap.","description_kind":"plain","optional":true},"ca_cert":{"type":"string","description":"CA certificate to use when verifying Consul server certificate, must be x509 PEM encoded.","description_kind":"plain","optional":true},"client_cert":{"type":"string","description":"Client certificate used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_key.","description_kind":"plain","optional":true,"sensitive":true},"client_key":{"type":"string","description":"Client key used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert.","description_kind":"plain","optional":true,"sensitive":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Specifies if the secret backend is local only","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Unique name of the Vault Consul mount to configure","description_kind":"plain","optional":true},"scheme":{"type":"string","description":"Specifies the URL scheme to use. 
Defaults to \"http\".","description_kind":"plain","optional":true},"token":{"type":"string","description":"Specifies the Consul token to use when managing or issuing new tokens.","description_kind":"plain","optional":true,"sensitive":true}},"description_kind":"plain"}},"vault_consul_secret_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the Consul Secret Backend the role belongs to.","description_kind":"plain","optional":true},"consul_namespace":{"type":"string","description":"The Consul namespace that the token will be created in. Applicable for Vault 1.10+ and Consul 1.7+","description_kind":"plain","optional":true,"computed":true},"consul_policies":{"type":["set","string"],"description":"List of Consul policies to associate with this role","description_kind":"plain","optional":true},"consul_roles":{"type":["set","string"],"description":"Set of Consul roles to attach to the token. Applicable for Vault 1.10+ with Consul 1.5+","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Indicates that the token should not be replicated globally and instead be local to the current datacenter.","description_kind":"plain","optional":true},"max_ttl":{"type":"number","description":"Maximum TTL for leases associated with this role, in seconds.","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of an existing role against which to create this Consul credential","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"node_identities":{"type":["set","string"],"description":"Set of Consul node identities to attach to\n\t\t\t\tthe token. 
Applicable for Vault 1.11+ with Consul 1.8+","description_kind":"plain","optional":true},"partition":{"type":"string","description":"The Consul admin partition that the token will be created in. Applicable for Vault 1.10+ and Consul 1.11+","description_kind":"plain","optional":true,"computed":true},"policies":{"type":["list","string"],"description":"List of Consul policies to associate with this role","description_kind":"plain","optional":true},"service_identities":{"type":["set","string"],"description":"Set of Consul service identities to attach to\n\t\t\t\tthe token. Applicable for Vault 1.11+ with Consul 1.5+","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"Specifies the type of token to create when using this role. Valid values are \"client\" or \"management\".","description_kind":"plain","deprecated":true,"optional":true},"ttl":{"type":"number","description":"Specifies the TTL for this role.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_database_secret_backend_connection":{"version":0,"block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the Vault mount to configure.","description_kind":"plain","required":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"block_types":{"cassandra":{"nesting_mode":"list","block":{"attributes":{"connect_timeout":{"type":"number","description":"The number of seconds to use as a connection timeout.","description_kind":"plain","optional":true},"hosts":{"type":["list","string"],"description":"Cassandra hosts to connect to.","description_kind":"plain","optional":true},"insecure_tls":{"type":"bool","description":"Whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The password to use when authenticating with Cassandra.","description_kind":"plain","optional":true,"sensitive":true},"pem_bundle":{"type":"string","description":"Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"pem_json":{"type":"string","description":"Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"port":{"type":"number","description":"The transport port to use to connect to 
Cassandra.","description_kind":"plain","optional":true},"protocol_version":{"type":"number","description":"The CQL protocol version to use.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Whether to use TLS when connecting to Cassandra.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The username to use when authenticating with Cassandra.","description_kind":"plain","optional":true}},"description":"Connection parameters for the cassandra-database-plugin plugin.","description_kind":"plain"},"max_items":1},"couchbase":{"nesting_mode":"list","block":{"attributes":{"base64_pem":{"type":"string","description":"Required if `tls` is `true`. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded.","description_kind":"plain","optional":true,"sensitive":true},"bucket_name":{"type":"string","description":"Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server.","description_kind":"plain","optional":true},"hosts":{"type":["list","string"],"description":"A set of Couchbase URIs to connect to. 
Must use `couchbases://` scheme if `tls` is `true`.","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":" Specifies whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"tls":{"type":"bool","description":"Specifies whether to use TLS when connecting to Couchbase.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username for Vault to use.","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true}},"description":"Connection parameters for the couchbase-database-plugin plugin.","description_kind":"plain"},"max_items":1},"elasticsearch":{"nesting_mode":"list","block":{"attributes":{"ca_cert":{"type":"string","description":"The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity","description_kind":"plain","optional":true},"ca_path":{"type":"string","description":"The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity","description_kind":"plain","optional":true},"client_cert":{"type":"string","description":"The path to the certificate for the Elasticsearch client to present for communication","description_kind":"plain","optional":true},"client_key":{"type":"string","description":"The path to the key for the Elasticsearch client to use for communication","description_kind":"plain","optional":true},"insecure":{"type":"bool","description":"Whether to disable certificate verification","description_kind":"plain","optional":true},"password":{"type":"string","description":"The password to be used in the connection 
URL","description_kind":"plain","required":true,"sensitive":true},"tls_server_name":{"type":"string","description":"This, if set, is used to set the SNI host when connecting via TLS","description_kind":"plain","optional":true},"url":{"type":"string","description":"The URL for Elasticsearch's API","description_kind":"plain","required":true},"username":{"type":"string","description":"The username to be used in the connection URL","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true}},"description":"Connection parameters for the elasticsearch-database-plugin.","description_kind":"plain"},"max_items":1},"hana":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true}},"description":"Connection parameters for the hana-database-plugin 
plugin.","description_kind":"plain"},"max_items":1},"influxdb":{"nesting_mode":"list","block":{"attributes":{"connect_timeout":{"type":"number","description":"The number of seconds to use as a connection timeout.","description_kind":"plain","optional":true},"host":{"type":"string","description":"Influxdb host to connect to.","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":"Whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"pem_bundle":{"type":"string","description":"Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"pem_json":{"type":"string","description":"Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"port":{"type":"number","description":"The transport port to use to connect to Influxdb.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Whether to use TLS when connecting to Influxdb.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username to use for superuser access.","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true}},"description":"Connection parameters for the influxdb-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mongodb":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string 
to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mongodb-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mongodbatlas":{"nesting_mode":"list","block":{"attributes":{"private_key":{"type":"string","description":"The Private Programmatic API Key used to connect with MongoDB Atlas API.","description_kind":"plain","required":true,"sensitive":true},"project_id":{"type":"string","description":"The Project ID the Database User should be created within.","description_kind":"plain","required":true},"public_key":{"type":"string","description":"The Public Programmatic API Key used to authenticate with the MongoDB Atlas API.","description_kind":"plain","required":true}},"description":"Connection parameters for the mongodbatlas-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mssql":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the 
database.","description_kind":"plain","optional":true},"contained_db":{"type":"bool","description":"Set to true when the target is a Contained Database, e.g. AzureSQL.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mssql-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mysql":{"nesting_mode":"list","block":{"attributes":{"auth_type":{"type":"string","description":"Specify alternative authorization type. 
(Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mysql_aurora":{"nesting_mode":"list","block":{"attributes":{"auth_type":{"type":"string","description":"Specify alternative authorization type. 
(Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-aurora-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mysql_legacy":{"nesting_mode":"list","block":{"attributes":{"auth_type":{"type":"string","description":"Specify alternative authorization type. 
(Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-legacy-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mysql_rds":{"nesting_mode":"list","block":{"attributes":{"auth_type":{"type":"string","description":"Specify alternative authorization type. 
(Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-rds-database-plugin plugin.","description_kind":"plain"},"max_items":1},"oracle":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"disconnect_sessions":{"type":"bool","description":"Set to true to disconnect any open sessions prior to running the revocation statements.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"split_statements":{"type":"bool","description":"Set to true in order to split statements after semi-colons.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation 
template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the oracle-database-plugin plugin.","description_kind":"plain"},"max_items":1},"postgresql":{"nesting_mode":"list","block":{"attributes":{"auth_type":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the postgresql-database-plugin plugin.","description_kind":"plain"},"max_items":1},"redis":{"nesting_mode":"list","block":{"attributes":{"ca_cert":{"type":"string","description":"The 
contents of a PEM-encoded CA cert file to use to verify the Redis server's identity.","description_kind":"plain","optional":true},"host":{"type":"string","description":"Specifies the host to connect to","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":"Specifies whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"port":{"type":"number","description":"The transport port to use to connect to Redis.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Specifies whether to use TLS when connecting to Redis.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username for Vault to use.","description_kind":"plain","required":true}},"description":"Connection parameters for the redis-database-plugin plugin.","description_kind":"plain"},"max_items":1},"redis_elasticache":{"nesting_mode":"list","block":{"attributes":{"password":{"type":"string","description":"The AWS secret key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead.","description_kind":"plain","optional":true,"sensitive":true},"region":{"type":"string","description":"The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment.","description_kind":"plain","optional":true},"url":{"type":"string","description":"The configuration endpoint for the ElastiCache cluster to connect to.","description_kind":"plain","required":true},"username":{"type":"string","description":"The AWS access key id to use to talk to ElastiCache. 
If omitted the credentials chain provider is used instead.","description_kind":"plain","optional":true,"sensitive":true}},"description":"Connection parameters for the redis-elasticache-database-plugin plugin.","description_kind":"plain"},"max_items":1},"redshift":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the redshift-database-plugin plugin.","description_kind":"plain"},"max_items":1},"snowflake":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be 
reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the snowflake-database-plugin plugin.","description_kind":"plain"},"max_items":1}},"description_kind":"plain"}},"vault_database_secret_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the Database Secret Backend the role belongs to.","description_kind":"plain","required":true},"creation_statements":{"type":["list","string"],"description":"Database statements to execute to create and configure a user.","description_kind":"plain","required":true},"credential_config":{"type":["map","string"],"description":"Specifies the configuration for the given credential_type.","description_kind":"plain","optional":true},"credential_type":{"type":"string","description":"Specifies the type of credential that will be generated for the role.","description_kind":"plain","optional":true,"computed":true},"db_name":{"type":"string","description":"Database connection to use for this role.","description_kind":"plain","required":true},"default_ttl":{"type":"number","description":"Default TTL for leases associated with this role, in 
seconds.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"Maximum TTL for leases associated with this role, in seconds.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Unique name for the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"renew_statements":{"type":["list","string"],"description":"Database statements to execute to renew a user.","description_kind":"plain","optional":true},"revocation_statements":{"type":["list","string"],"description":"Database statements to execute to revoke a user.","description_kind":"plain","optional":true},"rollback_statements":{"type":["list","string"],"description":"Database statements to execute to rollback a create operation in the event of an error.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_database_secret_backend_static_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the Database Secret Backend the role belongs to.","description_kind":"plain","required":true},"db_name":{"type":"string","description":"Database connection to use for this role.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name for the static role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"rotation_period":{"type":"number","description":"The amount of time Vault should wait before rotating the password, in seconds.","description_kind":"plain","optional":true},"rotation_schedule":{"type":"string","description":"A cron-style string that will define the schedule on which rotations should occur.","description_kind":"plain","optional":true},"rotation_statements":{"type":["list","string"],"description":"Database statements to execute to rotate the password for the configured database user.","description_kind":"plain","optional":true},"rotation_window":{"type":"number","description":"The amount of time in seconds in which the rotations are allowed to occur starting from a given rotation_schedule.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The database username that this role corresponds to.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_database_secrets_mount":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"Accessor of the mount","description_kind":"plain","computed":true},"allowed_managed_keys":{"type":["set","string"],"description":"List of managed key registry entry names that the mount in question is allowed to access","description_kind":"plain","optional":true},"audit_non_hmac_request_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.","description_kind":"plain","optional":true,"computed":true},"audit_non_hmac_response_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.","description_kind":"plain","optional":true,"computed":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for tokens and secrets in 
seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount","description_kind":"plain","optional":true},"engine_count":{"type":"number","description":"Total number of database secret engines configured under the mount.","description_kind":"plain","computed":true},"external_entropy_access":{"type":"bool","description":"Enable the secrets engine to access Vault's external entropy source","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"Specifies mount type specific options that are passed to the backend","description_kind":"plain","optional":true},"path":{"type":"string","description":"Where the secret backend will be mounted","description_kind":"plain","required":true},"seal_wrap":{"type":"bool","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","description_kind":"plain","optional":true,"computed":true}},"block_types":{"cassandra":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connect_timeout":{"type":"number","description":"The number of seconds to use as a connection timeout.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"hosts":{"type":["list","string"],"description":"Cassandra hosts to connect to.","description_kind":"plain","optional":true},"insecure_tls":{"type":"bool","description":"Whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The password to use when authenticating with Cassandra.","description_kind":"plain","optional":true,"sensitive":true},"pem_bundle":{"type":"string","description":"Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"pem_json":{"type":"string","description":"Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"port":{"type":"number","description":"The transport port to use to connect to Cassandra.","description_kind":"plain","optional":true},"protocol_version":{"type":"number","description":"The CQL protocol version to use.","description_kind":"plain","optional":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Whether to use TLS when connecting to Cassandra.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The username to use when authenticating with Cassandra.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the cassandra-database-plugin plugin.","description_kind":"plain"}},"couchbase":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"base64_pem":{"type":"string","description":"Required if `tls` is `true`. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded.","description_kind":"plain","optional":true,"sensitive":true},"bucket_name":{"type":"string","description":"Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"hosts":{"type":["list","string"],"description":"A set of Couchbase URIs to connect to. Must use `couchbases://` scheme if `tls` is `true`.","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":" Specifies whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Specifies whether to use TLS when connecting to Couchbase.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username for Vault to use.","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the couchbase-database-plugin plugin.","description_kind":"plain"}},"elasticsearch":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of 
roles that are allowed to use this connection.","description_kind":"plain","optional":true},"ca_cert":{"type":"string","description":"The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity","description_kind":"plain","optional":true},"ca_path":{"type":"string","description":"The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity","description_kind":"plain","optional":true},"client_cert":{"type":"string","description":"The path to the certificate for the Elasticsearch client to present for communication","description_kind":"plain","optional":true},"client_key":{"type":"string","description":"The path to the key for the Elasticsearch client to use for communication","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"insecure":{"type":"bool","description":"Whether to disable certificate verification","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The password to be used in the connection URL","description_kind":"plain","required":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"tls_server_name":{"type":"string","description":"This, if set, is used to set the SNI host when connecting via TLS","description_kind":"plain","optional":true},"url":{"type":"string","description":"The URL for Elasticsearch's API","description_kind":"plain","required":true},"username":{"type":"string","description":"The username to be used in the connection URL","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the elasticsearch-database-plugin.","description_kind":"plain"}},"hana":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the hana-database-plugin plugin.","description_kind":"plain"}},"influxdb":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connect_timeout":{"type":"number","description":"The number of seconds to use as a connection timeout.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"host":{"type":"string","description":"Influxdb host to connect to.","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":"Whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"pem_bundle":{"type":"string","description":"Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"pem_json":{"type":"string","description":"Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"port":{"type":"number","description":"The transport port to use to connect to Influxdb.","description_kind":"plain","optional":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Whether to use TLS when connecting to Influxdb.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username to use for superuser access.","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the influxdb-database-plugin plugin.","description_kind":"plain"}},"mongodb":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mongodb-database-plugin plugin.","description_kind":"plain"}},"mongodbatlas":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this 
connection.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"private_key":{"type":"string","description":"The Private Programmatic API Key used to connect with MongoDB Atlas API.","description_kind":"plain","required":true,"sensitive":true},"project_id":{"type":"string","description":"The Project ID the Database User should be created within.","description_kind":"plain","required":true},"public_key":{"type":"string","description":"The Public Programmatic API Key used to authenticate with the MongoDB Atlas API.","description_kind":"plain","required":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mongodbatlas-database-plugin plugin.","description_kind":"plain"}},"mssql":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"contained_db":{"type":"bool","description":"Set to true when 
the target is a Contained Database, e.g. AzureSQL.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mssql-database-plugin plugin.","description_kind":"plain"}},"mysql":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"auth_type":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-database-plugin plugin.","description_kind":"plain"}},"mysql_aurora":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"auth_type":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-aurora-database-plugin plugin.","description_kind":"plain"}},"mysql_legacy":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"auth_type":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-legacy-database-plugin plugin.","description_kind":"plain"}},"mysql_rds":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"auth_type":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-rds-database-plugin plugin.","description_kind":"plain"}},"oracle":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"disconnect_sessions":{"type":"bool","description":"Set to true to disconnect any open sessions prior to running the revocation statements.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"split_statements":{"type":"bool","description":"Set to true in order to split statements after semi-colons.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the oracle-database-plugin plugin.","description_kind":"plain"}},"postgresql":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"auth_type":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the postgresql-database-plugin plugin.","description_kind":"plain"}},"redis":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"ca_cert":{"type":"string","description":"The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"host":{"type":"string","description":"Specifies the host to connect to","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":"Specifies whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"port":{"type":"number","description":"The transport port to use to connect to Redis.","description_kind":"plain","optional":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Specifies whether to use TLS when connecting to Redis.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username for Vault to use.","description_kind":"plain","required":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the redis-database-plugin plugin.","description_kind":"plain"}},"redis_elasticache":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this 
connection.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The AWS secret key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead.","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"region":{"type":"string","description":"The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment.","description_kind":"plain","optional":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"url":{"type":"string","description":"The configuration endpoint for the ElastiCache cluster to connect to.","description_kind":"plain","required":true},"username":{"type":"string","description":"The AWS access key id to use to talk to ElastiCache. 
If omitted the credentials chain provider is used instead.","description_kind":"plain","optional":true,"sensitive":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the redis-elasticache-database-plugin plugin.","description_kind":"plain"}},"redshift":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the redshift-database-plugin plugin.","description_kind":"plain"}},"snowflake":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the snowflake-database-plugin plugin.","description_kind":"plain"}}},"description_kind":"plain"}},"vault_egp_policy":{"version":0,"block":{"attributes":{"enforcement_level":{"type":"string","description":"Enforcement level of Sentinel policy. 
Can be one of: 'advisory', 'soft-mandatory' or 'hard-mandatory'","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the policy","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"paths":{"type":["list","string"],"description":"List of paths to which the policy will be applied","description_kind":"plain","required":true},"policy":{"type":"string","description":"The policy document","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_gcp_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor of the auth backend","description_kind":"plain","computed":true},"client_email":{"type":"string","description_kind":"plain","optional":true,"computed":true},"client_id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"credentials":{"type":"string","description_kind":"plain","optional":true,"sensitive":true},"description":{"type":"string","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Specifies if the auth method is local only","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description_kind":"plain","optional":true},"private_key_id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"project_id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"tune":{"type":["set",["object",{"allowed_response_headers":["list","string"],"audit_non_hmac_request_keys":["list","string"],"audit_non_hmac_response_keys":["list","string"],"default_lease_ttl":"string","listing_visibility":"string","max_lease_ttl":"string","passthrough_request_headers":["list","string"],"token_type":"string"}]],"description_kind":"plain","optional":true,"computed":true}},"block_types":{"custom_endpoint":{"nesting_mode":"list","block":{"attributes":{"api":{"type":"string","description":"Replaces the service endpoint used in API requests to https://www.googleapis.com.","description_kind":"plain","optional":true},"compute":{"type":"string","description":"Replaces the service endpoint used in API requests to `https://compute.googleapis.com`.","description_kind":"plain","optional":true},"crm":{"type":"string","description":"Replaces the service endpoint used in API requests to `https://cloudresourcemanager.googleapis.com`.","description_kind":"plain","optional":true},"iam":{"type":"string","description":"Replaces the service endpoint used in API requests to `https://iam.googleapis.com`.","description_kind":"plain","optional":true}},"description":"Specifies overrides to service endpoints used when making API requests to 
GCP.","description_kind":"plain"},"max_items":1}},"description_kind":"plain"}},"vault_gcp_auth_backend_role":{"version":1,"block":{"attributes":{"add_group_aliases":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"allow_gce_inference":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"backend":{"type":"string","description_kind":"plain","optional":true},"bound_instance_groups":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"bound_labels":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"bound_projects":{"type":["set","string"],"description_kind":"plain","optional":true},"bound_regions":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"bound_service_accounts":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"bound_zones":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_jwt_exp":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true},"type":{"type":"string","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_gcp_secret_backend":{"version":1,"block":{"attributes":{"credentials":{"type":"string","description":"JSON-encoded credentials to use to connect to GCP","description_kind":"plain","optional":true,"sensitive":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in 
seconds","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to mount the backend at.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_gcp_secret_impersonated_account":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Path where the GCP secrets engine is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"impersonated_account":{"type":"string","description":"Name of the Impersonated Account to create","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"service_account_email":{"type":"string","description":"Email of the GCP service account.","description_kind":"plain","required":true},"service_account_project":{"type":"string","description":"Project of the GCP Service Account managed by this impersonated account","description_kind":"plain","computed":true},"token_scopes":{"type":["set","string"],"description":"List of OAuth scopes to assign to `access_token` secrets generated under this impersonated account (`access_token` impersonated accounts only) ","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_gcp_secret_roleset":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Path where the GCP secrets engine is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"project":{"type":"string","description":"Name of the GCP project that this roleset's service account will belong to.","description_kind":"plain","required":true},"roleset":{"type":"string","description":"Name of the RoleSet to create","description_kind":"plain","required":true},"secret_type":{"type":"string","description":"Type of secret generated for this role set. Defaults to `access_token`. 
Accepted values: `access_token`, `service_account_key`","description_kind":"plain","optional":true,"computed":true},"service_account_email":{"type":"string","description":"Email of the service account created by Vault for this Roleset","description_kind":"plain","computed":true},"token_scopes":{"type":["set","string"],"description":"List of OAuth scopes to assign to `access_token` secrets generated under this role set (`access_token` role sets only) ","description_kind":"plain","optional":true}},"block_types":{"binding":{"nesting_mode":"set","block":{"attributes":{"resource":{"type":"string","description":"Resource name","description_kind":"plain","required":true},"roles":{"type":["set","string"],"description":"List of roles to apply to the resource","description_kind":"plain","required":true}},"description_kind":"plain"},"min_items":1}},"description_kind":"plain"}},"vault_gcp_secret_static_account":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Path where the GCP secrets engine is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"secret_type":{"type":"string","description":"Type of secret generated for this static account. Defaults to `access_token`. 
Accepted values: `access_token`, `service_account_key`","description_kind":"plain","optional":true,"computed":true},"service_account_email":{"type":"string","description":"Email of the GCP service account.","description_kind":"plain","required":true},"service_account_project":{"type":"string","description":"Project of the GCP Service Account managed by this static account","description_kind":"plain","computed":true},"static_account":{"type":"string","description":"Name of the Static Account to create","description_kind":"plain","required":true},"token_scopes":{"type":["set","string"],"description":"List of OAuth scopes to assign to `access_token` secrets generated under this static account (`access_token` static accounts only) ","description_kind":"plain","optional":true}},"block_types":{"binding":{"nesting_mode":"set","block":{"attributes":{"resource":{"type":"string","description":"Resource name","description_kind":"plain","required":true},"roles":{"type":["set","string"],"description":"List of roles to apply to the resource","description_kind":"plain","required":true}},"description_kind":"plain"}}},"description_kind":"plain"}},"vault_generic_endpoint":{"version":1,"block":{"attributes":{"data_json":{"type":"string","description":"JSON-encoded data to write.","description_kind":"plain","required":true,"sensitive":true},"disable_delete":{"type":"bool","description":"Don't attempt to delete the path from Vault if true","description_kind":"plain","optional":true},"disable_read":{"type":"bool","description":"Don't attempt to read the path from Vault if true; drift won't be detected","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ignore_absent_fields":{"type":"bool","description":"When reading, disregard fields not present in data_json","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where to the endpoint that will be written","description_kind":"plain","required":true},"write_data":{"type":["map","string"],"description":"Map of strings returned by write operation","description_kind":"plain","computed":true},"write_data_json":{"type":"string","description":"JSON data returned by write operation","description_kind":"plain","computed":true},"write_fields":{"type":["list","string"],"description":"Top-level fields returned by write to persist in state","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_generic_secret":{"version":1,"block":{"attributes":{"data":{"type":["map","string"],"description":"Map of strings read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data to write.","description_kind":"plain","required":true,"sensitive":true},"delete_all_versions":{"type":"bool","description":"Only applicable for kv-v2 stores. If set, permanently deletes all versions for the specified key.","description_kind":"plain","optional":true},"disable_read":{"type":"bool","description":"Don't attempt to read the token from Vault if true; drift won't be detected.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where the generic secret will be written.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_github_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The mount accessor related to the auth mount.","description_kind":"plain","computed":true},"base_url":{"type":"string","description":"The API endpoint to use. Useful if you are running GitHub Enterprise or an API-compatible authentication server.","description_kind":"plain","optional":true},"description":{"type":"string","description":"Specifies the description of the mount. This overrides the current stored value, if any.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"The organization users must be part of.","description_kind":"plain","required":true},"organization_id":{"type":"number","description":"The ID of the organization users must be part of. 
Vault will attempt to fetch and set this value if it is not provided (vault-1.10+)","description_kind":"plain","optional":true,"computed":true},"path":{"type":"string","description":"Path where the auth backend is mounted","description_kind":"plain","optional":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or 
batch","description_kind":"plain","optional":true},"tune":{"type":["set",["object",{"allowed_response_headers":["list","string"],"audit_non_hmac_request_keys":["list","string"],"audit_non_hmac_response_keys":["list","string"],"default_lease_ttl":"string","listing_visibility":"string","max_lease_ttl":"string","passthrough_request_headers":["list","string"],"token_type":"string"}]],"description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_github_team":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Auth backend to which team mapping will be configured.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["list","string"],"description":"Policies to be assigned to this team.","description_kind":"plain","optional":true},"team":{"type":"string","description":"GitHub team name in \"slugified\" format.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_github_user":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Auth backend to which user mapping will be congigured.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["list","string"],"description":"Policies to be assigned to this user.","description_kind":"plain","optional":true},"user":{"type":"string","description":"GitHub user name.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_identity_entity":{"version":0,"block":{"attributes":{"disabled":{"type":"bool","description":"Whether the entity is disabled. 
Disabled entities' associated tokens cannot be used, but are not revoked.","description_kind":"plain","optional":true},"external_policies":{"type":"bool","description":"Manage policies externally through `vault_identity_entity_policies`.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"metadata":{"type":["map","string"],"description":"Metadata to be associated with the entity.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the entity.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"Policies to be tied to the entity.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_entity_alias":{"version":0,"block":{"attributes":{"canonical_id":{"type":"string","description":"ID of the entity to which this is an alias.","description_kind":"plain","required":true},"custom_metadata":{"type":["map","string"],"description":"Custom metadata to be associated with this alias.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount_accessor":{"type":"string","description":"Mount accessor to which this alias belongs toMount accessor to which this alias belongs to.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the entity alias.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_entity_policies":{"version":0,"block":{"attributes":{"entity_id":{"type":"string","description":"ID of the entity.","description_kind":"plain","required":true},"entity_name":{"type":"string","description":"Name of the entity.","description_kind":"plain","computed":true},"exclusive":{"type":"bool","description":"Should the resource manage policies exclusively","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"Policies to be tied to the entity.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_identity_group":{"version":1,"block":{"attributes":{"external_member_entity_ids":{"type":"bool","description":"Manage member entities externally through `vault_identity_group_member_entity_ids`","description_kind":"plain","optional":true},"external_member_group_ids":{"type":"bool","description":"Manage member groups externally through `vault_identity_group_member_group_ids`","description_kind":"plain","optional":true},"external_policies":{"type":"bool","description":"Manage policies externally through `vault_identity_group_policies`, allows using group ID in assigned policies.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"member_entity_ids":{"type":["set","string"],"description":"Entity IDs to be assigned as group members.","description_kind":"plain","optional":true},"member_group_ids":{"type":["set","string"],"description":"Group IDs to be assigned as group members.","description_kind":"plain","optional":true},"metadata":{"type":["map","string"],"description":"Metadata to be associated with the 
group.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the group.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"Policies to be tied to the group.","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of the group, internal or external. Defaults to internal.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_group_alias":{"version":0,"block":{"attributes":{"canonical_id":{"type":"string","description":"ID of the group to which this is an alias.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount_accessor":{"type":"string","description":"Mount accessor to which this alias belongs to.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the group alias.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_group_member_entity_ids":{"version":0,"block":{"attributes":{"exclusive":{"type":"bool","description":"If set to true, allows the resource to manage member entity ids\nexclusively. 
Beware of race conditions when disabling exclusive management","description_kind":"plain","optional":true},"group_id":{"type":"string","description":"ID of the group.","description_kind":"plain","required":true},"group_name":{"type":"string","description":"Name of the group.","description_kind":"plain","deprecated":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"member_entity_ids":{"type":["set","string"],"description":"Entity IDs to be assigned as group members.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_group_member_group_ids":{"version":0,"block":{"attributes":{"exclusive":{"type":"bool","description":"If set to true, allows the resource to manage member group ids\nexclusively. Beware of race conditions when disabling exclusive management","description_kind":"plain","optional":true},"group_id":{"type":"string","description":"ID of the group.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"member_group_ids":{"type":["set","string"],"description":"Group IDs to be assigned as group members.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_group_policies":{"version":0,"block":{"attributes":{"exclusive":{"type":"bool","description":"Should the resource manage policies exclusively? 
Beware of race conditions when disabling exclusive management","description_kind":"plain","optional":true},"group_id":{"type":"string","description":"ID of the group.","description_kind":"plain","required":true},"group_name":{"type":"string","description":"Name of the group.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"Policies to be tied to the group.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_identity_mfa_duo":{"version":0,"block":{"attributes":{"api_hostname":{"type":"string","description":"API hostname for Duo","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"integration_key":{"type":"string","description":"Integration key for Duo","description_kind":"plain","required":true,"sensitive":true},"method_id":{"type":"string","description":"Method ID.","description_kind":"plain","computed":true},"mount_accessor":{"type":"string","description":"Mount accessor.","description_kind":"plain","computed":true},"name":{"type":"string","description":"Method name.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Method's namespace ID.","description_kind":"plain","computed":true},"namespace_path":{"type":"string","description":"Method's namespace path.","description_kind":"plain","computed":true},"push_info":{"type":"string","description":"Push information for Duo.","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"Secret key for Duo","description_kind":"plain","required":true,"sensitive":true},"type":{"type":"string","description":"MFA type.","description_kind":"plain","computed":true},"use_passcode":{"type":"bool","description":"Require passcode upon MFA validation.","description_kind":"plain","optional":true},"username_format":{"type":"string","description":"A template string for mapping Identity names to MFA methods.","description_kind":"plain","optional":true},"uuid":{"type":"string","description":"Resource UUID.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_mfa_login_enforcement":{"version":0,"block":{"attributes":{"auth_method_accessors":{"type":["set","string"],"description":"Set of auth method accessor IDs.","description_kind":"plain","optional":true},"auth_method_types":{"type":["set","string"],"description":"Set of auth method types.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity_entity_ids":{"type":["set","string"],"description":"Set of identity entity IDs.","description_kind":"plain","optional":true},"identity_group_ids":{"type":["set","string"],"description":"Set of identity group IDs.","description_kind":"plain","optional":true},"mfa_method_ids":{"type":["set","string"],"description":"Set of MFA method UUIDs.","description_kind":"plain","required":true},"name":{"type":"string","description":"Login enforcement 
name.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Method's namespace ID.","description_kind":"plain","computed":true},"namespace_path":{"type":"string","description":"Method's namespace path.","description_kind":"plain","computed":true},"uuid":{"type":"string","description":"Resource UUID.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_mfa_okta":{"version":0,"block":{"attributes":{"api_token":{"type":"string","description":"Okta API token.","description_kind":"plain","required":true,"sensitive":true},"base_url":{"type":"string","description":"The base domain to use for API requests.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"method_id":{"type":"string","description":"Method ID.","description_kind":"plain","computed":true},"mount_accessor":{"type":"string","description":"Mount accessor.","description_kind":"plain","computed":true},"name":{"type":"string","description":"Method name.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Method's namespace ID.","description_kind":"plain","computed":true},"namespace_path":{"type":"string","description":"Method's namespace path.","description_kind":"plain","computed":true},"org_name":{"type":"string","description":"Name of the organization to be used in the Okta API.","description_kind":"plain","required":true},"primary_email":{"type":"bool","description":"Only match the primary email for the account.","description_kind":"plain","optional":true},"type":{"type":"string","description":"MFA type.","description_kind":"plain","computed":true},"username_format":{"type":"string","description":"A template string for mapping Identity names to MFA methods.","description_kind":"plain","optional":true},"uuid":{"type":"string","description":"Resource UUID.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_mfa_pingid":{"version":0,"block":{"attributes":{"admin_url":{"type":"string","description":"The admin URL, derived from \"settings_file_base64\"","description_kind":"plain","computed":true},"authenticator_url":{"type":"string","description":"A unique identifier of the organization, derived from \"settings_file_base64\"","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"idp_url":{"type":"string","description":"The IDP URL, derived from \"settings_file_base64\"","description_kind":"plain","computed":true},"method_id":{"type":"string","description":"Method ID.","description_kind":"plain","computed":true},"mount_accessor":{"type":"string","description":"Mount accessor.","description_kind":"plain","computed":true},"name":{"type":"string","description":"Method name.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Method's namespace ID.","description_kind":"plain","computed":true},"namespace_path":{"type":"string","description":"Method's namespace path.","description_kind":"plain","computed":true},"org_alias":{"type":"string","description":"The name of the PingID client organization, derived from \"settings_file_base64\"","description_kind":"plain","computed":true},"settings_file_base64":{"type":"string","description":"A base64-encoded third-party settings contents as retrieved from PingID's configuration page.","description_kind":"plain","required":true},"type":{"type":"string","description":"MFA type.","description_kind":"plain","computed":true},"use_signature":{"type":"bool","description":"Use signature value, derived from \"settings_file_base64\"","description_kind":"plain","computed":true},"username_format":{"type":"string","description":"A template string for mapping Identity names to MFA methods.","description_kind":"plain","optional":true},"uuid":{"type":"string","description":"Resource UUID.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_mfa_totp":{"version":0,"block":{"attributes":{"algorithm":{"type":"string","description":"Specifies the hashing algorithm used to generate the TOTP code. Options include SHA1, SHA256, SHA512.","description_kind":"plain","optional":true},"digits":{"type":"number","description":"The number of digits in the generated TOTP token. 
This value can either be 6 or 8","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"The name of the key's issuing organization.","description_kind":"plain","required":true},"key_size":{"type":"number","description":"Specifies the size in bytes of the generated key.","description_kind":"plain","optional":true},"max_validation_attempts":{"type":"number","description":"The maximum number of consecutive failed validation attempts allowed.","description_kind":"plain","optional":true},"method_id":{"type":"string","description":"Method ID.","description_kind":"plain","computed":true},"mount_accessor":{"type":"string","description":"Mount accessor.","description_kind":"plain","computed":true},"name":{"type":"string","description":"Method name.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Method's namespace ID.","description_kind":"plain","computed":true},"namespace_path":{"type":"string","description":"Method's namespace path.","description_kind":"plain","computed":true},"period":{"type":"number","description":"The length of time in seconds used to generate a counter for the TOTP token calculation.","description_kind":"plain","optional":true},"qr_size":{"type":"number","description":"The pixel size of the generated square QR code.","description_kind":"plain","optional":true,"computed":true},"skew":{"type":"number","description":"The number of delay periods that are allowed when validating a TOTP token. 
This value can either be 0 or 1.","description_kind":"plain","optional":true},"type":{"type":"string","description":"MFA type.","description_kind":"plain","computed":true},"uuid":{"type":"string","description":"Resource UUID.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_oidc":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"Issuer URL to be used in the iss claim of the token. If not set, Vault's api_addr will be used. The issuer is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components, but no query or fragment components.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_assignment":{"version":0,"block":{"attributes":{"entity_ids":{"type":["set","string"],"description":"A list of Vault entity IDs.","description_kind":"plain","optional":true},"group_ids":{"type":["set","string"],"description":"A list of Vault group IDs.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the assignment.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_client":{"version":0,"block":{"attributes":{"access_token_ttl":{"type":"number","description":"The time-to-live for access tokens obtained by the client.","description_kind":"plain","optional":true,"computed":true},"assignments":{"type":["set","string"],"description":"A list of assignment resources associated with the client.","description_kind":"plain","optional":true},"client_id":{"type":"string","description":"The Client ID from Vault.","description_kind":"plain","computed":true},"client_secret":{"type":"string","description":"The Client Secret from Vault.","description_kind":"plain","computed":true,"sensitive":true},"client_type":{"type":"string","description":"The client type based on its ability to maintain confidentiality of credentials.Defaults to 'confidential'.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"id_token_ttl":{"type":"number","description":"The time-to-live for ID tokens obtained by the client. The value should be less than the verification_ttl on the key.","description_kind":"plain","optional":true,"computed":true},"key":{"type":"string","description":"A reference to a named key resource in Vault. This cannot be modified after creation.","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the client.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"redirect_uris":{"type":["set","string"],"description":"Redirection URI values used by the client. 
One of these values must exactly match the redirect_uri parameter value used in each authentication request.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_key":{"version":0,"block":{"attributes":{"algorithm":{"type":"string","description":"Signing algorithm to use. Signing algorithm to use. Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA.","description_kind":"plain","optional":true},"allowed_client_ids":{"type":["set","string"],"description":"Array of role client ids allowed to use this key for signing. If empty, no roles are allowed. If \"*\", all roles are allowed.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the key.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"rotation_period":{"type":"number","description":"How often to generate a new signing key in number of seconds","description_kind":"plain","optional":true},"verification_ttl":{"type":"number","description":"Controls how long the public portion of a signing key will be available for verification after being rotated in seconds.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_key_allowed_client_id":{"version":0,"block":{"attributes":{"allowed_client_id":{"type":"string","description":"Role Client ID allowed to use the key for signing.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_name":{"type":"string","description":"Name of the key.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_provider":{"version":0,"block":{"attributes":{"allowed_client_ids":{"type":["set","string"],"description":"The client IDs that are permitted to use the provider. If empty, no clients are allowed. If \"*\", all clients are allowed.","description_kind":"plain","optional":true},"https_enabled":{"type":"bool","description":"Set to true if the issuer endpoint uses HTTPS.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"Specifies what will be used as the 'scheme://host:port' component for the 'iss' claim of ID tokens.This value is computed using the issuer_host and https_enabled fields.","description_kind":"plain","computed":true},"issuer_host":{"type":"string","description":"The host for the issuer. Can be either host or host:port.","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of the provider.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"scopes_supported":{"type":["set","string"],"description":"The scopes available for requesting on the provider.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_role":{"version":0,"block":{"attributes":{"client_id":{"type":"string","description":"The value that will be included in the `aud` field of all the OIDC identity tokens issued by this role","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key":{"type":"string","description":"A configured named key, the key must already exist.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"template":{"type":"string","description":"The template string to use for generating tokens. This may be in string-ified JSON or base64 format.","description_kind":"plain","optional":true},"ttl":{"type":"number","description":"TTL of the tokens generated against the role in number of seconds.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_scope":{"version":0,"block":{"attributes":{"description":{"type":"string","description":"The scope's description.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the scope. The openid scope name is reserved.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"template":{"type":"string","description":"The template string for the scope. 
This may be provided as escaped JSON or base64 encoded JSON.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_jwt_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor of the JWT auth backend","description_kind":"plain","computed":true},"bound_issuer":{"type":"string","description":"The value against which to match the iss claim in a JWT","description_kind":"plain","optional":true},"default_role":{"type":"string","description":"The default role to use if none is provided during login","description_kind":"plain","optional":true},"description":{"type":"string","description":"The description of the auth backend","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"jwks_ca_pem":{"type":"string","description":"The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.","description_kind":"plain","optional":true},"jwks_url":{"type":"string","description":"JWKS URL to use to authenticate signatures. Cannot be used with 'oidc_discovery_url' or 'jwt_validation_pubkeys'.","description_kind":"plain","optional":true},"jwt_supported_algs":{"type":["list","string"],"description":"A list of supported signing algorithms. Defaults to [RS256]","description_kind":"plain","optional":true},"jwt_validation_pubkeys":{"type":["list","string"],"description":"A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with 'jwks_url' or 'oidc_discovery_url'. 
","description_kind":"plain","optional":true},"local":{"type":"bool","description":"Specifies if the auth method is local only","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"namespace_in_state":{"type":"bool","description":"Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs.","description_kind":"plain","optional":true},"oidc_client_id":{"type":"string","description":"Client ID used for OIDC","description_kind":"plain","optional":true},"oidc_client_secret":{"type":"string","description":"Client Secret used for OIDC","description_kind":"plain","optional":true,"sensitive":true},"oidc_discovery_ca_pem":{"type":"string","description":"The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used","description_kind":"plain","optional":true},"oidc_discovery_url":{"type":"string","description":"The OIDC Discovery URL, without any .well-known component (base path). Cannot be used with 'jwks_url' or 'jwt_validation_pubkeys'.","description_kind":"plain","optional":true},"oidc_response_mode":{"type":"string","description":"The response mode to be used in the OAuth2 request. Allowed values are 'query' and 'form_post'. Defaults to 'query'. If using Vault namespaces, and oidc_response_mode is 'form_post', then 'namespace_in_state' should be set to false.","description_kind":"plain","optional":true},"oidc_response_types":{"type":["list","string"],"description":"The response types to request. 
Allowed values are 'code' and 'id_token'. Defaults to 'code'. Note: 'id_token' may only be used if 'oidc_response_mode' is set to 'form_post'.","description_kind":"plain","optional":true},"path":{"type":"string","description":"path to mount the backend","description_kind":"plain","optional":true},"provider_config":{"type":["map","string"],"description":"Provider specific handling configuration","description_kind":"plain","optional":true},"tune":{"type":["set",["object",{"allowed_response_headers":["list","string"],"audit_non_hmac_request_keys":["list","string"],"audit_non_hmac_response_keys":["list","string"],"default_lease_ttl":"string","listing_visibility":"string","max_lease_ttl":"string","passthrough_request_headers":["list","string"],"token_type":"string"}]],"description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of backend. Can be either 'jwt' or 'oidc'","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_jwt_auth_backend_role":{"version":0,"block":{"attributes":{"allowed_redirect_uris":{"type":["set","string"],"description":"The list of allowed values for redirect_uri during OIDC logins.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"bound_audiences":{"type":["set","string"],"description":"List of aud claims to match against. Any match is sufficient.","description_kind":"plain","optional":true},"bound_claims":{"type":["map","string"],"description":"Map of claims/values to match against. 
The expected value may be a single string or a comma-separated string list.","description_kind":"plain","optional":true},"bound_claims_type":{"type":"string","description":"How to interpret values in the claims/values map: can be either \"string\" (exact match) or \"glob\" (wildcard match).","description_kind":"plain","optional":true,"computed":true},"bound_subject":{"type":"string","description":"If set, requires that the sub claim matches this value.","description_kind":"plain","optional":true},"claim_mappings":{"type":["map","string"],"description":"Map of claims (keys) to be copied to specified metadata fields (values).","description_kind":"plain","optional":true},"clock_skew_leeway":{"type":"number","description":"The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles.","description_kind":"plain","optional":true},"disable_bound_claims_parsing":{"type":"bool","description":"Disable bound claim value parsing. Useful when values contain commas.","description_kind":"plain","optional":true},"expiration_leeway":{"type":"number","description":"The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles.","description_kind":"plain","optional":true},"groups_claim":{"type":"string","description":"The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. 
The claim value must be a list of strings.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_age":{"type":"number","description":"Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"not_before_leeway":{"type":"number","description":"The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. ","description_kind":"plain","optional":true},"oidc_scopes":{"type":["set","string"],"description":"List of OIDC scopes to be used with an OIDC role. The standard scope \"openid\" is automatically included and need not be specified.","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"role_type":{"type":"string","description":"Type of role, either \"oidc\" (default) or \"jwt\"","description_kind":"plain","optional":true,"computed":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The 
maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true},"user_claim":{"type":"string","description":"The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login.","description_kind":"plain","required":true},"user_claim_json_pointer":{"type":"bool","description":"Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value will not use JSON pointer.","description_kind":"plain","optional":true},"verbose_oidc_logging":{"type":"bool","description":"Log received OIDC tokens and claims when debug-level logging is active. 
Not recommended in production since sensitive information may be present in OIDC responses.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kmip_secret_backend":{"version":1,"block":{"attributes":{"default_tls_client_key_bits":{"type":"number","description":"Client certificate key bits, valid values depend on key type","description_kind":"plain","optional":true,"computed":true},"default_tls_client_key_type":{"type":"string","description":"Client certificate key type, rsa or ec","description_kind":"plain","optional":true,"computed":true},"default_tls_client_ttl":{"type":"number","description":"Client certificate TTL in seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"listen_addrs":{"type":["set","string"],"description":"Addresses the KMIP server should listen on (host:port)","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path where KMIP secret backend will be mounted","description_kind":"plain","required":true},"server_hostnames":{"type":["set","string"],"description":"Hostnames to include in the server's TLS certificate as SAN DNS names. 
The first will be used as the common name (CN)","description_kind":"plain","optional":true,"computed":true},"server_ips":{"type":["set","string"],"description":"IPs to include in the server's TLS certificate as SAN IP addresses","description_kind":"plain","optional":true,"computed":true},"tls_ca_key_bits":{"type":"number","description":"CA key bits, valid values depend on key type","description_kind":"plain","optional":true,"computed":true},"tls_ca_key_type":{"type":"string","description":"CA key type, rsa or ec","description_kind":"plain","optional":true,"computed":true},"tls_min_version":{"type":"string","description":"Minimum TLS version to accept","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_kmip_secret_role":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"operation_activate":{"type":"bool","description":"Grant permission to use the KMIP Activate operation","description_kind":"plain","optional":true,"computed":true},"operation_add_attribute":{"type":"bool","description":"Grant permission to use the KMIP Add Attribute operation","description_kind":"plain","optional":true,"computed":true},"operation_all":{"type":"bool","description":"Grant all permissions to this role. 
May not be specified with any other operation_* params","description_kind":"plain","optional":true,"computed":true},"operation_create":{"type":"bool","description":"Grant permission to use the KMIP Create operation","description_kind":"plain","optional":true,"computed":true},"operation_destroy":{"type":"bool","description":"Grant permission to use the KMIP Destroy operation","description_kind":"plain","optional":true,"computed":true},"operation_discover_versions":{"type":"bool","description":"Grant permission to use the KMIP Discover Version operation","description_kind":"plain","optional":true,"computed":true},"operation_get":{"type":"bool","description":"Grant permission to use the KMIP Get operation","description_kind":"plain","optional":true,"computed":true},"operation_get_attribute_list":{"type":"bool","description":"Grant permission to use the KMIP Get Attribute List operation","description_kind":"plain","optional":true,"computed":true},"operation_get_attributes":{"type":"bool","description":"Grant permission to use the KMIP Get Attributes operation","description_kind":"plain","optional":true,"computed":true},"operation_locate":{"type":"bool","description":"Grant permission to use the KMIP Locate operation","description_kind":"plain","optional":true,"computed":true},"operation_none":{"type":"bool","description":"Remove all permissions from this role. 
May not be specified with any other operation_* params","description_kind":"plain","optional":true,"computed":true},"operation_register":{"type":"bool","description":"Grant permission to use the KMIP Register operation","description_kind":"plain","optional":true,"computed":true},"operation_rekey":{"type":"bool","description":"Grant permission to use the KMIP Rekey operation","description_kind":"plain","optional":true,"computed":true},"operation_revoke":{"type":"bool","description":"Grant permission to use the KMIP Revoke operation","description_kind":"plain","optional":true,"computed":true},"path":{"type":"string","description":"Path where KMIP backend is mounted","description_kind":"plain","required":true},"role":{"type":"string","description":"Name of the role","description_kind":"plain","required":true},"scope":{"type":"string","description":"Name of the scope","description_kind":"plain","required":true},"tls_client_key_bits":{"type":"number","description":"Client certificate key bits, valid values depend on key type","description_kind":"plain","optional":true},"tls_client_key_type":{"type":"string","description":"Client certificate key type, rsa or ec","description_kind":"plain","optional":true},"tls_client_ttl":{"type":"number","description":"Client certificate TTL in seconds","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kmip_secret_scope":{"version":0,"block":{"attributes":{"force":{"type":"bool","description":"Force deletion even if there are managed objects in the scope","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path where KMIP backend is mounted","description_kind":"plain","required":true},"scope":{"type":"string","description":"Name of the scope","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_kubernetes_auth_backend_config":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the kubernetes backend to configure.","description_kind":"plain","optional":true},"disable_iss_validation":{"type":"bool","description":"Optional disable JWT issuer validation. Allows to skip ISS validation.","description_kind":"plain","optional":true,"computed":true},"disable_local_ca_jwt":{"type":"bool","description":"Optional disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.","description_kind":"plain","optional":true},"kubernetes_ca_cert":{"type":"string","description":"PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.","description_kind":"plain","optional":true,"computed":true},"kubernetes_host":{"type":"string","description":"Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"pem_keys":{"type":["list","string"],"description":"Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. 
Not every installation of Kubernetes exposes these keys.","description_kind":"plain","optional":true},"token_reviewer_jwt":{"type":"string","description":"A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.","description_kind":"plain","optional":true,"sensitive":true}},"description_kind":"plain"}},"vault_kubernetes_auth_backend_role":{"version":0,"block":{"attributes":{"alias_name_source":{"type":"string","description":"Configures how identity aliases are generated. Valid choices are: serviceaccount_uid, serviceaccount_name","description_kind":"plain","optional":true,"computed":true},"audience":{"type":"string","description":"Optional Audience claim to verify in the JWT.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the kubernetes backend to configure.","description_kind":"plain","optional":true},"bound_service_account_names":{"type":["set","string"],"description":"List of service account names able to access this role. If set to `[\"*\"]` all names are allowed, both this and bound_service_account_namespaces can not be \"*\".","description_kind":"plain","required":true},"bound_service_account_namespaces":{"type":["set","string"],"description":"List of namespaces allowed to access this role. If set to `[\"*\"]` all namespaces are allowed, both this and bound_service_account_names can not be set to \"*\".","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kubernetes_secret_backend":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"Accessor of the mount","description_kind":"plain","computed":true},"allowed_managed_keys":{"type":["set","string"],"description":"List of managed key registry entry names that the mount in question is allowed to 
access","description_kind":"plain","optional":true},"audit_non_hmac_request_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.","description_kind":"plain","optional":true,"computed":true},"audit_non_hmac_response_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.","description_kind":"plain","optional":true,"computed":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount","description_kind":"plain","optional":true},"disable_local_ca_jwt":{"type":"bool","description":"Disable defaulting to the local CA certificate and service account JWT when running in a Kubernetes pod.","description_kind":"plain","optional":true},"external_entropy_access":{"type":"bool","description":"Enable the secrets engine to access Vault's external entropy source","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"kubernetes_ca_cert":{"type":"string","description":"A PEM-encoded CA certificate used by the secret engine to verify the Kubernetes API server certificate. 
Defaults to the local pod’s CA if found, or otherwise the host's root CA set.","description_kind":"plain","optional":true},"kubernetes_host":{"type":"string","description":"The Kubernetes API URL to connect to.","description_kind":"plain","optional":true},"local":{"type":"bool","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"Specifies mount type specific options that are passed to the backend","description_kind":"plain","optional":true},"path":{"type":"string","description":"Where the secret backend will be mounted","description_kind":"plain","required":true},"seal_wrap":{"type":"bool","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","description_kind":"plain","optional":true,"computed":true},"service_account_jwt":{"type":"string","description":"The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if found.","description_kind":"plain","optional":true,"sensitive":true}},"description_kind":"plain"}},"vault_kubernetes_secret_backend_role":{"version":0,"block":{"attributes":{"allowed_kubernetes_namespaces":{"type":["list","string"],"description":"The list of Kubernetes namespaces this role can generate credentials for. 
If set to '*' all namespaces are allowed.","description_kind":"plain","required":true},"backend":{"type":"string","description":"The mount path for the Kubernetes secrets engine.","description_kind":"plain","required":true},"extra_annotations":{"type":["map","string"],"description":"Additional annotations to apply to all generated Kubernetes objects.","description_kind":"plain","optional":true},"extra_labels":{"type":["map","string"],"description":"Additional labels to apply to all generated Kubernetes objects.","description_kind":"plain","optional":true},"generated_role_rules":{"type":"string","description":"The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with 'service_account_name' and 'kubernetes_role_name'. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"kubernetes_role_name":{"type":"string","description":"The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with 'service_account_name' and 'generated_role_rules'. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.","description_kind":"plain","optional":true},"kubernetes_role_type":{"type":"string","description":"Specifies whether the Kubernetes role is a Role or ClusterRole.","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of the role.","description_kind":"plain","required":true},"name_template":{"type":"string","description":"The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"service_account_name":{"type":"string","description":"The pre-existing service account to generate tokens for. Mutually exclusive with 'kubernetes_role_name' and 'generated_role_rules'. If set, only a Kubernetes token will be created when credentials are requested.","description_kind":"plain","optional":true},"token_default_ttl":{"type":"number","description":"The default TTL for generated Kubernetes tokens in seconds.","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum TTL for generated Kubernetes tokens in seconds.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kv_secret":{"version":0,"block":{"attributes":{"data":{"type":["map","string"],"description":"Map of strings read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data to write.","description_kind":"plain","required":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path of the KV-V1 secret.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_kv_secret_backend_v2":{"version":0,"block":{"attributes":{"cas_required":{"type":"bool","description":"If true, all keys will require the cas parameter to be set on all write requests.","description_kind":"plain","optional":true,"computed":true},"delete_version_after":{"type":"number","description":"If set, specifies the length of time before a version is deleted","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_versions":{"type":"number","description":"The number of versions to keep per key.","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kv_secret_v2":{"version":0,"block":{"attributes":{"cas":{"type":"number","description":"This flag is required if cas_required is set to true on either the secret or the engine's config. 
In order for a write to be successful, cas must be set to the current version of the secret.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"Map of strings read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data to write.","description_kind":"plain","required":true,"sensitive":true},"delete_all_versions":{"type":"bool","description":"If set to true, permanently deletes all versions for the specified key.","description_kind":"plain","optional":true},"disable_read":{"type":"bool","description":"If set to true, disables reading secret from Vault; note: drift won't be detected.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"metadata":{"type":["map","string"],"description":"Metadata associated with this secret read from Vault.","description_kind":"plain","computed":true},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted.","description_kind":"plain","required":true},"name":{"type":"string","description":"Full name of the secret. For a nested secret, the name is the nested path excluding the mount and data prefix. For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz'","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"An object that holds option settings.","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where the KV-V2 secret will be written.","description_kind":"plain","computed":true}},"block_types":{"custom_metadata":{"nesting_mode":"list","block":{"attributes":{"cas_required":{"type":"bool","description":"If true, all keys will require the cas parameter to be set on all write requests.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of arbitrary string to string valued user-provided metadata meant to describe the secret.","description_kind":"plain","optional":true},"delete_version_after":{"type":"number","description":"If set, specifies the length of time before a version is deleted.","description_kind":"plain","optional":true},"max_versions":{"type":"number","description":"The number of versions to keep per key.","description_kind":"plain","optional":true}},"description":"Custom metadata to be set for the secret.","description_kind":"plain"},"max_items":1}},"description_kind":"plain"}},"vault_ldap_auth_backend":{"version":2,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor of the LDAP auth 
backend","description_kind":"plain","computed":true},"binddn":{"type":"string","description_kind":"plain","optional":true,"computed":true},"bindpass":{"type":"string","description_kind":"plain","optional":true,"computed":true,"sensitive":true},"case_sensitive_names":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"certificate":{"type":"string","description_kind":"plain","optional":true,"computed":true},"client_tls_cert":{"type":"string","description_kind":"plain","optional":true,"computed":true},"client_tls_key":{"type":"string","description_kind":"plain","optional":true,"computed":true,"sensitive":true},"deny_null_bind":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description_kind":"plain","optional":true,"computed":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"discoverdn":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"groupattr":{"type":"string","description_kind":"plain","optional":true,"computed":true},"groupdn":{"type":"string","description_kind":"plain","optional":true,"computed":true},"groupfilter":{"type":"string","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"insecure_tls":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Specifies if the auth method is local only","description_kind":"plain","optional":true},"max_page_size":{"type":"number","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description_kind":"plain","optional":true},"starttls":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"tls_max_version":{"type":"string","description_kind":"plain","optional":true,"computed":true},"tls_min_version":{"type":"string","description_kind":"plain","optional":true,"computed":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or 
batch","description_kind":"plain","optional":true},"upndomain":{"type":"string","description_kind":"plain","optional":true,"computed":true},"url":{"type":"string","description_kind":"plain","required":true},"use_token_groups":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"userattr":{"type":"string","description_kind":"plain","optional":true,"computed":true},"userdn":{"type":"string","description_kind":"plain","optional":true,"computed":true},"userfilter":{"type":"string","description_kind":"plain","optional":true,"computed":true},"username_as_alias":{"type":"bool","description":"Force the auth method to use the username passed by the user as the alias name.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_ldap_auth_backend_group":{"version":1,"block":{"attributes":{"backend":{"type":"string","description_kind":"plain","optional":true},"groupname":{"type":"string","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_ldap_auth_backend_user":{"version":1,"block":{"attributes":{"backend":{"type":"string","description_kind":"plain","optional":true},"groups":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"username":{"type":"string","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_ldap_secret_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"Accessor of the mount","description_kind":"plain","computed":true},"allowed_managed_keys":{"type":["set","string"],"description":"List of managed key registry entry names that the mount in question is allowed to access","description_kind":"plain","optional":true},"audit_non_hmac_request_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.","description_kind":"plain","optional":true,"computed":true},"audit_non_hmac_response_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.","description_kind":"plain","optional":true,"computed":true},"binddn":{"type":"string","description":"Distinguished name of object to bind when performing user and group search.","description_kind":"plain","required":true},"bindpass":{"type":"string","description":"LDAP password for searching for the user DN.","description_kind":"plain","required":true,"sensitive":true},"certificate":{"type":"string","description":"CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.","description_kind":"plain","optional":true},"client_tls_cert":{"type":"string","description":"Client certificate to provide to the LDAP server, must be x509 PEM encoded.","description_kind":"plain","optional":true,"sensitive":true},"client_tls_key":{"type":"string","description":"Client certificate key to provide to the LDAP server, must be x509 PEM 
encoded.","description_kind":"plain","optional":true,"sensitive":true},"connection_timeout":{"type":"number","description":"Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.","description_kind":"plain","optional":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"external_entropy_access":{"type":"bool","description":"Enable the secrets engine to access Vault's external entropy source","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"insecure_tls":{"type":"bool","description":"Skip LDAP server SSL Certificate verification - insecure and not recommended for production use.","description_kind":"plain","optional":true},"length":{"type":"number","description":"The desired length of passwords that Vault generates.","description_kind":"plain","deprecated":true,"optional":true,"computed":true},"local":{"type":"bool","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"Specifies mount type specific options that are passed to the backend","description_kind":"plain","optional":true},"password_policy":{"type":"string","description":"Name of the password policy to use to generate passwords.","description_kind":"plain","optional":true},"path":{"type":"string","description":"The path where the LDAP secrets backend is mounted.","description_kind":"plain","optional":true},"request_timeout":{"type":"number","description":"Timeout, in seconds, for the connection when making requests against the server before returning back an error.","description_kind":"plain","optional":true,"computed":true},"schema":{"type":"string","description":"The LDAP schema to use when storing entry passwords. Valid schemas include openldap, ad, and racf.","description_kind":"plain","optional":true,"computed":true},"seal_wrap":{"type":"bool","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","description_kind":"plain","optional":true,"computed":true},"starttls":{"type":"bool","description":"Issue a StartTLS command after establishing unencrypted connection.","description_kind":"plain","optional":true,"computed":true},"upndomain":{"type":"string","description":"Enables userPrincipalDomain login with [username]@UPNDomain.","description_kind":"plain","optional":true,"computed":true},"url":{"type":"string","description":"LDAP URL to connect to (default: ldap://127.0.0.1). 
Multiple URLs can be specified by concatenating them with commas; they will be tried in-order.","description_kind":"plain","optional":true,"computed":true},"userattr":{"type":"string","description":"Attribute used for users (default: cn)","description_kind":"plain","optional":true,"computed":true},"userdn":{"type":"string","description":"LDAP domain to use for users (eg: ou=People,dc=example,dc=org)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_ldap_secret_backend_dynamic_role":{"version":0,"block":{"attributes":{"creation_ldif":{"type":"string","description":"A templatized LDIF string used to create a user account. May contain multiple entries.","description_kind":"plain","required":true},"default_ttl":{"type":"number","description":"Specifies the TTL for the leases associated with this role.","description_kind":"plain","optional":true},"deletion_ldif":{"type":"string","description":"A templatized LDIF string used to delete the user account once its TTL has expired. This may contain multiple LDIF entries.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"Specifies the maximum TTL for the leases associated with this role.","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the LDAP secrets backend is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"rollback_ldif":{"type":"string","description":"A templatized LDIF string used to attempt to rollback any changes in the event that execution of the creation_ldif results in an error. 
This may contain multiple LDIF entries.","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"A template used to generate a dynamic username. This will be used to fill in the .Username field within the creation_ldif string.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_ldap_secret_backend_library_set":{"version":0,"block":{"attributes":{"disable_check_in_enforcement":{"type":"bool","description":"Disable enforcing that service accounts must be checked in by the entity or client token that checked them out.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"The maximum amount of time a check-out last with renewal before Vault automatically checks it back in. Defaults to 24 hours.","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"The path where the LDAP secrets backend is mounted.","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of the set of service accounts.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"service_account_names":{"type":["list","string"],"description":"The names of all the service accounts that can be checked out from this set.","description_kind":"plain","required":true},"ttl":{"type":"number","description":"The maximum amount of time a single check-out lasts before Vault automatically checks it back in. 
Defaults to 24 hours.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_ldap_secret_backend_static_role":{"version":0,"block":{"attributes":{"dn":{"type":"string","description":"Distinguished name (DN) of the existing LDAP entry to manage password rotation for.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"The path where the LDAP secrets backend is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"rotation_period":{"type":"number","description":"How often Vault should rotate the password of the user entry.","description_kind":"plain","required":true},"username":{"type":"string","description":"The username of the existing LDAP entry to manage password rotation for.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_managed_keys":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"block_types":{"aws":{"nesting_mode":"set","block":{"attributes":{"access_key":{"type":"string","description":"The AWS access key to use","description_kind":"plain","required":true},"allow_generate_key":{"type":"bool","description":"If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend","description_kind":"plain","optional":true,"computed":true},"allow_replace_key":{"type":"bool","description":"Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.","description_kind":"plain","optional":true,"computed":true},"allow_store_key":{"type":"bool","description":"Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden","description_kind":"plain","optional":true,"computed":true},"any_mount":{"type":"bool","description":"Allow usage from any mount point within the namespace if 'true'","description_kind":"plain","optional":true,"computed":true},"curve":{"type":"string","description":"The curve to use for an ECDSA key. Used when key_type is 'ECDSA'. Required if 'allow_generate_key' is true","description_kind":"plain","optional":true},"endpoint":{"type":"string","description":"Used to specify a custom AWS endpoint","description_kind":"plain","optional":true},"key_bits":{"type":"string","description":"The size in bits for an RSA key. 
This field is required when 'key_type' is 'RSA'","description_kind":"plain","required":true},"key_type":{"type":"string","description":"The type of key to use","description_kind":"plain","required":true},"kms_key":{"type":"string","description":"An identifier for the key","description_kind":"plain","required":true},"name":{"type":"string","description":"A unique lowercase name that serves as identifying the key","description_kind":"plain","required":true},"region":{"type":"string","description":"The AWS region where the keys are stored (or will be stored)","description_kind":"plain","optional":true,"computed":true},"secret_key":{"type":"string","description":"The AWS secret key to use","description_kind":"plain","required":true},"uuid":{"type":"string","description":"ID of the managed key read from Vault","description_kind":"plain","computed":true}},"description":"Configuration block for AWS Managed Keys","description_kind":"plain"}},"azure":{"nesting_mode":"set","block":{"attributes":{"allow_generate_key":{"type":"bool","description":"If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend","description_kind":"plain","optional":true,"computed":true},"allow_replace_key":{"type":"bool","description":"Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.","description_kind":"plain","optional":true,"computed":true},"allow_store_key":{"type":"bool","description":"Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden","description_kind":"plain","optional":true,"computed":true},"any_mount":{"type":"bool","description":"Allow usage from any mount point within the namespace if 'true'","description_kind":"plain","optional":true,"computed":true},"client_id":{"type":"string","description":"The client id for 
credentials to query the Azure APIs","description_kind":"plain","required":true},"client_secret":{"type":"string","description":"The client secret for credentials to query the Azure APIs","description_kind":"plain","required":true},"environment":{"type":"string","description":"The Azure Cloud environment API endpoints to use","description_kind":"plain","optional":true,"computed":true},"key_bits":{"type":"string","description":"The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' or when 'allow_generate_key' is true","description_kind":"plain","optional":true},"key_name":{"type":"string","description":"The Key Vault key to use for encryption and decryption","description_kind":"plain","required":true},"key_type":{"type":"string","description":"The type of key to use","description_kind":"plain","required":true},"name":{"type":"string","description":"A unique lowercase name that serves as identifying the key","description_kind":"plain","required":true},"resource":{"type":"string","description":"The Azure Key Vault resource's DNS Suffix to connect to","description_kind":"plain","optional":true,"computed":true},"tenant_id":{"type":"string","description":"The tenant id for the Azure Active Directory organization","description_kind":"plain","required":true},"uuid":{"type":"string","description":"ID of the managed key read from Vault","description_kind":"plain","computed":true},"vault_name":{"type":"string","description":"The Key Vault vault to use the encryption keys for encryption and decryption","description_kind":"plain","required":true}},"description":"Configuration block for Azure Managed Keys","description_kind":"plain"}},"pkcs":{"nesting_mode":"set","block":{"attributes":{"allow_generate_key":{"type":"bool","description":"If no existing key can be found in the referenced backend, instructs Vault to generate a key within the 
backend","description_kind":"plain","optional":true,"computed":true},"allow_replace_key":{"type":"bool","description":"Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.","description_kind":"plain","optional":true,"computed":true},"allow_store_key":{"type":"bool","description":"Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden","description_kind":"plain","optional":true,"computed":true},"any_mount":{"type":"bool","description":"Allow usage from any mount point within the namespace if 'true'","description_kind":"plain","optional":true,"computed":true},"curve":{"type":"string","description":"Supplies the curve value when using the 'CKM_ECDSA' mechanism. Required if 'allow_generate_key' is true","description_kind":"plain","optional":true},"force_rw_session":{"type":"string","description":"Force all operations to open up a read-write session to the HSM","description_kind":"plain","optional":true},"key_bits":{"type":"string","description":"Supplies the size in bits of the key when using 'CKM_RSA_PKCS_PSS', 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. 
Required if 'allow_generate_key' is true","description_kind":"plain","optional":true},"key_id":{"type":"string","description":"The id of a PKCS#11 key to use","description_kind":"plain","required":true},"key_label":{"type":"string","description":"The label of the key to use","description_kind":"plain","required":true},"library":{"type":"string","description":"The name of the kms_library stanza to use from Vault's config to lookup the local library path","description_kind":"plain","required":true},"mechanism":{"type":"string","description":"The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.","description_kind":"plain","required":true},"name":{"type":"string","description":"A unique lowercase name that serves as identifying the key","description_kind":"plain","required":true},"pin":{"type":"string","description":"The PIN for login","description_kind":"plain","required":true},"slot":{"type":"string","description":"The slot number to use, specified as a string in a decimal format (e.g. '2305843009213693953')","description_kind":"plain","optional":true},"token_label":{"type":"string","description":"The slot token label to use","description_kind":"plain","optional":true},"uuid":{"type":"string","description":"ID of the managed key read from Vault","description_kind":"plain","computed":true}},"description":"Configuration block for PKCS Managed Keys","description_kind":"plain"}}},"description_kind":"plain"}},"vault_mfa_duo":{"version":0,"block":{"attributes":{"api_hostname":{"type":"string","description":"API hostname for Duo.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"integration_key":{"type":"string","description":"Integration key for Duo.","description_kind":"plain","required":true,"sensitive":true},"mount_accessor":{"type":"string","description":"The mount to tie this method to for use in automatic mappings. 
The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the MFA method.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"push_info":{"type":"string","description":"Push information for Duo.","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"Secret key for Duo.","description_kind":"plain","required":true,"sensitive":true},"username_format":{"type":"string","description":"A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_mfa_okta":{"version":0,"block":{"attributes":{"api_token":{"type":"string","description":"Okta API key.","description_kind":"plain","required":true,"sensitive":true},"base_url":{"type":"string","description":"If set, will be used as the base domain for API requests.","description_kind":"plain","optional":true},"id":{"type":"string","description":"ID computed by Vault.","description_kind":"plain","optional":true,"computed":true},"mount_accessor":{"type":"string","description":"The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the MFA method.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"org_name":{"type":"string","description":"Name of the organization to be used in the Okta API.","description_kind":"plain","required":true},"primary_email":{"type":"bool","description":"If set to true, the username will only match the primary email for the account.","description_kind":"plain","optional":true},"username_format":{"type":"string","description":"A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_mfa_pingid":{"version":0,"block":{"attributes":{"admin_url":{"type":"string","description":"Admin URL computed by Vault.","description_kind":"plain","computed":true},"authenticator_url":{"type":"string","description":"Authenticator URL computed by Vault.","description_kind":"plain","computed":true},"id":{"type":"string","description":"ID computed by Vault.","description_kind":"plain","optional":true,"computed":true},"idp_url":{"type":"string","description":"IDP URL computed by Vault.","description_kind":"plain","computed":true},"mount_accessor":{"type":"string","description":"The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the MFA method.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Namespace ID computed by Vault.","description_kind":"plain","computed":true},"org_alias":{"type":"string","description":"Org Alias computed by Vault.","description_kind":"plain","computed":true},"settings_file_base64":{"type":"string","description":"A base64-encoded third-party settings file retrieved from PingID's configuration page.","description_kind":"plain","required":true},"type":{"type":"string","description":"Type of configuration computed by Vault.","description_kind":"plain","computed":true},"use_signature":{"type":"bool","description":"If set, enables use of PingID signature. Computed by Vault","description_kind":"plain","computed":true},"username_format":{"type":"string","description":"A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_mfa_totp":{"version":0,"block":{"attributes":{"algorithm":{"type":"string","description":"Specifies the hashing algorithm used to generate the TOTP code. Options include 'SHA1', 'SHA256' and 'SHA512'.","description_kind":"plain","optional":true},"digits":{"type":"number","description":"The number of digits in the generated TOTP token. This value can either be 6 or 8.","description_kind":"plain","optional":true},"id":{"type":"string","description":"ID computed by Vault.","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"The name of the key's issuing organization.","description_kind":"plain","required":true},"key_size":{"type":"number","description":"Specifies the size in bytes of the generated key.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the MFA method.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"period":{"type":"number","description":"The length of time used to generate a counter for the TOTP token calculation.","description_kind":"plain","optional":true},"qr_size":{"type":"number","description":"The pixel size of the generated square QR code.","description_kind":"plain","optional":true},"skew":{"type":"number","description":"The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_mongodbatlas_secret_backend":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Path where MongoDB Atlas secret backend is mounted","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path where MongoDB Atlas configuration is located","description_kind":"plain","computed":true},"private_key":{"type":"string","description":"The Private Programmatic API Key used to connect with MongoDB Atlas API","description_kind":"plain","required":true},"public_key":{"type":"string","description":"The Public Programmatic API Key used to authenticate with the MongoDB Atlas API","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_mongodbatlas_secret_role":{"version":0,"block":{"attributes":{"cidr_blocks":{"type":["list","string"],"description":"Whitelist entry in CIDR notation to be added for the API key","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_addresses":{"type":["list","string"],"description":"IP address to be added to the whitelist for the API 
key","description_kind":"plain","optional":true},"max_ttl":{"type":"string","description":"The maximum allowed lifetime of credentials issued using this role","description_kind":"plain","optional":true},"mount":{"type":"string","description":"Path where MongoDB Atlas secret backend is mounted","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the role","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"organization_id":{"type":"string","description":"ID for the organization to which the target API Key belongs","description_kind":"plain","optional":true},"project_id":{"type":"string","description":"ID for the project to which the target API Key belongs","description_kind":"plain","optional":true},"project_roles":{"type":["list","string"],"description":"Roles assigned when an org API key is assigned to a project API key","description_kind":"plain","optional":true},"roles":{"type":["list","string"],"description":"List of roles that the API Key needs to have","description_kind":"plain","required":true},"ttl":{"type":"string","description":"Duration in seconds after which the issued credential should expire","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_mount":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"Accessor of the mount","description_kind":"plain","computed":true},"allowed_managed_keys":{"type":["set","string"],"description":"List of managed key registry entry names that the mount in question is allowed to access","description_kind":"plain","optional":true},"audit_non_hmac_request_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data 
object.","description_kind":"plain","optional":true,"computed":true},"audit_non_hmac_response_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.","description_kind":"plain","optional":true,"computed":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount","description_kind":"plain","optional":true},"external_entropy_access":{"type":"bool","description":"Enable the secrets engine to access Vault's external entropy source","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"Specifies mount type specific options that are passed to the backend","description_kind":"plain","optional":true},"path":{"type":"string","description":"Where the secret backend will be mounted","description_kind":"plain","required":true},"seal_wrap":{"type":"bool","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of the backend, such as 'aws'","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_namespace":{"version":0,"block":{"attributes":{"custom_metadata":{"type":["map","string"],"description":"Custom metadata describing this namespace. Value type is map[string]string.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Namespace ID.","description_kind":"plain","computed":true},"path":{"type":"string","description":"Namespace path.","description_kind":"plain","required":true},"path_fq":{"type":"string","description":"The fully qualified namespace path.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_nomad_secret_backend":{"version":1,"block":{"attributes":{"address":{"type":"string","description":"Specifies the address of the Nomad instance, provided as \"protocol://host:port\" like \"http://127.0.0.1:4646\".","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The mount path for the Nomad backend.","description_kind":"plain","optional":true},"ca_cert":{"type":"string","description":"CA certificate to use when verifying Nomad server certificate, must be x509 PEM encoded.","description_kind":"plain","optional":true},"client_cert":{"type":"string","description":"Client certificate used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_key.","description_kind":"plain","optional":true,"sensitive":true},"client_key":{"type":"string","description":"Client key used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert.","description_kind":"plain","optional":true,"sensitive":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds.","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path 
updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Mark the secrets engine as local-only. Local engines are not replicated or removed by replication. Tolerance duration to use when checking the last rotation time.","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds.","description_kind":"plain","optional":true,"computed":true},"max_token_name_length":{"type":"number","description":"Specifies the maximum length to use for the name of the Nomad token generated with Generate Credential. If omitted, 0 is used and ignored, defaulting to the max value allowed by the Nomad version.","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"Maximum possible lease duration for secrets in seconds.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"token":{"type":"string","description":"Specifies the Nomad Management token to use.","description_kind":"plain","optional":true,"sensitive":true},"ttl":{"type":"number","description":"Maximum possible lease duration for secrets in seconds.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_nomad_secret_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The mount path for the Nomad backend.","description_kind":"plain","required":true},"global":{"type":"bool","description":"Specifies if the token should be global.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["list","string"],"description":"Comma separated list of Nomad policies the token is going to be created against. These need to be created beforehand in Nomad.","description_kind":"plain","optional":true,"computed":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"type":{"type":"string","description":"Specifies the type of token to create when using this role. Valid values are \"client\" or \"management\".","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_okta_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The mount accessor related to the auth mount.","description_kind":"plain","computed":true},"base_url":{"type":"string","description":"The Okta url. Examples: oktapreview.com, okta.com (default)","description_kind":"plain","optional":true},"bypass_okta_mfa":{"type":"bool","description":"When true, requests by Okta for a MFA check will be bypassed. This also disallows certain status checks on the account, such as whether the password is expired.","description_kind":"plain","optional":true},"description":{"type":"string","description":"The description of the auth backend","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"group":{"type":["set",["object",{"group_name":"string","policies":["set","string"]}]],"description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"string","description":"Maximum duration after which authentication will be expired","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"The Okta organization. This will be the first part of the url https://XXX.okta.com.","description_kind":"plain","required":true},"path":{"type":"string","description":"path to mount the backend","description_kind":"plain","optional":true},"token":{"type":"string","description":"The Okta API token. This is required to query Okta for user group membership. If this is not supplied only locally configured groups will be enabled.","description_kind":"plain","optional":true,"sensitive":true},"ttl":{"type":"string","description":"Duration after which authentication will be expired","description_kind":"plain","optional":true},"user":{"type":["set",["object",{"groups":["set","string"],"policies":["set","string"],"username":"string"}]],"description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_okta_auth_backend_group":{"version":0,"block":{"attributes":{"group_name":{"type":"string","description":"Name of the Okta group","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to the Okta auth backend","description_kind":"plain","required":true},"policies":{"type":["set","string"],"description":"Policies to associate with this group","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_okta_auth_backend_user":{"version":0,"block":{"attributes":{"groups":{"type":["set","string"],"description":"Groups within the Okta auth backend to associate with this user","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to the Okta auth backend","description_kind":"plain","required":true},"policies":{"type":["set","string"],"description":"Policies to associate with this user","description_kind":"plain","optional":true},"username":{"type":"string","description":"Name of the user within Okta","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_password_policy":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the password policy.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policy":{"type":"string","description":"The password policy document","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_pki_secret_backend_cert":{"version":0,"block":{"attributes":{"alt_names":{"type":["list","string"],"description":"List of alternative names.","description_kind":"plain","optional":true},"auto_renew":{"type":"bool","description":"If enabled, a new certificate will be generated if the expiration is within min_seconds_remaining","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"ca_chain":{"type":"string","description":"The CA chain.","description_kind":"plain","computed":true},"certificate":{"type":"string","description":"The certicate.","description_kind":"plain","computed":true},"common_name":{"type":"string","description":"CN of the certificate to create.","description_kind":"plain","required":true},"exclude_cn_from_sans":{"type":"bool","description":"Flag to exclude CN from 
SANs.","description_kind":"plain","optional":true},"expiration":{"type":"number","description":"The certificate expiration as a Unix-style timestamp.","description_kind":"plain","computed":true},"format":{"type":"string","description":"The format of data.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_sans":{"type":["list","string"],"description":"List of alternative IPs.","description_kind":"plain","optional":true},"issuer_ref":{"type":"string","description":"Specifies the default issuer of this request.","description_kind":"plain","optional":true},"issuing_ca":{"type":"string","description":"The issuing CA.","description_kind":"plain","computed":true},"min_seconds_remaining":{"type":"number","description":"Generate a new certificate when the expiration is within this number of seconds","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the role to create the certificate against.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"other_sans":{"type":["list","string"],"description":"List of other SANs.","description_kind":"plain","optional":true},"private_key":{"type":"string","description":"The private key.","description_kind":"plain","computed":true,"sensitive":true},"private_key_format":{"type":"string","description":"The private key format.","description_kind":"plain","optional":true},"private_key_type":{"type":"string","description":"The private key type.","description_kind":"plain","computed":true},"renew_pending":{"type":"bool","description":"Initially false, and then set to true during refresh once the expiration is less than min_seconds_remaining in the future.","description_kind":"plain","computed":true},"revoke":{"type":"bool","description":"Revoke the certificate upon resource destruction.","description_kind":"plain","optional":true},"serial_number":{"type":"string","description":"The serial number.","description_kind":"plain","computed":true},"ttl":{"type":"string","description":"Time to live.","description_kind":"plain","optional":true},"uri_sans":{"type":["list","string"],"description":"List of alternative URIs.","description_kind":"plain","optional":true},"user_ids":{"type":["list","string"],"description":"List of Subject User IDs.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_config_ca":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"pem_bundle":{"type":"string","description":"The key and certificate PEM bundle.","description_kind":"plain","required":true,"sensitive":true}},"description_kind":"plain"}},"vault_pki_secret_backend_config_issuers":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"default":{"type":"string","description":"Specifies the default issuer by ID.","description_kind":"plain","optional":true},"default_follows_latest_issuer":{"type":"bool","description":"Specifies whether a root creation or an issuer import operation updates the default issuer to the newly added issuer.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_config_urls":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"crl_distribution_points":{"type":["list","string"],"description":"Specifies the URL values for the CRL Distribution Points field.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuing_certificates":{"type":["list","string"],"description":"Specifies the URL values for the Issuing Certificate field.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"ocsp_servers":{"type":["list","string"],"description":"Specifies the URL values for the OCSP Servers field.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_crl_config":{"version":0,"block":{"attributes":{"auto_rebuild":{"type":"bool","description":"Enables or disables periodic rebuilding of the CRL upon expiry.","description_kind":"plain","optional":true},"auto_rebuild_grace_period":{"type":"string","description":"Grace period before CRL expiry to attempt rebuild of CRL.","description_kind":"plain","optional":true,"computed":true},"backend":{"type":"string","description":"The path of the PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"cross_cluster_revocation":{"type":"bool","description":"Enable cross-cluster revocation request queues.","description_kind":"plain","optional":true,"computed":true},"delta_rebuild_interval":{"type":"string","description":"Interval to check for new revocations on, to regenerate the delta CRL.","description_kind":"plain","optional":true,"computed":true},"disable":{"type":"bool","description":"Disables or enables CRL building","description_kind":"plain","optional":true},"enable_delta":{"type":"bool","description":"Enables or disables building of delta CRLs with up-to-date revocation information, augmenting the last complete CRL.","description_kind":"plain","optional":true},"expiry":{"type":"string","description":"Specifies the time until expiration.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"ocsp_disable":{"type":"bool","description":"Disables or enables the OCSP responder in Vault.","description_kind":"plain","optional":true},"ocsp_expiry":{"type":"string","description":"The amount of time an OCSP response can be cached for, useful for OCSP stapling refresh durations.","description_kind":"plain","optional":true,"computed":true},"unified_crl":{"type":"bool","description":"Enables unified CRL and OCSP building.","description_kind":"plain","optional":true,"computed":true},"unified_crl_on_existing_paths":{"type":"bool","description":"Enables serving the unified CRL and OCSP on the existing, previously cluster-local paths.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_pki_secret_backend_intermediate_cert_request":{"version":0,"block":{"attributes":{"add_basic_constraints":{"type":"bool","description":"Set 'CA: true' in a Basic Constraints extension. Only needed as\na workaround in some compatibility scenarios with Active Directory Certificate Services.","description_kind":"plain","optional":true},"alt_names":{"type":["list","string"],"description":"List of alternative names.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"common_name":{"type":"string","description":"CN of intermediate to create.","description_kind":"plain","required":true},"country":{"type":"string","description":"The country.","description_kind":"plain","optional":true},"csr":{"type":"string","description":"The CSR.","description_kind":"plain","computed":true},"exclude_cn_from_sans":{"type":"bool","description":"Flag to exclude CN from SANs.","description_kind":"plain","optional":true},"format":{"type":"string","description":"The format of 
data.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_sans":{"type":["list","string"],"description":"List of alternative IPs.","description_kind":"plain","optional":true},"key_bits":{"type":"number","description":"The number of bits to use.","description_kind":"plain","optional":true},"key_id":{"type":"string","description":"The ID of the generated key.","description_kind":"plain","computed":true},"key_name":{"type":"string","description":"When a new key is created with this request, optionally specifies the name for this.","description_kind":"plain","optional":true,"computed":true},"key_ref":{"type":"string","description":"Specifies the key to use for generating this request.","description_kind":"plain","optional":true,"computed":true},"key_type":{"type":"string","description":"The desired key type.","description_kind":"plain","optional":true},"locality":{"type":"string","description":"The locality.","description_kind":"plain","optional":true},"managed_key_id":{"type":"string","description":"The ID of the previously configured managed key.","description_kind":"plain","optional":true},"managed_key_name":{"type":"string","description":"The name of the previously configured managed key.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"The organization.","description_kind":"plain","optional":true},"other_sans":{"type":["list","string"],"description":"List of other SANs.","description_kind":"plain","optional":true},"ou":{"type":"string","description":"The organization unit.","description_kind":"plain","optional":true},"postal_code":{"type":"string","description":"The postal code.","description_kind":"plain","optional":true},"private_key":{"type":"string","description":"The private key.","description_kind":"plain","computed":true,"sensitive":true},"private_key_format":{"type":"string","description":"The private key format.","description_kind":"plain","optional":true},"private_key_type":{"type":"string","description":"The private key type.","description_kind":"plain","computed":true},"province":{"type":"string","description":"The province.","description_kind":"plain","optional":true},"street_address":{"type":"string","description":"The street address.","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of intermediate to create. 
Must be either \"existing\", \"exported\", \"internal\" or \"kms\"","description_kind":"plain","required":true},"uri_sans":{"type":["list","string"],"description":"List of alternative URIs.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_intermediate_set_signed":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"certificate":{"type":"string","description":"The certificate.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"imported_issuers":{"type":["list","string"],"description":"The imported issuers.","description_kind":"plain","computed":true},"imported_keys":{"type":["list","string"],"description":"The imported keys.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_issuer":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"crl_distribution_points":{"type":["list","string"],"description":"Specifies the URL values for the CRL Distribution Points field.","description_kind":"plain","optional":true},"enable_aia_url_templating":{"type":"bool","description":"Specifies that the AIA URL values should be templated.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer_id":{"type":"string","description":"ID of the issuer.","description_kind":"plain","computed":true},"issuer_name":{"type":"string","description":"Reference to an existing issuer.","description_kind":"plain","optional":true},"issuer_ref":{"type":"string","description":"Reference to an existing 
issuer.","description_kind":"plain","required":true},"issuing_certificates":{"type":["list","string"],"description":"Specifies the URL values for the Issuing Certificate field.","description_kind":"plain","optional":true},"leaf_not_after_behavior":{"type":"string","description":"Behavior of a leaf's 'NotAfter' field during issuance.","description_kind":"plain","optional":true,"computed":true},"manual_chain":{"type":["list","string"],"description":"Chain of issuer references to build this issuer's computed CAChain field from, when non-empty.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"ocsp_servers":{"type":["list","string"],"description":"Specifies the URL values for the OCSP Servers field.","description_kind":"plain","optional":true},"revocation_signature_algorithm":{"type":"string","description":"Which signature algorithm to use when building CRLs.","description_kind":"plain","optional":true,"computed":true},"usage":{"type":"string","description":"Comma-separated list of allowed usages for this issuer.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_pki_secret_backend_key":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_bits":{"type":"number","description":"Specifies the number of bits to use for the generated keys.","description_kind":"plain","optional":true,"computed":true},"key_id":{"type":"string","description":"ID of the generated key.","description_kind":"plain","computed":true},"key_name":{"type":"string","description":"When a new key is created with this request, optionally specifies the name for 
this.","description_kind":"plain","optional":true},"key_type":{"type":"string","description":"Specifies the desired key type; must be 'rsa', 'ed25519' or 'ec'.","description_kind":"plain","optional":true,"computed":true},"managed_key_id":{"type":"string","description":"The managed key's UUID.","description_kind":"plain","optional":true},"managed_key_name":{"type":"string","description":"The managed key's configured name.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"type":{"type":"string","description":"Specifies the type of the key to create.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_pki_secret_backend_role":{"version":0,"block":{"attributes":{"allow_any_name":{"type":"bool","description":"Flag to allow any name","description_kind":"plain","optional":true},"allow_bare_domains":{"type":"bool","description":"Flag to allow certificates matching the actual domain.","description_kind":"plain","optional":true},"allow_glob_domains":{"type":"bool","description":"Flag to allow names containing glob patterns.","description_kind":"plain","optional":true},"allow_ip_sans":{"type":"bool","description":"Flag to allow IP SANs","description_kind":"plain","optional":true},"allow_localhost":{"type":"bool","description":"Flag to allow certificates for localhost.","description_kind":"plain","optional":true},"allow_subdomains":{"type":"bool","description":"Flag to allow certificates matching subdomains.","description_kind":"plain","optional":true},"allow_wildcard_certificates":{"type":"bool","description":"Flag to allow wildcard certificates","description_kind":"plain","optional":true},"allowed_domains":{"type":["list","string"],"description":"The domains of the role.","description_kind":"plain","optional":true},"allowed_domains_template":{"type":"bool","description":"Flag to indicate that `allowed_domains` specifies a 
template expression (e.g. {{identity.entity.aliases.\u003cmount accessor\u003e.name}})","description_kind":"plain","optional":true},"allowed_other_sans":{"type":["list","string"],"description":"Defines allowed custom SANs","description_kind":"plain","optional":true},"allowed_serial_numbers":{"type":["list","string"],"description":"Defines allowed Subject serial numbers.","description_kind":"plain","optional":true},"allowed_uri_sans":{"type":["list","string"],"description":"Defines allowed URI SANs","description_kind":"plain","optional":true},"allowed_uri_sans_template":{"type":"bool","description":"Flag to indicate that `allowed_uri_sans` specifies a template expression (e.g. {{identity.entity.aliases.\u003cmount accessor\u003e.name}})","description_kind":"plain","optional":true,"computed":true},"allowed_user_ids":{"type":["list","string"],"description":"The allowed User ID's.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The path of the PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"basic_constraints_valid_for_non_ca":{"type":"bool","description":"Flag to mark basic constraints valid when issuing non-CA certificates.","description_kind":"plain","optional":true},"client_flag":{"type":"bool","description":"Flag to specify certificates for client use.","description_kind":"plain","optional":true},"code_signing_flag":{"type":"bool","description":"Flag to specify certificates for code signing use.","description_kind":"plain","optional":true},"country":{"type":["list","string"],"description":"The country of generated certificates.","description_kind":"plain","optional":true},"email_protection_flag":{"type":"bool","description":"Flag to specify certificates for email protection use.","description_kind":"plain","optional":true},"enforce_hostnames":{"type":"bool","description":"Flag to allow only valid host 
names","description_kind":"plain","optional":true},"ext_key_usage":{"type":["list","string"],"description":"Specify the allowed extended key usage constraint on issued certificates.","description_kind":"plain","optional":true},"ext_key_usage_oids":{"type":["list","string"],"description":"A list of extended key usage OIDs.","description_kind":"plain","optional":true},"generate_lease":{"type":"bool","description":"Flag to generate leases with certificates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer_ref":{"type":"string","description":"Specifies the default issuer of this request.","description_kind":"plain","optional":true,"computed":true},"key_bits":{"type":"number","description":"The number of bits of generated keys.","description_kind":"plain","optional":true},"key_type":{"type":"string","description":"The generated key type.","description_kind":"plain","optional":true},"key_usage":{"type":["list","string"],"description":"Specify the allowed key usage constraint on issued certificates.","description_kind":"plain","optional":true,"computed":true},"locality":{"type":["list","string"],"description":"The locality of generated certificates.","description_kind":"plain","optional":true},"max_ttl":{"type":"string","description":"The maximum TTL.","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name for the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"no_store":{"type":"bool","description":"Flag to not store certificates in the storage backend.","description_kind":"plain","optional":true},"not_before_duration":{"type":"string","description":"Specifies the duration by which to backdate the NotBefore property.","description_kind":"plain","optional":true,"computed":true},"organization":{"type":["list","string"],"description":"The organization of generated certificates.","description_kind":"plain","optional":true},"ou":{"type":["list","string"],"description":"The organization unit of generated certificates.","description_kind":"plain","optional":true},"policy_identifiers":{"type":["list","string"],"description":"Specify the list of allowed policies OIDs.","description_kind":"plain","optional":true},"postal_code":{"type":["list","string"],"description":"The postal code of generated certificates.","description_kind":"plain","optional":true},"province":{"type":["list","string"],"description":"The province of generated certificates.","description_kind":"plain","optional":true},"require_cn":{"type":"bool","description":"Flag to force CN usage.","description_kind":"plain","optional":true},"server_flag":{"type":"bool","description":"Flag to specify certificates for server use.","description_kind":"plain","optional":true},"street_address":{"type":["list","string"],"description":"The street address of generated certificates.","description_kind":"plain","optional":true},"ttl":{"type":"string","description":"The TTL.","description_kind":"plain","optional":true,"computed":true},"use_csr_common_name":{"type":"bool","description":"Flag to use the CN in the CSR.","description_kind":"plain","optional":true},"use_csr_sans":{"type":"bool","description":"Flag to use the SANs in the CSR.","description_kind":"plain","optional":true}},"block_types":{"policy_identifier":{"nesting_mode":"set","block":{"attributes":{"cps":{"type":"string","description":"Optional CPS 
URL","description_kind":"plain","optional":true},"notice":{"type":"string","description":"Optional notice","description_kind":"plain","optional":true},"oid":{"type":"string","description":"OID","description_kind":"plain","required":true}},"description":"Policy identifier block; can only be used with Vault 1.11+","description_kind":"plain"}}},"description_kind":"plain"}},"vault_pki_secret_backend_root_cert":{"version":1,"block":{"attributes":{"alt_names":{"type":["list","string"],"description":"List of alternative names.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"certificate":{"type":"string","description":"The certificate.","description_kind":"plain","computed":true},"common_name":{"type":"string","description":"CN of root to create.","description_kind":"plain","required":true},"country":{"type":"string","description":"The country.","description_kind":"plain","optional":true},"exclude_cn_from_sans":{"type":"bool","description":"Flag to exclude CN from SANs.","description_kind":"plain","optional":true},"format":{"type":"string","description":"The format of data.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_sans":{"type":["list","string"],"description":"List of alternative IPs.","description_kind":"plain","optional":true},"issuer_id":{"type":"string","description":"The ID of the generated issuer.","description_kind":"plain","computed":true},"issuer_name":{"type":"string","description":"Provides a name to the specified issuer. 
The name must be unique across all issuers and not be the reserved value 'default'.","description_kind":"plain","optional":true,"computed":true},"issuing_ca":{"type":"string","description":"The issuing CA.","description_kind":"plain","computed":true},"key_bits":{"type":"number","description":"The number of bits to use.","description_kind":"plain","optional":true},"key_id":{"type":"string","description":"The ID of the generated key.","description_kind":"plain","computed":true},"key_name":{"type":"string","description":"When a new key is created with this request, optionally specifies the name for this.","description_kind":"plain","optional":true,"computed":true},"key_ref":{"type":"string","description":"Specifies the key to use for generating this request.","description_kind":"plain","optional":true,"computed":true},"key_type":{"type":"string","description":"The desired key type.","description_kind":"plain","optional":true},"locality":{"type":"string","description":"The locality.","description_kind":"plain","optional":true},"managed_key_id":{"type":"string","description":"The ID of the previously configured managed key.","description_kind":"plain","optional":true,"computed":true},"managed_key_name":{"type":"string","description":"The name of the previously configured managed key.","description_kind":"plain","optional":true,"computed":true},"max_path_length":{"type":"number","description":"The maximum path length to encode in the generated certificate.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"The organization.","description_kind":"plain","optional":true},"other_sans":{"type":["list","string"],"description":"List of other SANs.","description_kind":"plain","optional":true},"ou":{"type":"string","description":"The organization unit.","description_kind":"plain","optional":true},"permitted_dns_domains":{"type":["list","string"],"description":"List of domains for which certificates are allowed to be issued.","description_kind":"plain","optional":true},"postal_code":{"type":"string","description":"The postal code.","description_kind":"plain","optional":true},"private_key_format":{"type":"string","description":"The private key format.","description_kind":"plain","optional":true},"province":{"type":"string","description":"The province.","description_kind":"plain","optional":true},"serial":{"type":"string","description":"The serial number.","description_kind":"plain","deprecated":true,"computed":true},"serial_number":{"type":"string","description":"The certificate's serial number, hex formatted.","description_kind":"plain","computed":true},"street_address":{"type":"string","description":"The street address.","description_kind":"plain","optional":true},"ttl":{"type":"string","description":"Time to live.","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of root to create. 
Must be either \"existing\", \"exported\", \"internal\" or \"kms\"","description_kind":"plain","required":true},"uri_sans":{"type":["list","string"],"description":"List of alternative URIs.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_root_sign_intermediate":{"version":2,"block":{"attributes":{"alt_names":{"type":["list","string"],"description":"List of alternative names.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"ca_chain":{"type":["list","string"],"description":"The CA chain as a list of format specific certificates","description_kind":"plain","computed":true},"certificate":{"type":"string","description":"The signed intermediate CA certificate.","description_kind":"plain","computed":true},"certificate_bundle":{"type":"string","description":"The concatenation of the intermediate and issuing CA certificates (PEM encoded). Requires the format to be set to any of: pem, pem_bundle. 
The value will be empty for all other formats.","description_kind":"plain","computed":true},"common_name":{"type":"string","description":"CN of intermediate to create.","description_kind":"plain","required":true},"country":{"type":"string","description":"The country.","description_kind":"plain","optional":true},"csr":{"type":"string","description":"The CSR.","description_kind":"plain","required":true},"exclude_cn_from_sans":{"type":"bool","description":"Flag to exclude CN from SANs.","description_kind":"plain","optional":true},"format":{"type":"string","description":"The format of data.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_sans":{"type":["list","string"],"description":"List of alternative IPs.","description_kind":"plain","optional":true},"issuer_ref":{"type":"string","description":"Specifies the default issuer of this request.","description_kind":"plain","optional":true},"issuing_ca":{"type":"string","description":"The issuing CA certificate.","description_kind":"plain","computed":true},"locality":{"type":"string","description":"The locality.","description_kind":"plain","optional":true},"max_path_length":{"type":"number","description":"The maximum path length to encode in the generated certificate.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"The organization.","description_kind":"plain","optional":true},"other_sans":{"type":["list","string"],"description":"List of other SANs.","description_kind":"plain","optional":true},"ou":{"type":"string","description":"The organization unit.","description_kind":"plain","optional":true},"permitted_dns_domains":{"type":["list","string"],"description":"List of domains for which certificates are allowed to be issued.","description_kind":"plain","optional":true},"postal_code":{"type":"string","description":"The postal code.","description_kind":"plain","optional":true},"province":{"type":"string","description":"The province.","description_kind":"plain","optional":true},"revoke":{"type":"bool","description":"Revoke the certificate upon resource destruction.","description_kind":"plain","optional":true},"serial":{"type":"string","description":"The serial number.","description_kind":"plain","deprecated":true,"computed":true},"serial_number":{"type":"string","description":"The certificate's serial number, hex formatted.","description_kind":"plain","computed":true},"street_address":{"type":"string","description":"The street address.","description_kind":"plain","optional":true},"ttl":{"type":"string","description":"Time to live.","description_kind":"plain","optional":true},"uri_sans":{"type":["list","string"],"description":"List of alternative URIs.","description_kind":"plain","optional":true},"use_csr_values":{"type":"bool","description":"Preserve CSR values.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_sign":{"version":1,"block":{"attributes":{"alt_names":{"type":["list","string"],"description":"List of alternative names.","description_kind":"plain","optional":true},"auto_renew":{"type":"bool","description":"If enabled, a new certificate will be generated if the expiration is within 
min_seconds_remaining","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"ca_chain":{"type":["list","string"],"description":"The CA chain.","description_kind":"plain","computed":true},"certificate":{"type":"string","description":"The certicate.","description_kind":"plain","computed":true},"common_name":{"type":"string","description":"CN of intermediate to create.","description_kind":"plain","required":true},"csr":{"type":"string","description":"The CSR.","description_kind":"plain","required":true},"exclude_cn_from_sans":{"type":"bool","description":"Flag to exclude CN from SANs.","description_kind":"plain","optional":true},"expiration":{"type":"number","description":"The certificate expiration as a Unix-style timestamp.","description_kind":"plain","computed":true},"format":{"type":"string","description":"The format of data.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_sans":{"type":["list","string"],"description":"List of alternative IPs.","description_kind":"plain","optional":true},"issuer_ref":{"type":"string","description":"Specifies the default issuer of this request.","description_kind":"plain","optional":true},"issuing_ca":{"type":"string","description":"The issuing CA.","description_kind":"plain","computed":true},"min_seconds_remaining":{"type":"number","description":"Generate a new certificate when the expiration is within this number of seconds","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the role to create the certificate against.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"other_sans":{"type":["list","string"],"description":"List of other SANs.","description_kind":"plain","optional":true},"renew_pending":{"type":"bool","description":"Initially false, and then set to true during refresh once the expiration is less than min_seconds_remaining in the future.","description_kind":"plain","computed":true},"serial":{"type":"string","description":"The serial number.","description_kind":"plain","deprecated":true,"computed":true},"serial_number":{"type":"string","description":"The certificate's serial number, hex formatted.","description_kind":"plain","computed":true},"ttl":{"type":"string","description":"Time to live.","description_kind":"plain","optional":true},"uri_sans":{"type":["list","string"],"description":"List of alternative URIs.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_policy":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the policy","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policy":{"type":"string","description":"The policy document","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_quota_lease_count":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_leases":{"type":"number","description":"The maximum number of leases to be allowed by the quota rule. The max_leases must be positive.","description_kind":"plain","required":true},"name":{"type":"string","description":"The name of the quota.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path of the mount or namespace to apply the quota. A blank path configures a global lease count quota.","description_kind":"plain","optional":true},"role":{"type":"string","description":"If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_quota_rate_limit":{"version":0,"block":{"attributes":{"block_interval":{"type":"number","description":"If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' in seconds has elapsed.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"interval":{"type":"number","description":"The duration in seconds to enforce rate limiting for.","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the quota.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path of the mount or namespace to apply the quota. A blank path configures a global rate limit quota.","description_kind":"plain","optional":true},"rate":{"type":"number","description":"The maximum number of requests at any given second to be allowed by the quota rule. 
The rate must be positive.","description_kind":"plain","required":true},"role":{"type":"string","description":"If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_rabbitmq_secret_backend":{"version":1,"block":{"attributes":{"connection_uri":{"type":"string","description":"Specifies the RabbitMQ connection URI.","description_kind":"plain","required":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"password":{"type":"string","description":"Specifies the RabbitMQ management administrator password","description_kind":"plain","required":true,"sensitive":true},"password_policy":{"type":"string","description":"Specifies a password policy to use when creating dynamic credentials. 
Defaults to generating an alphanumeric password if not set.","description_kind":"plain","optional":true},"path":{"type":"string","description":"The path of the RabbitMQ Secret Backend where the connection should be configured","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the RabbitMQ management administrator username","description_kind":"plain","required":true,"sensitive":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies whether to verify connection URI, username, and password.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_rabbitmq_secret_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the Rabbitmq Secret Backend the role belongs to.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name for the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"tags":{"type":"string","description":"Specifies a comma-separated RabbitMQ management tags.","description_kind":"plain","optional":true}},"block_types":{"vhost":{"nesting_mode":"list","block":{"attributes":{"configure":{"type":"string","description":"The configure permissions for this vhost.","description_kind":"plain","required":true},"host":{"type":"string","description":"The vhost to set permissions for.","description_kind":"plain","required":true},"read":{"type":"string","description":"The read permissions for this vhost.","description_kind":"plain","required":true},"write":{"type":"string","description":"The write permissions for this vhost.","description_kind":"plain","required":true}},"description":"Specifies a map of virtual hosts to permissions.","description_kind":"plain"}},"vhost_topic":{"nesting_mode":"list","block":{"attributes":{"host":{"type":"string","description":"The vhost to set permissions for.","description_kind":"plain","required":true}},"block_types":{"vhost":{"nesting_mode":"list","block":{"attributes":{"read":{"type":"string","description":"The read permissions for this vhost.","description_kind":"plain","required":true},"topic":{"type":"string","description":"The vhost to set permissions for.","description_kind":"plain","required":true},"write":{"type":"string","description":"The write permissions for this vhost.","description_kind":"plain","required":true}},"description":"Specifies a map of virtual hosts to permissions.","description_kind":"plain"}}},"description":"Specifies a map of virtual hosts and exchanges to topic permissions. This option requires RabbitMQ 3.7.0 or later.","description_kind":"plain"}}},"description_kind":"plain"}},"vault_raft_autopilot":{"version":0,"block":{"attributes":{"cleanup_dead_servers":{"type":"bool","description":"Specifies whether to remove dead server nodes periodically or when a new server joins. 
This requires that min-quorum is also set.","description_kind":"plain","optional":true},"dead_server_last_contact_threshold":{"type":"string","description":"Limit the amount of time a server can go without leader contact before being considered failed. This only takes effect when cleanup_dead_servers is set.","description_kind":"plain","optional":true},"disable_upgrade_migration":{"type":"bool","description":"Disables automatically upgrading Vault using autopilot. (Enterprise-only)","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"last_contact_threshold":{"type":"string","description":"Limit the amount of time a server can go without leader contact before being considered unhealthy.","description_kind":"plain","optional":true},"max_trailing_logs":{"type":"number","description":"Maximum number of log entries in the Raft log that a server can be behind its leader before being considered unhealthy.","description_kind":"plain","optional":true},"min_quorum":{"type":"number","description":"Minimum number of servers allowed in a cluster before autopilot can prune dead servers. This should at least be 3. Applicable only for voting nodes.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"server_stabilization_time":{"type":"string","description":"Minimum amount of time a server must be stable in the 'healthy' state before being added to the cluster.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_raft_snapshot_agent_config":{"version":0,"block":{"attributes":{"aws_access_key_id":{"type":"string","description":"AWS access key ID.","description_kind":"plain","optional":true},"aws_s3_bucket":{"type":"string","description":"S3 bucket to write snapshots to.","description_kind":"plain","optional":true},"aws_s3_disable_tls":{"type":"bool","description":"Disable TLS for the S3 endpoint. This should only be used for testing purposes.","description_kind":"plain","optional":true},"aws_s3_enable_kms":{"type":"bool","description":"Use KMS to encrypt bucket contents.","description_kind":"plain","optional":true},"aws_s3_endpoint":{"type":"string","description":"AWS endpoint. This is typically only set when using a non-AWS S3 implementation like Minio.","description_kind":"plain","optional":true},"aws_s3_force_path_style":{"type":"bool","description":"Use the endpoint/bucket URL style instead of bucket.endpoint.","description_kind":"plain","optional":true},"aws_s3_kms_key":{"type":"string","description":"Use named KMS key, when aws_s3_enable_kms=true","description_kind":"plain","optional":true},"aws_s3_region":{"type":"string","description":"AWS region bucket is in.","description_kind":"plain","optional":true},"aws_s3_server_side_encryption":{"type":"bool","description":"Use AES256 to encrypt bucket contents.","description_kind":"plain","optional":true},"aws_secret_access_key":{"type":"string","description":"AWS secret access key.","description_kind":"plain","optional":true},"aws_session_token":{"type":"string","description":"AWS session token.","description_kind":"plain","optional":true},"azure_account_key":{"type":"string","description":"Azure account 
key.","description_kind":"plain","optional":true},"azure_account_name":{"type":"string","description":"Azure account name.","description_kind":"plain","optional":true},"azure_blob_environment":{"type":"string","description":"Azure blob environment.","description_kind":"plain","optional":true},"azure_container_name":{"type":"string","description":"Azure container name to write snapshots to.","description_kind":"plain","optional":true},"azure_endpoint":{"type":"string","description":"Azure blob storage endpoint. This is typically only set when using a non-Azure implementation like Azurite.","description_kind":"plain","optional":true},"file_prefix":{"type":"string","description":"The file or object name of snapshot files will start with this string.","description_kind":"plain","optional":true},"google_disable_tls":{"type":"bool","description":"Disable TLS for the GCS endpoint.","description_kind":"plain","optional":true},"google_endpoint":{"type":"string","description":"GCS endpoint. This is typically only set when using a non-Google GCS implementation like fake-gcs-server.","description_kind":"plain","optional":true},"google_gcs_bucket":{"type":"string","description":"GCS bucket to write snapshots to.","description_kind":"plain","optional":true},"google_service_account_key":{"type":"string","description":"Google service account key in JSON format.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"interval_seconds":{"type":"number","description":"Number of seconds between snapshots.","description_kind":"plain","required":true},"local_max_space":{"type":"number","description":"The maximum space, in bytes, to use for snapshots.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the snapshot agent configuration.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path_prefix":{"type":"string","description":"The directory or bucket prefix to to use.","description_kind":"plain","required":true},"retain":{"type":"number","description":"How many snapshots are to be kept.","description_kind":"plain","optional":true},"storage_type":{"type":"string","description":"What storage service to send snapshots to. One of \"local\", \"azure-blob\", \"aws-s3\", or \"google-gcs\".","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_rgp_policy":{"version":0,"block":{"attributes":{"enforcement_level":{"type":"string","description":"Enforcement level of Sentinel policy. Can be one of: 'advisory', 'soft-mandatory' or 'hard-mandatory'","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the policy","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"policy":{"type":"string","description":"The policy document","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_saml_auth_backend":{"version":0,"block":{"attributes":{"acs_urls":{"type":["list","string"],"description":"The well-formatted URLs of your Assertion Consumer Service (ACS) that should receive a response from the identity provider.","description_kind":"plain","required":true},"default_role":{"type":"string","description":"The role to use if no role is provided during login.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"entity_id":{"type":"string","description":"The entity ID of the SAML authentication service provider.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"idp_cert":{"type":"string","description":"The PEM encoded certificate of the identity provider. Mutually exclusive with 'idp_metadata_url'","description_kind":"plain","optional":true},"idp_entity_id":{"type":"string","description":"The entity ID of the identity provider. Mutually exclusive with 'idp_metadata_url'.","description_kind":"plain","optional":true},"idp_metadata_url":{"type":"string","description":"The metadata URL of the identity provider.","description_kind":"plain","optional":true},"idp_sso_url":{"type":"string","description":"The SSO URL of the identity provider. Mutually exclusive with 'idp_metadata_url'.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"verbose_logging":{"type":"bool","description":"Log additional, potentially sensitive information during the SAML exchange according to the current logging level. Not recommended for production.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_saml_auth_backend_role":{"version":0,"block":{"attributes":{"bound_attributes":{"type":["map","string"],"description":"Mapping of attribute names to values that are expected to exist in the SAML assertion.","description_kind":"plain","optional":true},"bound_attributes_type":{"type":"string","description":"The type of matching assertion to perform on bound_attributes.","description_kind":"plain","optional":true,"computed":true},"bound_subjects":{"type":["list","string"],"description":"The subject being asserted for SAML authentication.","description_kind":"plain","optional":true},"bound_subjects_type":{"type":"string","description":"The type of matching assertion to perform on bound_subjects.","description_kind":"plain","optional":true,"computed":true},"groups_attribute":{"type":"string","description":"The attribute to use to identify the set of groups to which the user belongs.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name of the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path where SAML Auth engine is mounted.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_secrets_sync_association":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Specifies the mount where the secret is located.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the 
destination.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"secret_name":{"type":"string","description":"Specifies the name of the secret to synchronize.","description_kind":"plain","required":true},"sync_status":{"type":"string","description":"Specifies the status of the association.","description_kind":"plain","computed":true},"type":{"type":"string","description":"Type of sync destination.","description_kind":"plain","required":true},"updated_at":{"type":"string","description":"Duration string stating when the secret was last updated.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_secrets_sync_aws_destination":{"version":0,"block":{"attributes":{"access_key_id":{"type":"string","description":"Access key id to authenticate against the AWS secrets manager.","description_kind":"plain","optional":true},"custom_tags":{"type":["map","string"],"description":"Custom tags to set on the secret managed at the destination.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name of the AWS destination.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"region":{"type":"string","description":"Region where to manage the secrets manager entries.","description_kind":"plain","optional":true},"secret_access_key":{"type":"string","description":"Secret access key to authenticate against the AWS secrets manager.","description_kind":"plain","optional":true,"sensitive":true},"secret_name_template":{"type":"string","description":"Template describing how to generate external secret names.","description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of secrets destination.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_secrets_sync_azure_destination":{"version":0,"block":{"attributes":{"client_id":{"type":"string","description":"Client ID of an Azure app registration.","description_kind":"plain","optional":true},"client_secret":{"type":"string","description":"Client Secret of an Azure app registration.","description_kind":"plain","optional":true,"sensitive":true},"cloud":{"type":"string","description":"Specifies a cloud for the client.","description_kind":"plain","optional":true},"custom_tags":{"type":["map","string"],"description":"Custom tags to set on the secret managed at the destination.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_vault_uri":{"type":"string","description":"URI of an existing Azure Key Vault instance.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Unique name of the Azure destination.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"secret_name_template":{"type":"string","description":"Template describing how to generate external secret names.","description_kind":"plain","optional":true,"computed":true},"tenant_id":{"type":"string","description":"ID of the target Azure tenant.","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of secrets destination.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_secrets_sync_config":{"version":0,"block":{"attributes":{"disabled":{"type":"bool","description":"Disables the syncing process between Vault and external destinations.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"queue_capacity":{"type":"number","description":"Maximum number of pending sync operations allowed on the queue.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_secrets_sync_gcp_destination":{"version":0,"block":{"attributes":{"credentials":{"type":"string","description":"JSON-encoded credentials to use to connect to GCP.","description_kind":"plain","optional":true,"sensitive":true},"custom_tags":{"type":["map","string"],"description":"Custom tags to set on the secret managed at the destination.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name of the GCP destination.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"secret_name_template":{"type":"string","description":"Template describing how to generate external secret names.","description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of secrets destination.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_secrets_sync_gh_destination":{"version":0,"block":{"attributes":{"access_token":{"type":"string","description":"Fine-grained or personal access token.","description_kind":"plain","optional":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name of the github destination.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"repository_name":{"type":"string","description":"Name of the repository.","description_kind":"plain","optional":true},"repository_owner":{"type":"string","description":"GitHub organization or username that owns the repository.","description_kind":"plain","optional":true},"secret_name_template":{"type":"string","description":"Template describing how to generate external secret names.","description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of secrets destination.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_secrets_sync_vercel_destination":{"version":0,"block":{"attributes":{"access_token":{"type":"string","description":"Vercel API access token with the permissions to manage environment variables.","description_kind":"plain","required":true,"sensitive":true},"deployment_environments":{"type":["list","string"],"description":"Deployment environments where the environment variables are available. 
Accepts 'development', 'preview' \u0026 'production'.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name of the Vercel destination.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"project_id":{"type":"string","description":"Project ID where to manage environment variables.","description_kind":"plain","required":true},"secret_name_template":{"type":"string","description":"Template describing how to generate external secret names.","description_kind":"plain","optional":true,"computed":true},"team_id":{"type":"string","description":"Team ID the project belongs to.","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of secrets destination.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_ssh_secret_backend_ca":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the SSH Secret Backend where the CA should be configured","description_kind":"plain","optional":true},"generate_signing_key":{"type":"bool","description":"Whether Vault should generate the signing key pair internally.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"private_key":{"type":"string","description":"Private key part the SSH CA key pair; required if generate_signing_key is false.","description_kind":"plain","optional":true,"computed":true,"sensitive":true},"public_key":{"type":"string","description":"Public key part the SSH CA key pair; required if generate_signing_key is false.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_ssh_secret_backend_role":{"version":0,"block":{"attributes":{"algorithm_signer":{"type":"string","description_kind":"plain","optional":true,"computed":true},"allow_bare_domains":{"type":"bool","description_kind":"plain","optional":true},"allow_host_certificates":{"type":"bool","description_kind":"plain","optional":true},"allow_subdomains":{"type":"bool","description_kind":"plain","optional":true},"allow_user_certificates":{"type":"bool","description_kind":"plain","optional":true},"allow_user_key_ids":{"type":"bool","description_kind":"plain","optional":true},"allowed_critical_options":{"type":"string","description_kind":"plain","optional":true},"allowed_domains":{"type":"string","description_kind":"plain","optional":true},"allowed_domains_template":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"allowed_extensions":{"type":"string","description_kind":"plain","optional":true},"allowed_user_key_lengths":{"type":["map","number"],"description_kind":"plain","deprecated":true,"optional":true},"allowed_users":{"type":"string","description_kind":"plain","optional":true},"allowed_users_template":{"type":"bool","description_kind":"plain","optional":true},"backend":{"type":"string","description_kind":"plain","required":true},"cidr_list":{"type":"string","description_kind":"plain","optional":true},"default_critical_options":{"type":["map","string"],"description_kind":"plain","optional":true},"default_extensions":{"type":["map","string"],"description_kind":"plain","
optional":true},"default_user":{"type":"string","description_kind":"plain","optional":true},"default_user_template":{"type":"bool","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_id_format":{"type":"string","description_kind":"plain","optional":true},"key_type":{"type":"string","description_kind":"plain","required":true},"max_ttl":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name for the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"not_before_duration":{"type":"string","description":"Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings.","description_kind":"plain","optional":true,"computed":true},"ttl":{"type":"string","description_kind":"plain","optional":true,"computed":true}},"block_types":{"allowed_user_key_config":{"nesting_mode":"set","block":{"attributes":{"lengths":{"type":["list","number"],"description":"List of allowed key lengths, vault-1.10 and above","description_kind":"plain","required":true},"type":{"type":"string","description":"Key type, choices:\nrsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521","description_kind":"plain","required":true}},"description":"Set of allowed public key types and their relevant configuration","description_kind":"plain"}}},"description_kind":"plain"}},"vault_terraform_cloud_secret_backend":{"version":1,"block":{"attributes":{"address":{"type":"string","description":"Specifies the address of the Terraform Cloud instance, provided as \"host:port\" like \"127.0.0.1:8500\".","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the Vault Terraform Cloud mount to 
configure","description_kind":"plain","optional":true},"base_path":{"type":"string","description":"Specifies the base path for the Terraform Cloud or Enterprise API.","description_kind":"plain","optional":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"token":{"type":"string","description":"Specifies the Terraform Cloud access token to use.","description_kind":"plain","optional":true,"sensitive":true}},"description_kind":"plain"}},"vault_terraform_cloud_secret_creds":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Terraform Cloud secret backend to generate tokens from","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_id":{"type":"string","description":"Associated Vault lease ID, if one exists","description_kind":"plain","computed":true,"sensitive":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"Name of the Terraform Cloud or Enterprise organization","description_kind":"plain","computed":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"team_id":{"type":"string","description":"ID of the Terraform Cloud or Enterprise team under organization (e.g., settings/teams/team-xxxxxxxxxxxxx)","description_kind":"plain","computed":true},"token":{"type":"string","description":"Terraform Token provided by the Vault backend","description_kind":"plain","computed":true,"sensitive":true},"token_id":{"type":"string","description":"ID of the Terraform Token provided","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_terraform_cloud_secret_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the Terraform Cloud Secret Backend the role belongs to.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"Maximum allowed lease for generated credentials. If not set or set to 0, will use system default.","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of an existing role against which to create this Terraform Cloud credential","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"Name of the Terraform Cloud or Enterprise organization","description_kind":"plain","optional":true},"team_id":{"type":"string","description":"ID of the Terraform Cloud or Enterprise team under organization (e.g., settings/teams/team-xxxxxxxxxxxxx)","description_kind":"plain","optional":true},"ttl":{"type":"number","description":"Default lease for generated credentials. If not set or set to 0, will use system default.","description_kind":"plain","optional":true},"user_id":{"type":"string","description":"ID of the Terraform Cloud or Enterprise user (e.g., user-xxxxxxxxxxxxxxxx)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_token":{"version":0,"block":{"attributes":{"client_token":{"type":"string","description":"The client token.","description_kind":"plain","computed":true,"sensitive":true},"display_name":{"type":"string","description":"The display name of the token.","description_kind":"plain","optional":true},"explicit_max_ttl":{"type":"string","description":"The explicit max TTL of the token.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"The token lease duration.","description_kind":"plain","computed":true},"lease_started":{"type":"string","description":"The token lease started on.","description_kind":"plain","computed":true},"metadata":{"type":["map","string"],"description":"Metadata to be associated with the token.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"no_default_policy":{"type":"bool","description":"Flag to disable the default policy.","description_kind":"plain","optional":true},"no_parent":{"type":"bool","description":"Flag to create a token without parent.","description_kind":"plain","optional":true,"computed":true},"num_uses":{"type":"number","description":"The number of allowed uses of the token.","description_kind":"plain","optional":true,"computed":true},"period":{"type":"string","description":"The period of the token.","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"List of policies.","description_kind":"plain","optional":true},"renew_increment":{"type":"number","description":"The renew increment.","description_kind":"plain","optional":true},"renew_min_lease":{"type":"number","description":"The minimum lease to renew token.","description_kind":"plain","optional":true},"renewable":{"type":"bool","description":"Flag to allow the token to be renewed","description_kind":"plain","optional":true,"computed":true},"role_name":{"type":"string","description":"The token role name.","description_kind":"plain","optional":true},"ttl":{"type":"string","description":"The TTL period of the token.","description_kind":"plain","optional":true},"wrapped_token":{"type":"string","description":"The client wrapped token.","description_kind":"plain","computed":true,"sensitive":true},"wrapping_accessor":{"type":"string","description":"The client wrapping accessor.","description_kind":"plain","computed":true,"sensitive":true},"wrapping_ttl":{"type":"string","description":"The TTL period of the wrapped token.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_token_auth_backend_role":{"version":0,"block":{"attributes":{"allowed_entity_aliases":{"type":["set","string"],"description":"Set of allowed entity aliases for this 
role.","description_kind":"plain","optional":true},"allowed_policies":{"type":["set","string"],"description":"List of allowed policies for given role.","description_kind":"plain","optional":true},"allowed_policies_glob":{"type":["set","string"],"description":"Set of allowed policies with glob match for given role.","description_kind":"plain","optional":true},"disallowed_policies":{"type":["set","string"],"description":"List of disallowed policies for given role.","description_kind":"plain","optional":true},"disallowed_policies_glob":{"type":["set","string"],"description":"Set of disallowed policies with glob match for given role.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"orphan":{"type":"bool","description":"If true, tokens created against this policy will be orphan tokens.","description_kind":"plain","optional":true},"path_suffix":{"type":"string","description":"Tokens created against this role will have the given suffix as part of their path in addition to the role name.","description_kind":"plain","optional":true},"renewable":{"type":"bool","description":"Whether to disable the ability of the token to be renewed past its initial TTL.","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated 
token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transform_alphabet":{"version":0,"block":{"attributes":{"alphabet":{"type":"string","description":"A string of characters that contains the alphabet set.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the alphabet.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"The mount path for a back-end, for example, the path given in \"$ vault auth enable -path=my-aws aws\".","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_transform_role":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"The mount path for a back-end, for example, the path given in \"$ vault auth enable -path=my-aws aws\".","description_kind":"plain","required":true},"transformations":{"type":["list","string"],"description":"A comma separated string or slice of transformations to use.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transform_template":{"version":0,"block":{"attributes":{"alphabet":{"type":"string","description":"The alphabet to use for this template. This is only used during FPE transformations.","description_kind":"plain","optional":true},"decode_formats":{"type":["map","string"],"description":"The map of regular expression templates used to customize decoded outputs.\nOnly applicable to FPE transformations.","description_kind":"plain","optional":true},"encode_format":{"type":"string","description":"The regular expression template used for encoding values.\nOnly applicable to FPE transformations.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the template.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"The mount path for a back-end, for example, the path given in \"$ vault auth enable -path=my-aws aws\".","description_kind":"plain","required":true},"pattern":{"type":"string","description":"The pattern used for matching. Currently, only regular expression pattern is supported.","description_kind":"plain","optional":true},"type":{"type":"string","description":"The pattern type to use for match detection. Currently, only regex is supported.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transform_transformation":{"version":0,"block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"The set of roles allowed to perform this transformation.","description_kind":"plain","optional":true},"deletion_allowed":{"type":"bool","description":"If true, this transform can be deleted. Otherwise deletion is blocked while this value remains false.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"masking_character":{"type":"string","description":"The character used to replace data when in masking mode","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of the transformation.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"The mount path for a back-end, for example, the path given in \"$ vault auth enable -path=my-aws aws\".","description_kind":"plain","required":true},"template":{"type":"string","description":"The name of the template to use.","description_kind":"plain","optional":true},"templates":{"type":["list","string"],"description":"Templates configured for transformation.","description_kind":"plain","optional":true,"computed":true},"tweak_source":{"type":"string","description":"The source of where the tweak value comes from. Only valid when in FPE mode.","description_kind":"plain","optional":true},"type":{"type":"string","description":"The type of transformation to perform.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transit_secret_backend_key":{"version":0,"block":{"attributes":{"allow_plaintext_backup":{"type":"bool","description":"If set, enables taking backup of named key in the plaintext format. Once set, this cannot be disabled.","description_kind":"plain","optional":true},"auto_rotate_interval":{"type":"number","description":"Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.","description_kind":"plain","deprecated":true,"optional":true,"computed":true},"auto_rotate_period":{"type":"number","description":"Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.","description_kind":"plain","optional":true,"computed":true},"backend":{"type":"string","description":"The Transit secret backend the resource belongs to.","description_kind":"plain","required":true},"convergent_encryption":{"type":"bool","description":"Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. 
This requires derived to be set to true.","description_kind":"plain","optional":true},"deletion_allowed":{"type":"bool","description":"Specifies if the key is allowed to be deleted.","description_kind":"plain","optional":true},"derived":{"type":"bool","description":"Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.","description_kind":"plain","optional":true},"exportable":{"type":"bool","description":"Enables keys to be exportable. This allows for all the valid keys in the key ring to be exported. Once set, this cannot be disabled.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_size":{"type":"number","description":"The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC; this value must be between 32 and 512.","description_kind":"plain","optional":true},"keys":{"type":["list",["map","string"]],"description":"List of key versions in the keyring.","description_kind":"plain","computed":true},"latest_version":{"type":"number","description":"Latest key version in use in the keyring","description_kind":"plain","computed":true},"min_available_version":{"type":"number","description":"Minimum key version available for use.","description_kind":"plain","computed":true},"min_decryption_version":{"type":"number","description":"Minimum key version to use for decryption.","description_kind":"plain","optional":true},"min_encryption_version":{"type":"number","description":"Minimum key version to use for encryption","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the encryption key to create.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"supports_decryption":{"type":"bool","description":"Whether or not the key supports decryption, based on key type.","description_kind":"plain","computed":true},"supports_derivation":{"type":"bool","description":"Whether or not the key supports derivation, based on key type.","description_kind":"plain","computed":true},"supports_encryption":{"type":"bool","description":"Whether or not the key supports encryption, based on key type.","description_kind":"plain","computed":true},"supports_signing":{"type":"bool","description":"Whether or not the key supports signing, based on key type.","description_kind":"plain","computed":true},"type":{"type":"string","description":"Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96, chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072, rsa-4096","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transit_secret_cache_config":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The Transit secret backend the resource belongs to.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"size":{"type":"number","description":"Number of cache entries. 
A size of 0 mean unlimited.","description_kind":"plain","required":true}},"description_kind":"plain"}}},"data_source_schemas":{"vault_ad_access_credentials":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"AD Secret Backend to read credentials from.","description_kind":"plain","required":true},"current_password":{"type":"string","description":"Password for the service account.","description_kind":"plain","computed":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"last_password":{"type":"string","description":"Last known password for the service account.","description_kind":"plain","computed":true,"sensitive":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"username":{"type":"string","description":"Name of the service account.","description_kind":"plain","computed":true}},"description_kind":"plain","deprecated":true}},"vault_approle_auth_backend_role_id":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role_id":{"type":"string","description":"The RoleID of the role.","description_kind":"plain","computed":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor of the auth backend.","description_kind":"plain","computed":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration in seconds","description_kind":"plain","computed":true},"description":{"type":"string","description":"The description of the auth backend.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"listing_visibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint.","description_kind":"plain","computed":true},"local":{"type":"bool","description":"Specifies if the auth method is local only","description_kind":"plain","computed":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration in seconds","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"The auth backend mount point.","description_kind":"plain","required":true},"type":{"type":"string","description":"The name of the auth backend.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_auth_backends":{"version":0,"block":{"attributes":{"accessors":{"type":["list","string"],"description":"The accessors of the auth backends.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"paths":{"type":["list","string"],"description":"The auth backend mount points.","description_kind":"plain","computed":true},"type":{"type":"string","description":"The type of the auth backend.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_access_credentials":{"version":0,"block":{"attributes":{"access_key":{"type":"string","description":"AWS access key ID read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"backend":{"type":"string","description":"AWS Secret Backend to read credentials from.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"Lease duration in seconds relative to the time in lease_start_time.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"Lease identifier assigned by vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"lease_start_time":{"type":"string","description":"Time at which the lease was read, using the clock of the system where Terraform 
was running","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"region":{"type":"string","description":"Region the read credentials belong to.","description_kind":"plain","optional":true},"role":{"type":"string","description":"AWS Secret Role to read credentials from.","description_kind":"plain","required":true},"role_arn":{"type":"string","description":"ARN to use if multiple are available in the role. Required if the role has multiple ARNs.","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"AWS secret key read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"security_token":{"type":"string","description":"AWS security token read from Vault. (Only returned if type is 'sts').","description_kind":"plain","computed":true,"sensitive":true},"ttl":{"type":"string","description":"User specified Time-To-Live for the STS token. Uses the Role defined default_sts_ttl when not specified","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of credentials to read. Must be either 'creds' for Access Key and Secret Key, or 'sts' for STS.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_static_access_credentials":{"version":0,"block":{"attributes":{"access_key":{"type":"string","description":"AWS access key ID read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"backend":{"type":"string","description":"AWS Secret Backend to read credentials from.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"AWS secret key read from Vault.","description_kind":"plain","computed":true,"sensitive":true}},"description_kind":"plain"}},"vault_azure_access_credentials":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Azure Secret Backend to read credentials from.","description_kind":"plain","required":true},"client_id":{"type":"string","description":"The client id for credentials to query the Azure APIs.","description_kind":"plain","computed":true},"client_secret":{"type":"string","description":"The client secret for credentials to query the Azure APIs.","description_kind":"plain","computed":true,"sensitive":true},"environment":{"type":"string","description":"The Azure environment to use during credential validation.\nDefaults to the environment configured in the Vault backend.\nSome possible values: AzurePublicCloud, AzureUSGovernmentCloud","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"Lease duration in seconds relative to the time in lease_start_time.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"Lease identifier assigned by vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"lease_start_time":{"type":"string","description":"Time at which the lease was read, using the clock of the system where Terraform was running","description_kind":"plain","computed":true},"max_cred_validation_seconds":{"type":"number","description":"If 'validate_creds' is true, the number of seconds after which to give up validating 
credentials.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"num_seconds_between_tests":{"type":"number","description":"If 'validate_creds' is true, the number of seconds to wait between each test of generated credentials.","description_kind":"plain","optional":true},"num_sequential_successes":{"type":"number","description":"If 'validate_creds' is true, the number of sequential successes required to validate generated credentials.","description_kind":"plain","optional":true},"role":{"type":"string","description":"Azure Secret Role to read credentials from.","description_kind":"plain","required":true},"subscription_id":{"type":"string","description":"The subscription ID to use during credential validation. Defaults to the subscription ID configured in the Vault backend","description_kind":"plain","optional":true},"tenant_id":{"type":"string","description":"The tenant ID to use during credential validation. 
Defaults to the tenant ID configured in the Vault backend","description_kind":"plain","optional":true},"validate_creds":{"type":"bool","description":"Whether generated credentials should be validated before being returned.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_gcp_auth_backend_role":{"version":1,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"bound_instance_groups":{"type":["set","string"],"description_kind":"plain","computed":true},"bound_labels":{"type":["set","string"],"description_kind":"plain","computed":true},"bound_projects":{"type":["set","string"],"description_kind":"plain","computed":true},"bound_regions":{"type":["set","string"],"description_kind":"plain","computed":true},"bound_service_accounts":{"type":["set","string"],"description_kind":"plain","computed":true},"bound_zones":{"type":["set","string"],"description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role_id":{"type":"string","description":"The RoleID of the GCP auth role.","description_kind":"plain","computed":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true},"type":{"type":"string","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_generic_secret":{"version":1,"block":{"attributes":{"data":{"type":["map","string"],"description":"Map of strings read from 
Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"Lease duration in seconds relative to the time in lease_start_time.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"Lease identifier assigned by vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"lease_start_time":{"type":"string","description":"Time at which the lease was read, using the clock of the system where Terraform was running","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path from which a secret will be read.","description_kind":"plain","required":true},"version":{"type":"number","description_kind":"plain","optional":true},"with_lease_start_time":{"type":"bool","description":"If set to true, stores 'lease_start_time' in the TF state.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_entity":{"version":0,"block":{"attributes":{"alias_id":{"type":"string","description":"ID of the alias.","description_kind":"plain","optional":true,"computed":true},"alias_mount_accessor":{"type":"string","description":"Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with `alias_name`.","description_kind":"plain","optional":true,"computed":true},"alias_name":{"type":"string","description":"Name of the alias. 
This should be supplied in conjunction with `alias_mount_accessor`.","description_kind":"plain","optional":true,"computed":true},"aliases":{"type":["set",["object",{"canonical_id":"string","creation_time":"string","id":"string","last_update_time":"string","merged_from_canonical_ids":["set","string"],"metadata":["map","string"],"mount_accessor":"string","mount_path":"string","mount_type":"string","name":"string"}]],"description_kind":"plain","computed":true},"creation_time":{"type":"string","description_kind":"plain","computed":true},"data_json":{"type":"string","description":"Entity data from Vault in JSON String form","description_kind":"plain","computed":true},"direct_group_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"disabled":{"type":"bool","description_kind":"plain","computed":true},"entity_id":{"type":"string","description":"ID of the entity.","description_kind":"plain","optional":true,"computed":true},"entity_name":{"type":"string","description":"Name of the entity.","description_kind":"plain","optional":true,"computed":true},"group_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"inherited_group_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"last_update_time":{"type":"string","description_kind":"plain","computed":true},"merged_entity_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"metadata":{"type":["map","string"],"description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description_kind":"plain","computed":true},"policies":{"type":["set","string"],"description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_group":{"version":1,"block":{"attributes":{"alias_canonical_id":{"type":"string","description_kind":"plain","computed":true},"alias_creation_time":{"type":"string","description_kind":"plain","computed":true},"alias_id":{"type":"string","description":"ID of the alias.","description_kind":"plain","optional":true,"computed":true},"alias_last_update_time":{"type":"string","description_kind":"plain","computed":true},"alias_merged_from_canonical_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"alias_metadata":{"type":["map","string"],"description_kind":"plain","computed":true},"alias_mount_accessor":{"type":"string","description":"Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with `alias_name`.","description_kind":"plain","optional":true,"computed":true},"alias_mount_path":{"type":"string","description_kind":"plain","computed":true},"alias_mount_type":{"type":"string","description_kind":"plain","computed":true},"alias_name":{"type":"string","description":"Name of the alias. 
This should be supplied in conjunction with `alias_mount_accessor`.","description_kind":"plain","optional":true,"computed":true},"creation_time":{"type":"string","description_kind":"plain","computed":true},"data_json":{"type":"string","description":"Group data from Vault in JSON String form","description_kind":"plain","computed":true},"group_id":{"type":"string","description":"ID of the group.","description_kind":"plain","optional":true,"computed":true},"group_name":{"type":"string","description":"Name of the group.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"last_update_time":{"type":"string","description_kind":"plain","computed":true},"member_entity_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"member_group_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"metadata":{"type":["map","string"],"description_kind":"plain","computed":true},"modify_index":{"type":"number","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description_kind":"plain","computed":true},"parent_group_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"policies":{"type":["set","string"],"description_kind":"plain","computed":true},"type":{"type":"string","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_oidc_client_creds":{"version":0,"block":{"attributes":{"client_id":{"type":"string","description":"The Client ID from Vault.","description_kind":"plain","computed":true},"client_secret":{"type":"string","description":"The Client Secret from Vault.","description_kind":"plain","computed":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the client.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_openid_config":{"version":0,"block":{"attributes":{"authorization_endpoint":{"type":"string","description":"The Authorization Endpoint for the provider.","description_kind":"plain","computed":true},"grant_types_supported":{"type":["list","string"],"description":"The grant types supported by the provider.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"id_token_signing_alg_values_supported":{"type":["list","string"],"description":"The signing algorithms supported by the provider.","description_kind":"plain","computed":true},"issuer":{"type":"string","description":"The URL of the issuer for the provider.","description_kind":"plain","computed":true},"jwks_uri":{"type":"string","description":"The well known keys URI for the 
provider.","description_kind":"plain","computed":true},"name":{"type":"string","description":"The name of the provider.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"request_uri_parameter_supported":{"type":"bool","description":"Specifies whether Request URI Parameter is supported by the provider.","description_kind":"plain","computed":true},"response_types_supported":{"type":["list","string"],"description":"The response types supported by the provider.","description_kind":"plain","computed":true},"scopes_supported":{"type":["list","string"],"description":"The scopes supported by the provider.","description_kind":"plain","computed":true},"subject_types_supported":{"type":["list","string"],"description":"The subject types supported by the provider.","description_kind":"plain","computed":true},"token_endpoint":{"type":"string","description":"The Token Endpoint for the provider.","description_kind":"plain","computed":true},"token_endpoint_auth_methods_supported":{"type":["list","string"],"description":"The token endpoint auth methods supported by the provider.","description_kind":"plain","computed":true},"userinfo_endpoint":{"type":"string","description":"The User Info Endpoint for the provider.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_oidc_public_keys":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"keys":{"type":["list",["map","string"]],"description":"The public portion of keys for an OIDC provider. Clients can use them to validate the authenticity of an identity token.","description_kind":"plain","computed":true},"name":{"type":"string","description":"The name of the provider.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kubernetes_auth_backend_config":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the kubernetes backend to configure.","description_kind":"plain","optional":true},"disable_iss_validation":{"type":"bool","description":"Optional disable JWT issuer validation. Allows to skip ISS validation.","description_kind":"plain","optional":true,"computed":true},"disable_local_ca_jwt":{"type":"bool","description":"Optional disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.","description_kind":"plain","optional":true,"computed":true},"kubernetes_ca_cert":{"type":"string","description":"PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.","description_kind":"plain","optional":true,"computed":true},"kubernetes_host":{"type":"string","description":"Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"pem_keys":{"type":["list","string"],"description":"Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. 
Not every installation of Kubernetes exposes these keys.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_kubernetes_auth_backend_role":{"version":0,"block":{"attributes":{"alias_name_source":{"type":"string","description":"Method used for generating identity aliases.","description_kind":"plain","computed":true},"audience":{"type":"string","description":"Optional Audience claim to verify in the JWT.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the kubernetes backend to configure.","description_kind":"plain","optional":true},"bound_service_account_names":{"type":["set","string"],"description":"List of service account names able to access this role. If set to \"*\" all names are allowed, both this and bound_service_account_namespaces can not be \"*\".","description_kind":"plain","computed":true},"bound_service_account_namespaces":{"type":["set","string"],"description":"List of namespaces allowed to access this role. If set to \"*\" all namespaces are allowed, both this and bound_service_account_names can not be set to \"*\".","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kubernetes_service_account_token":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The Kubernetes secret backend to generate service account tokens from.","description_kind":"plain","required":true},"cluster_role_binding":{"type":"bool","description":"If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a 
namespace.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"kubernetes_namespace":{"type":"string","description":"The name of the Kubernetes namespace in which to generate the credentials.","description_kind":"plain","required":true},"lease_duration":{"type":"number","description":"The duration of the lease in seconds.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"The lease identifier assigned by Vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description":"The name of the role.","description_kind":"plain","required":true},"service_account_name":{"type":"string","description":"The name of the service account associated with the token.","description_kind":"plain","computed":true},"service_account_namespace":{"type":"string","description":"The Kubernetes namespace that the service account resides in.","description_kind":"plain","computed":true},"service_account_token":{"type":"string","description":"The Kubernetes service account token.","description_kind":"plain","computed":true,"sensitive":true},"ttl":{"type":"string","description":"The TTL of the generated Kubernetes service account token, specified in seconds or as a Go duration format string","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kv_secret":{"version":0,"block":{"attributes":{"data":{"type":["map","string"],"description":"Map of strings read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data read from 
Vault.","description_kind":"plain","computed":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"Lease duration in seconds.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"Lease identifier assigned by Vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path of the KV-V1 secret.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_kv_secret_subkeys_v2":{"version":0,"block":{"attributes":{"data":{"type":["map","string"],"description":"Subkeys stored as a map of strings.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"Subkeys for the KV-V2 secret read from Vault.","description_kind":"plain","computed":true},"depth":{"type":"number","description":"Specifies the deepest nesting level to provide in the output.If non-zero, keys that reside at the specified depth value will be artificially treated as leaves and will thus be 'null' even if further underlying sub-keys exist.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted","description_kind":"plain","required":true},"name":{"type":"string","description":"Full name of the secret. For a nested secret, the name is the nested path excluding the mount and data prefix. 
For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz'","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where the generic secret will be written.","description_kind":"plain","computed":true},"version":{"type":"number","description":"Specifies the version to return. If not set the latest version is returned.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kv_secret_v2":{"version":0,"block":{"attributes":{"created_time":{"type":"string","description":"Time at which the secret was created","description_kind":"plain","computed":true},"custom_metadata":{"type":["map","string"],"description":"Custom metadata for the secret","description_kind":"plain","computed":true},"data":{"type":["map","string"],"description":"Map of strings read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"deletion_time":{"type":"string","description":"Deletion time for the secret","description_kind":"plain","computed":true},"destroyed":{"type":"bool","description":"Indicates whether the secret has been destroyed","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted","description_kind":"plain","required":true},"name":{"type":"string","description":"Full name of the secret. For a nested secret, the name is the nested path excluding the mount and data prefix. For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz'","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where the KVV2 secret is written.","description_kind":"plain","computed":true},"version":{"type":"number","description":"Version of the secret to retrieve","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kv_secrets_list":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"names":{"type":["list","string"],"description":"List of all secret names.","description_kind":"plain","computed":true,"sensitive":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full KV-V1 path where secrets will be listed.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_kv_secrets_list_v2":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted","description_kind":"plain","required":true},"name":{"type":"string","description":"Full named path of the secret. For a nested secret, the name is the nested path excluding the mount and data prefix. For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz'","description_kind":"plain","optional":true},"names":{"type":["list","string"],"description":"List of all secret names.","description_kind":"plain","computed":true,"sensitive":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where the KV-V2 secrets are listed.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_ldap_dynamic_credentials":{"version":0,"block":{"attributes":{"distinguished_names":{"type":["list","string"],"description":"List of the distinguished names (DN) created.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"Lease duration in seconds.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"Lease identifier assigned by Vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"mount":{"type":"string","description":"LDAP Secret Backend to read credentials from.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"password":{"type":"string","description":"Password for the dynamic role.","description_kind":"plain","computed":true,"sensitive":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"username":{"type":"string","description":"Name of the dynamic role.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_ldap_static_credentials":{"version":0,"block":{"attributes":{"dn":{"type":"string","description":"Distinguished name (DN) of the existing LDAP entry to manage password rotation for.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"last_password":{"type":"string","description":"Last known password for the static role.","description_kind":"plain","computed":true,"sensitive":true},"last_vault_rotation":{"type":"string","description":"Last time Vault rotated this static role's password.","description_kind":"plain","computed":true},"mount":{"type":"string","description":"LDAP Secret Backend to read credentials from.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"password":{"type":"string","description":"Password for the static role.","description_kind":"plain","computed":true,"sensitive":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"rotation_period":{"type":"number","description":"How often Vault should rotate the password of the user entry.","description_kind":"plain","computed":true},"ttl":{"type":"number","description":"Duration in seconds after which the issued credential should expire.","description_kind":"plain","computed":true},"username":{"type":"string","description":"Name of the static role.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_nomad_access_token":{"version":0,"block":{"attributes":{"accessor_id":{"type":"string","description":"The public identifier for a specific token. It can be used to look up information about a token or to revoke a token.","description_kind":"plain","computed":true},"backend":{"type":"string","description":"Nomad secret backend to generate tokens from.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"secret_id":{"type":"string","description":"Used to make requests to Nomad and should be kept private.","description_kind":"plain","computed":true,"sensitive":true}},"description_kind":"plain"}},"vault_pki_secret_backend_issuer":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"ca_chain":{"type":["list","string"],"description":"The CA chain as a list of format specific certificates","description_kind":"plain","computed":true},"certificate":{"type":"string","description":"The certificate.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer_id":{"type":"string","description":"ID of the issuer.","description_kind":"plain","computed":true},"issuer_name":{"type":"string","description":"Name of the issuer.","description_kind":"plain","computed":true},"issuer_ref":{"type":"string","description":"Reference to an existing issuer.","description_kind":"plain","required":true},"key_id":{"type":"string","description":"ID of the key used by the issuer.","description_kind":"plain","computed":true},"leaf_not_after_behavior":{"type":"string","description":"Behavior of a leaf's NotAfter field during issuance.","description_kind":"plain","computed":true},"manual_chain":{"type":["list","string"],"description":"Chain of issuer references to build this issuer's computed CAChain field from, when non-empty","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"usage":{"type":"string","description":"Allowed usages for this issuer.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_pki_secret_backend_issuers":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_info":{"type":["map","string"],"description":"Map of issuer strings read from Vault.","description_kind":"plain","computed":true},"key_info_json":{"type":"string","description":"JSON-encoded key info data read from Vault.","description_kind":"plain","computed":true},"keys":{"type":["list","string"],"description":"Keys used by issuers under the backend path.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_key":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_id":{"type":"string","description":"ID of the key used.","description_kind":"plain","computed":true},"key_name":{"type":"string","description":"Name of the key.","description_kind":"plain","computed":true},"key_ref":{"type":"string","description":"Reference to an existing key.","description_kind":"plain","required":true},"key_type":{"type":"string","description":"Type of the key.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_keys":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_info":{"type":["map","string"],"description":"Map of key strings read from Vault.","description_kind":"plain","computed":true},"key_info_json":{"type":"string","description":"JSON-encoded key data read from Vault.","description_kind":"plain","computed":true},"keys":{"type":["list","string"],"description":"Keys used under the backend path.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_policy_document":{"version":0,"block":{"attributes":{"hcl":{"type":"string","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"block_types":{"rule":{"nesting_mode":"list","block":{"attributes":{"capabilities":{"type":["list","string"],"description_kind":"plain","required":true},"description":{"type":"string","description_kind":"plain","optional":true},"max_wrapping_ttl":{"type":"string","description_kind":"plain","optional":true},"min_wrapping_ttl":{"type":"string","description_kind":"plain","optional":true},"path":{"type":"string","description_kind":"plain","required":true},"required_parameters":{"type":["list","string"],"description_kind":"plain","optional":true}},"block_types":{"allowed_parameter":{"nesting_mode":"list","block":{"attributes":{"key":{"type":"string","description_kind":"plain","required":true},"value":{"type":["list","string"],"description_kind":"plain","required":true}},"description_kind":"plain"}},"denied_parameter":{"nesting_mode":"list","block":{"attributes":{"key":{"type":"string","description_kind":"plain","required":true},"value":{"type":["list","string"],"description_kind":"plain","required":true}},"description_kind":"plain"}}},"description":"The policy rule","description_kind":"plain"}}},"description_kind":"plain"}},"vault_raft_autopilot_state":{"version":0,"block":{"attributes":{"failure_tolerance":{"type":"number","description":"How many nodes could fail before the cluster becomes unhealthy","description_kind":"plain","computed":true},"healthy":{"type":"bool","description":"Health status","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"leader":{"type":"string","description":"Current leader of Vault","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"optimistic_failure_tolerance":{"type":"number","description":"The cluster-level optimistic failure tolerance.","description_kind":"plain","computed":true},"redundancy_zones":{"type":["map","string"],"description":"Additional output related to redundancy zones stored as a map of strings.","description_kind":"plain","computed":true},"redundancy_zones_json":{"type":"string","description":"Subkeys for the redundancy zones read from Vault.","description_kind":"plain","computed":true},"servers":{"type":["map","string"],"description":"Additional output related to servers stored as a map of strings.","description_kind":"plain","computed":true},"servers_json":{"type":"string","description":"Subkeys for the servers read from Vault.","description_kind":"plain","computed":true},"upgrade_info":{"type":["map","string"],"description":"Additional output related to upgrade info stored as a map of strings.","description_kind":"plain","computed":true},"upgrade_info_json":{"type":"string","description":"Subkeys for the servers read from Vault.","description_kind":"plain","computed":true},"voters":{"type":["list","string"],"description":"The voters in the Vault cluster.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_transform_decode":{"version":0,"block":{"attributes":{"batch_input":{"type":["list",["map","string"]],"description":"Specifies a list of items to be decoded in a single batch. If this parameter is set, the top-level parameters 'value', 'transformation' and 'tweak' will be ignored. 
Each batch item within the list can specify these parameters instead.","description_kind":"plain","optional":true},"batch_results":{"type":["list",["map","string"]],"description":"The result of decoding batch_input.","description_kind":"plain","optional":true,"computed":true},"decoded_value":{"type":"string","description":"The result of decoding a value.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to backend from which to retrieve data.","description_kind":"plain","required":true},"role_name":{"type":"string","description":"The name of the role.","description_kind":"plain","required":true},"transformation":{"type":"string","description":"The transformation to perform. If no value is provided and the role contains a single transformation, this value will be inferred from the role.","description_kind":"plain","optional":true},"tweak":{"type":"string","description":"The tweak value to use. Only applicable for FPE transformations","description_kind":"plain","optional":true},"value":{"type":"string","description":"The value in which to decode.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transform_encode":{"version":0,"block":{"attributes":{"batch_input":{"type":["list",["map","string"]],"description":"Specifies a list of items to be encoded in a single batch. If this parameter is set, the parameters 'value', 'transformation' and 'tweak' will be ignored. 
Each batch item within the list can specify these parameters instead.","description_kind":"plain","optional":true},"batch_results":{"type":["list",["map","string"]],"description":"The result of encoding batch_input.","description_kind":"plain","optional":true,"computed":true},"encoded_value":{"type":"string","description":"The result of encoding a value.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to backend from which to retrieve data.","description_kind":"plain","required":true},"role_name":{"type":"string","description":"The name of the role.","description_kind":"plain","required":true},"transformation":{"type":"string","description":"The transformation to perform. If no value is provided and the role contains a single transformation, this value will be inferred from the role.","description_kind":"plain","optional":true},"tweak":{"type":"string","description":"The tweak value to use. 
Only applicable for FPE transformations","description_kind":"plain","optional":true},"value":{"type":"string","description":"The value in which to encode.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transit_decrypt":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The Transit secret backend the key belongs to.","description_kind":"plain","required":true},"ciphertext":{"type":"string","description":"Transit encrypted cipher text.","description_kind":"plain","required":true},"context":{"type":"string","description":"Specifies the context for key derivation","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key":{"type":"string","description":"Name of the decryption key to use.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"plaintext":{"type":"string","description":"Decrypted plain text","description_kind":"plain","computed":true,"sensitive":true}},"description_kind":"plain"}},"vault_transit_encrypt":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The Transit secret backend the key belongs to.","description_kind":"plain","required":true},"ciphertext":{"type":"string","description":"Transit encrypted cipher text.","description_kind":"plain","computed":true},"context":{"type":"string","description":"Specifies the context for key derivation","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key":{"type":"string","description":"Name of the encryption key to use.","description_kind":"plain","required":true},"key_version":{"type":"number","description":"The version of the key to use for encryption","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"plaintext":{"type":"string","description":"Map of strings read from Vault.","description_kind":"plain","required":true,"sensitive":true}},"description_kind":"plain"}}}}}} +{"format_version":"1.0","provider_schemas":{"registry.terraform.io/hashicorp/vault":{"provider":{"version":0,"block":{"attributes":{"add_address_to_env":{"type":"string","description":"If true, adds the value of the `address` argument to the Terraform process environment.","description_kind":"plain","optional":true},"address":{"type":"string","description":"URL of the root of the target Vault server.","description_kind":"plain","required":true},"ca_cert_dir":{"type":"string","description":"Path to directory containing CA certificate files to validate the server's certificate.","description_kind":"plain","optional":true},"ca_cert_file":{"type":"string","description":"Path to a CA certificate file to validate the server's certificate.","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum TTL for secret leases requested by this provider.","description_kind":"plain","optional":true},"max_retries":{"type":"number","description":"Maximum number of retries when a 5xx error code is encountered.","description_kind":"plain","optional":true},"max_retries_ccc":{"type":"number","description":"Maximum number of retries for Client Controlled Consistency related operations","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The namespace to use. 
Available only for Vault Enterprise.","description_kind":"plain","optional":true},"set_namespace_from_token":{"type":"bool","description":"In the case where the Vault token is for a specific namespace and the provider namespace is not configured, use the token namespace as the root namespace for all resources.","description_kind":"plain","optional":true},"skip_child_token":{"type":"bool","description":"Set this to true to prevent the creation of ephemeral child token used by this provider.","description_kind":"plain","optional":true},"skip_get_vault_version":{"type":"bool","description":"Skip the dynamic fetching of the Vault server version.","description_kind":"plain","optional":true},"skip_tls_verify":{"type":"bool","description":"Set this to true only if the target Vault server is an insecure development instance.","description_kind":"plain","optional":true},"tls_server_name":{"type":"string","description":"Name to use as the SNI host when connecting via TLS.","description_kind":"plain","optional":true},"token":{"type":"string","description":"Token to use to authenticate to Vault.","description_kind":"plain","optional":true},"token_name":{"type":"string","description":"Token name to use for creating the Vault child token.","description_kind":"plain","optional":true},"vault_version_override":{"type":"string","description":"Override the Vault server version, which is normally determined dynamically from the target Vault server","description_kind":"plain","optional":true}},"block_types":{"auth_login":{"nesting_mode":"list","block":{"attributes":{"method":{"type":"string","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. 
Conflicts with use_root_namespace","description_kind":"plain","optional":true},"parameters":{"type":["map","string"],"description_kind":"plain","optional":true,"sensitive":true},"path":{"type":"string","description_kind":"plain","required":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault with an existing auth method using auth/\u003cmount\u003e/login","description_kind":"plain"},"max_items":1},"auth_login_aws":{"nesting_mode":"list","block":{"attributes":{"aws_access_key_id":{"type":"string","description":"The AWS access key ID.","description_kind":"plain","optional":true},"aws_iam_endpoint":{"type":"string","description":"The IAM endpoint URL.","description_kind":"plain","optional":true},"aws_profile":{"type":"string","description":"The name of the AWS profile.","description_kind":"plain","optional":true},"aws_region":{"type":"string","description":"The AWS region.","description_kind":"plain","optional":true},"aws_role_arn":{"type":"string","description":"The ARN of the AWS Role to assume.Used during STS AssumeRole","description_kind":"plain","optional":true},"aws_role_session_name":{"type":"string","description":"Specifies the name to attach to the AWS role session. 
Used during STS AssumeRole","description_kind":"plain","optional":true},"aws_secret_access_key":{"type":"string","description":"The AWS secret access key.","description_kind":"plain","optional":true},"aws_session_token":{"type":"string","description":"The AWS session token.","description_kind":"plain","optional":true},"aws_shared_credentials_file":{"type":"string","description":"Path to the AWS shared credentials file.","description_kind":"plain","optional":true},"aws_sts_endpoint":{"type":"string","description":"The STS endpoint URL.","description_kind":"plain","optional":true},"aws_web_identity_token_file":{"type":"string","description":"Path to the file containing an OAuth 2.0 access token or OpenID Connect ID token.","description_kind":"plain","optional":true},"header_value":{"type":"string","description":"The Vault header value to include in the STS signing request.","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"role":{"type":"string","description":"The Vault role to use when logging into Vault.","description_kind":"plain","required":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using the AWS method","description_kind":"plain"},"max_items":1},"auth_login_azure":{"nesting_mode":"list","block":{"attributes":{"client_id":{"type":"string","description":"The identity's client ID.","description_kind":"plain","optional":true},"jwt":{"type":"string","description":"A signed JSON Web Token. 
If not specified on will be created automatically","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"resource_group_name":{"type":"string","description":"The resource group for the machine that generated the MSI token. This information can be obtained through instance metadata.","description_kind":"plain","required":true},"role":{"type":"string","description":"Name of the login role.","description_kind":"plain","required":true},"scope":{"type":"string","description":"The scopes to include in the token request.","description_kind":"plain","optional":true},"subscription_id":{"type":"string","description":"The subscription ID for the machine that generated the MSI token. This information can be obtained through instance metadata.","description_kind":"plain","required":true},"tenant_id":{"type":"string","description":"Provides the tenant ID to use in a multi-tenant authentication scenario.","description_kind":"plain","optional":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true},"vm_name":{"type":"string","description":"The virtual machine name for the machine that generated the MSI token. This information can be obtained through instance metadata.","description_kind":"plain","optional":true},"vmss_name":{"type":"string","description":"The virtual machine scale set name for the machine that generated the MSI token. 
This information can be obtained through instance metadata.","description_kind":"plain","optional":true}},"description":"Login to vault using the azure method","description_kind":"plain"},"max_items":1},"auth_login_cert":{"nesting_mode":"list","block":{"attributes":{"cert_file":{"type":"string","description":"Path to a file containing the client certificate.","description_kind":"plain","required":true},"key_file":{"type":"string","description":"Path to a file containing the private key that the certificate was issued for.","description_kind":"plain","required":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the certificate's role","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using the cert method","description_kind":"plain"},"max_items":1},"auth_login_gcp":{"nesting_mode":"list","block":{"attributes":{"credentials":{"type":"string","description":"Path to the Google Cloud credentials file.","description_kind":"plain","optional":true},"jwt":{"type":"string","description":"A signed JSON Web Token.","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. 
Conflicts with use_root_namespace","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the login role.","description_kind":"plain","required":true},"service_account":{"type":"string","description":"IAM service account.","description_kind":"plain","optional":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using the gcp method","description_kind":"plain"},"max_items":1},"auth_login_jwt":{"nesting_mode":"list","block":{"attributes":{"jwt":{"type":"string","description":"A signed JSON Web Token.","description_kind":"plain","required":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the login role.","description_kind":"plain","required":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using the jwt method","description_kind":"plain"},"max_items":1},"auth_login_kerberos":{"nesting_mode":"list","block":{"attributes":{"disable_fast_negotiation":{"type":"bool","description":"Disable the Kerberos FAST negotiation.","description_kind":"plain","optional":true},"keytab_path":{"type":"string","description":"The Kerberos keytab file containing the entry of the login entity.","description_kind":"plain","optional":true},"krb5conf_path":{"type":"string","description":"A valid Kerberos configuration file e.g. 
/etc/krb5.conf.","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"realm":{"type":"string","description":"The Kerberos server's authoritative authentication domain","description_kind":"plain","optional":true},"remove_instance_name":{"type":"bool","description":"Strip the host from the username found in the keytab.","description_kind":"plain","optional":true},"service":{"type":"string","description":"The service principle name.","description_kind":"plain","optional":true},"token":{"type":"string","description":"Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) token","description_kind":"plain","optional":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true},"username":{"type":"string","description":"The username to login into Kerberos with.","description_kind":"plain","optional":true}},"description":"Login to vault using the kerberos method","description_kind":"plain"},"max_items":1},"auth_login_oci":{"nesting_mode":"list","block":{"attributes":{"auth_type":{"type":"string","description":"Authentication type to use when getting OCI credentials.","description_kind":"plain","required":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. 
Conflicts with use_root_namespace","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the login role.","description_kind":"plain","required":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using the OCI method","description_kind":"plain"},"max_items":1},"auth_login_oidc":{"nesting_mode":"list","block":{"attributes":{"callback_address":{"type":"string","description":"The callback address. Must be a valid URI without the path.","description_kind":"plain","optional":true},"callback_listener_address":{"type":"string","description":"The callback listener's address. Must be a valid URI without the path.","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the login role.","description_kind":"plain","required":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using the oidc method","description_kind":"plain"},"max_items":1},"auth_login_radius":{"nesting_mode":"list","block":{"attributes":{"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. 
Conflicts with use_root_namespace","description_kind":"plain","optional":true},"password":{"type":"string","description":"The Radius password for username.","description_kind":"plain","required":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true},"username":{"type":"string","description":"The Radius username.","description_kind":"plain","required":true}},"description":"Login to vault using the radius method","description_kind":"plain"},"max_items":1},"auth_login_token_file":{"nesting_mode":"list","block":{"attributes":{"filename":{"type":"string","description":"The name of a file containing a single line that is a valid Vault token","description_kind":"plain","required":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using ","description_kind":"plain"},"max_items":1},"auth_login_userpass":{"nesting_mode":"list","block":{"attributes":{"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"password":{"type":"string","description":"Login with password","description_kind":"plain","optional":true},"password_file":{"type":"string","description":"Login with password from a file","description_kind":"plain","optional":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. 
Conflicts with namespace","description_kind":"plain","optional":true},"username":{"type":"string","description":"Login with username","description_kind":"plain","required":true}},"description":"Login to vault using the userpass method","description_kind":"plain"},"max_items":1},"client_auth":{"nesting_mode":"list","block":{"attributes":{"cert_file":{"type":"string","description":"Path to a file containing the client certificate.","description_kind":"plain","optional":true},"key_file":{"type":"string","description":"Path to a file containing the private key that the certificate was issued for.","description_kind":"plain","optional":true}},"description":"Client authentication credentials.","description_kind":"plain","deprecated":true},"max_items":1},"headers":{"nesting_mode":"list","block":{"attributes":{"name":{"type":"string","description":"The header name","description_kind":"plain","required":true},"value":{"type":"string","description":"The header value","description_kind":"plain","required":true}},"description":"The headers to send with each Vault request.","description_kind":"plain"}}},"description_kind":"plain"}},"resource_schemas":{"vault_ad_secret_backend":{"version":1,"block":{"attributes":{"anonymous_group_search":{"type":"bool","description":"Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The mount path for a backend, for example, the path given in \"$ vault auth enable -path=my-ad ad\".","description_kind":"plain","optional":true},"binddn":{"type":"string","description":"Distinguished name of object to bind when performing user and group search.","description_kind":"plain","required":true},"bindpass":{"type":"string","description":"LDAP password for searching for the user 
DN.","description_kind":"plain","required":true,"sensitive":true},"case_sensitive_names":{"type":"bool","description":"If true, case sensitivity will be used when comparing usernames and groups for matching policies.","description_kind":"plain","optional":true},"certificate":{"type":"string","description":"CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.","description_kind":"plain","optional":true},"client_tls_cert":{"type":"string","description":"Client certificate to provide to the LDAP server, must be x509 PEM encoded.","description_kind":"plain","optional":true,"sensitive":true},"client_tls_key":{"type":"string","description":"Client certificate key to provide to the LDAP server, must be x509 PEM encoded.","description_kind":"plain","optional":true,"sensitive":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds","description_kind":"plain","optional":true,"computed":true},"deny_null_bind":{"type":"bool","description":"Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"discoverdn":{"type":"bool","description":"Use anonymous bind to discover the bind DN of a user.","description_kind":"plain","optional":true},"groupattr":{"type":"string","description":"LDAP attribute to follow on objects returned by \u003cgroupfilter\u003e in order to enumerate user group membership. Examples: \"cn\" or \"memberOf\", etc. 
Default: cn","description_kind":"plain","optional":true},"groupdn":{"type":"string","description":"LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org)","description_kind":"plain","optional":true},"groupfilter":{"type":"string","description":"Go template for querying group membership of user. The template can access the following context variables: UserDN, Username Example: (\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"insecure_tls":{"type":"bool","description":"Skip LDAP server SSL Certificate verification - insecure and not recommended for production use.","description_kind":"plain","optional":true},"last_rotation_tolerance":{"type":"number","description":"The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band.","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds.","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"In seconds, the maximum password time-to-live.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"password_policy":{"type":"string","description":"Name of the password policy to use to generate passwords.","description_kind":"plain","optional":true},"request_timeout":{"type":"number","description":"Timeout, in seconds, for the connection when making requests against the server before returning back an error.","description_kind":"plain","optional":true},"starttls":{"type":"bool","description":"Issue a StartTLS command after establishing unencrypted connection.","description_kind":"plain","optional":true,"computed":true},"tls_max_version":{"type":"string","description":"Maximum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12'","description_kind":"plain","optional":true,"computed":true},"tls_min_version":{"type":"string","description":"Minimum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12'","description_kind":"plain","optional":true,"computed":true},"ttl":{"type":"number","description":"In seconds, the default password time-to-live.","description_kind":"plain","optional":true,"computed":true},"upndomain":{"type":"string","description":"Enables userPrincipalDomain login with [username]@UPNDomain.","description_kind":"plain","optional":true,"computed":true},"url":{"type":"string","description":"LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order.","description_kind":"plain","optional":true},"use_pre111_group_cn_behavior":{"type":"bool","description":"In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. 
It is enabled by default if the config is upgraded but disabled by default on new configurations.","description_kind":"plain","optional":true,"computed":true},"use_token_groups":{"type":"bool","description":"If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.","description_kind":"plain","optional":true},"userattr":{"type":"string","description":"Attribute used for users (default: cn)","description_kind":"plain","optional":true},"userdn":{"type":"string","description":"LDAP domain to use for users (eg: ou=People,dc=example,dc=org)","description_kind":"plain","optional":true}},"description_kind":"plain","deprecated":true}},"vault_ad_secret_library":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The mount path for the AD backend.","description_kind":"plain","required":true},"disable_check_in_enforcement":{"type":"bool","description":"Disable enforcing that service accounts must be checked in by the entity or client token that checked them out.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"The maximum amount of time, in seconds, a check-out last with renewal before Vault automatically checks it back in.","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the set of service accounts.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"service_account_names":{"type":["list","string"],"description":"The names of all the service accounts that can be checked out from this set. 
These service accounts must already exist in Active Directory.","description_kind":"plain","required":true},"ttl":{"type":"number","description":"The amount of time, in seconds, a single check-out lasts before Vault automatically checks it back in.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain","deprecated":true}},"vault_ad_secret_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The mount path for the AD backend.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"last_vault_rotation":{"type":"string","description":"Last time Vault rotated this service account's password.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"password_last_set":{"type":"string","description":"Last time Vault set this service account's password.","description_kind":"plain","computed":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"service_account_name":{"type":"string","description":"The username/logon name for the service account with which this role will be associated.","description_kind":"plain","required":true},"ttl":{"type":"number","description":"In seconds, the default password time-to-live.","description_kind":"plain","optional":true}},"description_kind":"plain","deprecated":true}},"vault_alicloud_auth_backend_role":{"version":0,"block":{"attributes":{"arn":{"type":"string","description":"The role's arn.","description_kind":"plain","required":true},"backend":{"type":"string","description":"Auth backend.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role. Must correspond with the name of the role reflected in the arn.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_approle_auth_backend_login":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor for the token.","description_kind":"plain","computed":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"client_token":{"type":"string","description":"The 
token.","description_kind":"plain","computed":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"How long the token is valid for.","description_kind":"plain","computed":true},"lease_started":{"type":"string","description":"The timestamp the lease started on, as determined by the machine running Terraform.","description_kind":"plain","computed":true},"metadata":{"type":["map","string"],"description":"Metadata associated with the token.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["list","string"],"description":"Policies set on the token.","description_kind":"plain","computed":true},"renewable":{"type":"bool","description":"Whether the token is renewable or not.","description_kind":"plain","computed":true},"role_id":{"type":"string","description":"The RoleID to log in with.","description_kind":"plain","required":true},"secret_id":{"type":"string","description":"The SecretID to log in with.","description_kind":"plain","optional":true,"sensitive":true}},"description_kind":"plain"}},"vault_approle_auth_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"bind_secret_id":{"type":"bool","description":"Whether or not to require secret_id to be present when logging in using this AppRole.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role_id":{"type":"string","description":"The RoleID of the role. 
Autogenerated if not set.","description_kind":"plain","optional":true,"computed":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"secret_id_bound_cidrs":{"type":["set","string"],"description":"List of CIDR blocks that can log in using the AppRole.","description_kind":"plain","optional":true},"secret_id_num_uses":{"type":"number","description":"Number of times which a particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will expire. Leaving this unset or setting it to 0 will allow unlimited uses.","description_kind":"plain","optional":true},"secret_id_ttl":{"type":"number","description":"Number of seconds a SecretID remains valid for.","description_kind":"plain","optional":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in 
seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_approle_auth_backend_role_secret_id":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"The unique ID used to access this SecretID.","description_kind":"plain","computed":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"cidr_list":{"type":["set","string"],"description":"List of CIDR blocks that can log in using the SecretID.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"metadata":{"type":"string","description":"JSON-encoded secret data to write.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"secret_id":{"type":"string","description":"The SecretID to be managed. If not specified, Vault auto-generates one.","description_kind":"plain","optional":true,"computed":true,"sensitive":true},"with_wrapped_accessor":{"type":"bool","description":"Use the wrapped secret-id accessor as the id of this resource. 
If false, a fresh secret-id will be regenerated whenever the wrapping token is expired or invalidated through unwrapping.","description_kind":"plain","optional":true},"wrapping_accessor":{"type":"string","description":"The wrapped SecretID accessor.","description_kind":"plain","computed":true},"wrapping_token":{"type":"string","description":"The wrapped SecretID token.","description_kind":"plain","computed":true,"sensitive":true},"wrapping_ttl":{"type":"string","description":"The TTL duration of the wrapped SecretID.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_audit":{"version":0,"block":{"attributes":{"description":{"type":"string","description":"Human-friendly description of the audit device.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Specifies if the audit device is a local only. Local audit devices are not replicated nor (if a secondary) removed by replication.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"Configuration options to pass to the audit device itself.","description_kind":"plain","required":true},"path":{"type":"string","description":"Path in which to enable the audit device.","description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of the audit device, such as 'file'.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_audit_request_header":{"version":0,"block":{"attributes":{"hmac":{"type":"bool","description":"Whether this header's value should be HMAC'd in the audit logs.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the request header to audit.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor of the auth backend","description_kind":"plain","computed":true},"description":{"type":"string","description":"The description of the auth backend","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity_token_key":{"type":"string","description":"The key to use for signing identity tokens.","description_kind":"plain","optional":true},"local":{"type":"bool","description":"Specifies if the auth method is local only","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"path to mount the backend. This defaults to the type.","description_kind":"plain","optional":true,"computed":true},"tune":{"type":["set",["object",{"allowed_response_headers":["list","string"],"audit_non_hmac_request_keys":["list","string"],"audit_non_hmac_response_keys":["list","string"],"default_lease_ttl":"string","listing_visibility":"string","max_lease_ttl":"string","passthrough_request_headers":["list","string"],"token_type":"string"}]],"description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Name of the auth backend","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_aws_auth_backend_cert":{"version":0,"block":{"attributes":{"aws_public_cert":{"type":"string","description":"Base64 encoded AWS Public key required to verify PKCS7 signature of the EC2 instance metadata.","description_kind":"plain","required":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"cert_name":{"type":"string","description":"Name of the certificate to configure.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"type":{"type":"string","description":"The type of document that can be verified using the certificate. 
Must be either \"pkcs7\" or \"identity\".","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_client":{"version":0,"block":{"attributes":{"access_key":{"type":"string","description":"AWS Access key with permissions to query AWS APIs.","description_kind":"plain","optional":true,"sensitive":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"ec2_endpoint":{"type":"string","description":"URL to override the default generated endpoint for making AWS EC2 API calls.","description_kind":"plain","optional":true},"iam_endpoint":{"type":"string","description":"URL to override the default generated endpoint for making AWS IAM API calls.","description_kind":"plain","optional":true},"iam_server_id_header_value":{"type":"string","description":"The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the iam auth method.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity_token_audience":{"type":"string","description":"The audience claim value.","description_kind":"plain","optional":true},"identity_token_ttl":{"type":"number","description":"The TTL of generated identity tokens in seconds.","description_kind":"plain","optional":true,"computed":true},"max_retries":{"type":"number","description":"Number of max retries the client should use for recoverable errors.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role_arn":{"type":"string","description":"Role ARN to assume for plugin identity token federation.","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"AWS Secret key with permissions to query AWS APIs.","description_kind":"plain","optional":true,"sensitive":true},"sts_endpoint":{"type":"string","description":"URL to override the default generated endpoint for making AWS STS API calls.","description_kind":"plain","optional":true},"sts_region":{"type":"string","description":"Region to override the default region for making AWS STS API calls.","description_kind":"plain","optional":true},"use_sts_region_from_client":{"type":"bool","description":"If set, will override sts_region and use the region from the client request's header","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_aws_auth_backend_config_identity":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"ec2_alias":{"type":"string","description":"Configures how to generate the identity alias when using the ec2 auth method.","description_kind":"plain","optional":true},"ec2_metadata":{"type":["set","string"],"description":"The metadata to include on the token returned by the login endpoint.","description_kind":"plain","optional":true},"iam_alias":{"type":"string","description":"How to generate the identity alias when using the iam auth method.","description_kind":"plain","optional":true},"iam_metadata":{"type":["set","string"],"description":"The metadata to include on the token returned by the login endpoint.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_identity_whitelist":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"disable_periodic_tidy":{"type":"bool","description":"If true, disables the periodic tidying of the identiy whitelist entries.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"safety_buffer":{"type":"number","description":"The amount of extra time that must have passed beyond the roletag expiration, before it's removed from backend storage.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_login":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor returned from Vault for this token.","description_kind":"plain","computed":true},"auth_type":{"type":"string","description":"The auth method used to generate this token.","description_kind":"plain","computed":true},"backend":{"type":"string","description":"AWS Auth Backend to read the token from.","description_kind":"plain","optional":true},"client_token":{"type":"string","description":"The token returned by Vault.","description_kind":"plain","computed":true,"sensitive":true},"iam_http_request_method":{"type":"string","description":"The HTTP method used in the signed request.","description_kind":"plain","optional":true},"iam_request_body":{"type":"string","description":"The Base64-encoded body of the signed request.","description_kind":"plain","optional":true},"iam_request_headers":{"type":"string","description":"The Base64-encoded, JSON serialized representation of the sts:GetCallerIdentity HTTP request 
headers.","description_kind":"plain","optional":true},"iam_request_url":{"type":"string","description":"The Base64-encoded HTTP URL used in the signed request.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity":{"type":"string","description":"Base64-encoded EC2 instance identity document to authenticate with.","description_kind":"plain","optional":true},"lease_duration":{"type":"number","description":"Lease duration in seconds relative to the time in lease_start_time.","description_kind":"plain","computed":true},"lease_start_time":{"type":"string","description":"Time at which the lease was read, using the clock of the system where Terraform was running","description_kind":"plain","computed":true},"metadata":{"type":["map","string"],"description":"The metadata reported by the Vault server.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"nonce":{"type":"string","description":"The nonce to be used for subsequent login requests.","description_kind":"plain","optional":true,"computed":true},"pkcs7":{"type":"string","description":"PKCS7 signature of the identity document to authenticate with, with all newline characters removed.","description_kind":"plain","optional":true},"policies":{"type":["list","string"],"description":"The policies assigned to this token.","description_kind":"plain","computed":true},"renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"role":{"type":"string","description":"AWS Auth Role to read the token from.","description_kind":"plain","optional":true,"computed":true},"signature":{"type":"string","description":"Base64-encoded SHA256 RSA signature of the instance identtiy document to authenticate 
with.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_role":{"version":0,"block":{"attributes":{"allow_instance_migration":{"type":"bool","description":"When true, allows migration of the underlying instance where the client resides. Use with caution.","description_kind":"plain","optional":true},"auth_type":{"type":"string","description":"The auth type permitted for this role.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"bound_account_ids":{"type":["set","string"],"description":"Only EC2 instances with this account ID in their identity document will be permitted to log in.","description_kind":"plain","optional":true},"bound_ami_ids":{"type":["set","string"],"description":"Only EC2 instances using this AMI ID will be permitted to log in.","description_kind":"plain","optional":true},"bound_ec2_instance_ids":{"type":["set","string"],"description":"Only EC2 instances that match this instance ID will be permitted to log in.","description_kind":"plain","optional":true},"bound_iam_instance_profile_arns":{"type":["set","string"],"description":"Only EC2 instances associated with an IAM instance profile ARN that matches this value will be permitted to log in.","description_kind":"plain","optional":true},"bound_iam_principal_arns":{"type":["set","string"],"description":"The IAM principal that must be authenticated using the iam auth method.","description_kind":"plain","optional":true},"bound_iam_role_arns":{"type":["set","string"],"description":"Only EC2 instances that match this IAM role ARN will be permitted to log in.","description_kind":"plain","optional":true},"bound_regions":{"type":["set","string"],"description":"Only EC2 instances in this region will be permitted to log in.","description_kind":"plain","optional":true},"bound_subnet_ids":{"type":["set","string"],"description":"Only EC2 
instances associated with this subnet ID will be permitted to log in.","description_kind":"plain","optional":true},"bound_vpc_ids":{"type":["set","string"],"description":"Only EC2 instances associated with this VPC ID will be permitted to log in.","description_kind":"plain","optional":true},"disallow_reauthentication":{"type":"bool","description":"When true, only allows a single token to be granted per instance ID.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"inferred_aws_region":{"type":"string","description":"The region to search for the inferred entities in.","description_kind":"plain","optional":true},"inferred_entity_type":{"type":"string","description":"The type of inferencing Vault should do.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"resolve_aws_unique_ids":{"type":"bool","description":"Whether or not Vault should resolve the bound_iam_principal_arn to an AWS Unique ID. 
When true, deleting a principal and recreating it with the same name won't automatically grant the new principal the same roles in Vault that the old principal had.","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"role_id":{"type":"string","description":"The Vault generated role ID.","description_kind":"plain","computed":true},"role_tag":{"type":"string","description":"The key of the tag on EC2 instance to use for role tags.","description_kind":"plain","optional":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or 
batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_role_tag":{"version":0,"block":{"attributes":{"allow_instance_migration":{"type":"bool","description":"Allows migration of the underlying instance where the client resides.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"AWS auth backend to read tags from.","description_kind":"plain","optional":true},"disallow_reauthentication":{"type":"bool","description":"Only allow a single token to be granted per instance ID.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"instance_id":{"type":"string","description":"Instance ID for which this tag is intended. The created tag can only be used by the instance with the given ID.","description_kind":"plain","optional":true},"max_ttl":{"type":"string","description":"The maximum allowed lifetime of tokens issued using this role.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"Policies to be associated with the tag.","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"tag_key":{"type":"string","description_kind":"plain","computed":true},"tag_value":{"type":"string","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_aws_auth_backend_roletag_blacklist":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","required":true},"disable_periodic_tidy":{"type":"bool","description":"If true, disables the periodic tidying of the roletag blacklist entries.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"safety_buffer":{"type":"number","description":"The amount of extra time that must have passed beyond the roletag expiration, before it's removed from backend storage.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_sts_role":{"version":0,"block":{"attributes":{"account_id":{"type":"string","description":"AWS account ID to be associated with STS role.","description_kind":"plain","required":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"sts_role":{"type":"string","description":"AWS ARN for STS role to be assumed when interacting with the account specified.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_aws_secret_backend":{"version":1,"block":{"attributes":{"access_key":{"type":"string","description":"The AWS Access Key ID to use when generating new credentials.","description_kind":"plain","optional":true,"sensitive":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"iam_endpoint":{"type":"string","description":"Specifies a custom HTTP IAM endpoint to use.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity_token_audience":{"type":"string","description":"The audience claim value.","description_kind":"plain","optional":true},"identity_token_key":{"type":"string","description":"The key to use for signing identity tokens.","description_kind":"plain","optional":true},"identity_token_ttl":{"type":"number","description":"The TTL of generated identity tokens in seconds.","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Specifies if the secret backend is local only","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to mount the backend at.","description_kind":"plain","optional":true},"region":{"type":"string","description":"The AWS region to make API calls against. Defaults to us-east-1.","description_kind":"plain","optional":true,"computed":true},"role_arn":{"type":"string","description":"Role ARN to assume for plugin identity token federation.","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"The AWS Secret Access Key to use when generating new credentials.","description_kind":"plain","optional":true,"sensitive":true},"sts_endpoint":{"type":"string","description":"Specifies a custom HTTP STS endpoint to use.","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_aws_secret_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the AWS Secret Backend the role belongs to.","description_kind":"plain","required":true},"credential_type":{"type":"string","description":"Role credential type.","description_kind":"plain","required":true},"default_sts_ttl":{"type":"number","description":"The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.","description_kind":"plain","optional":true,"computed":true},"external_id":{"type":"string","description":"External ID to set for assume role creds.","description_kind":"plain","optional":true},"iam_groups":{"type":["set","string"],"description":"A list of IAM group names. 
IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.","description_kind":"plain","optional":true},"iam_tags":{"type":["map","string"],"description":"A map of strings representing key/value pairs used as tags for any IAM user created by this role.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_sts_ttl":{"type":"number","description":"The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name for the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"permissions_boundary_arn":{"type":"string","description":"The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.","description_kind":"plain","optional":true},"policy_arns":{"type":["set","string"],"description":"ARN for an existing IAM policy the role should use.","description_kind":"plain","optional":true},"policy_document":{"type":"string","description":"IAM policy the role should use in JSON format.","description_kind":"plain","optional":true},"role_arns":{"type":["set","string"],"description":"ARNs of AWS roles allowed to be assumed. 
Only valid when credential_type is 'assumed_role'","description_kind":"plain","optional":true},"session_tags":{"type":["map","string"],"description":"Session tags to be set for assume role creds created.","description_kind":"plain","optional":true},"user_path":{"type":"string","description":"The path for the user name. Valid only when credential_type is iam_user. Default is /","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_secret_backend_static_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path where the AWS secrets backend is mounted.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"rotation_period":{"type":"number","description":"How often Vault should rotate the password of the user entry.","description_kind":"plain","required":true},"username":{"type":"string","description":"The username of the existing AWS IAM user to manage password rotation for.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_azure_auth_backend_config":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"client_id":{"type":"string","description":"The client id for credentials to query the Azure APIs. 
Currently read permissions to query compute resources are required.","description_kind":"plain","optional":true,"sensitive":true},"client_secret":{"type":"string","description":"The client secret for credentials to query the Azure APIs","description_kind":"plain","optional":true,"sensitive":true},"environment":{"type":"string","description":"The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity_token_audience":{"type":"string","description":"The audience claim value.","description_kind":"plain","optional":true},"identity_token_ttl":{"type":"number","description":"The TTL of generated identity tokens in seconds.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"resource":{"type":"string","description":"The configured URL for the application registered in Azure Active Directory.","description_kind":"plain","required":true},"tenant_id":{"type":"string","description":"The tenant id for the Azure Active Directory organization.","description_kind":"plain","required":true,"sensitive":true}},"description_kind":"plain"}},"vault_azure_auth_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"bound_group_ids":{"type":["list","string"],"description":"The list of group ids that login is restricted to.","description_kind":"plain","optional":true},"bound_locations":{"type":["list","string"],"description":"The list of locations that login is restricted to.","description_kind":"plain","optional":true},"bound_resource_groups":{"type":["list","string"],"description":"The list of resource groups that login is 
restricted to.","description_kind":"plain","optional":true},"bound_scale_sets":{"type":["list","string"],"description":"The list of scale set names that the login is restricted to.","description_kind":"plain","optional":true},"bound_service_principal_ids":{"type":["list","string"],"description":"The list of Service Principal IDs that login is restricted to.","description_kind":"plain","optional":true},"bound_subscription_ids":{"type":["list","string"],"description":"The list of subscription IDs that login is restricted to.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's 
Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_azure_secret_backend":{"version":1,"block":{"attributes":{"client_id":{"type":"string","description":"The client id for credentials to query the Azure APIs. Currently read permissions to query compute resources are required.","description_kind":"plain","optional":true,"sensitive":true},"client_secret":{"type":"string","description":"The client secret for credentials to query the Azure APIs","description_kind":"plain","optional":true,"sensitive":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"environment":{"type":"string","description":"The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity_token_audience":{"type":"string","description":"The audience claim value.","description_kind":"plain","optional":true},"identity_token_key":{"type":"string","description":"The key to use for signing identity tokens.","description_kind":"plain","optional":true},"identity_token_ttl":{"type":"number","description":"The TTL of generated identity tokens in seconds.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to mount the backend at.","description_kind":"plain","optional":true},"subscription_id":{"type":"string","description":"The subscription id for the Azure Active Directory.","description_kind":"plain","required":true,"sensitive":true},"tenant_id":{"type":"string","description":"The tenant id for the Azure Active Directory organization.","description_kind":"plain","required":true,"sensitive":true},"use_microsoft_graph_api":{"type":"bool","description":"Use the Microsoft Graph API. Should be set to true on vault-1.10+","description_kind":"plain","deprecated":true,"optional":true,"computed":true}},"description_kind":"plain"}},"vault_azure_secret_backend_role":{"version":0,"block":{"attributes":{"application_object_id":{"type":"string","description":"Application Object ID for an existing service principal that will be used instead of creating dynamic service principals.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"permanently_delete":{"type":"bool","description":"Indicates whether the applications and service principals created by Vault will be permanently deleted when the corresponding leases expire.","description_kind":"plain","optional":true,"computed":true},"role":{"type":"string","description":"Name of the role to create","description_kind":"plain","required":true},"sign_in_audience":{"type":"string","description":"Specifies the security principal types that are allowed to sign in to the application. Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount","description_kind":"plain","optional":true},"tags":{"type":["list","string"],"description":"Comma-separated strings of Azure tags to attach to an application.","description_kind":"plain","optional":true},"ttl":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true}},"block_types":{"azure_groups":{"nesting_mode":"set","block":{"attributes":{"group_name":{"type":"string","description_kind":"plain","required":true},"object_id":{"type":"string","description_kind":"plain","computed":true}},"description_kind":"plain"}},"azure_roles":{"nesting_mode":"set","block":{"attributes":{"role_id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"role_name":{"type":"string","description_kind":"plain","optional":true,"computed":true},"scope":{"type":"string","description_kind":"plain","required":true}},"description_kind":"plain"}}},"description_kind":"plain"}},"vault_cert_auth_backend_role":{"version":1,"block":{"attributes":{"allowed_common_names":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"allowed_dns_sans":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"allowed_email_sans":{"type":["set","string"],"description_kind":"plain","op
tional":true,"computed":true},"allowed_names":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"allowed_organizational_units":{"type":["set","string"],"description_kind":"plain","optional":true},"allowed_uri_sans":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"backend":{"type":"string","description_kind":"plain","optional":true},"certificate":{"type":"string","description_kind":"plain","required":true},"display_name":{"type":"string","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"ocsp_ca_certificates":{"type":"string","description":"Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data.","description_kind":"plain","optional":true},"ocsp_enabled":{"type":"bool","description":"If enabled, validate certificates' revocation status using OCSP.","description_kind":"plain","optional":true,"computed":true},"ocsp_fail_open":{"type":"bool","description":"If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked.","description_kind":"plain","optional":true,"computed":true},"ocsp_query_all_servers":{"type":"bool","description":"If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree.","description_kind":"plain","optional":true,"computed":true},"ocsp_servers_override":{"type":["set","string"],"description":"A comma-separated list of OCSP server addresses. 
If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected.","description_kind":"plain","optional":true},"required_extensions":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_config_ui_custom_message":{"version":0,"block":{"attributes":{"authenticated":{"type":"bool","description":"A flag indicating whether the custom message is displayed pre-login (false) or post-login (true)","description_kind":"plain","optional":true},"end_time":{"type":"string","description":"The ending time of the active period 
of the custom message. Can be omitted for non-expiring message","description_kind":"plain","optional":true},"id":{"type":"string","description":"The unique ID for the custom message","description_kind":"plain","computed":true},"message_base64":{"type":"string","description":"The base64-encoded content of the custom message","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"A map containing additional options for the custom message","description_kind":"plain","optional":true},"start_time":{"type":"string","description":"The starting time of the active period of the custom message","description_kind":"plain","required":true},"title":{"type":"string","description":"The title of the custom message","description_kind":"plain","required":true},"type":{"type":"string","description":"The display type of custom message. Allowed values are banner and modal","description_kind":"plain","optional":true}},"block_types":{"link":{"nesting_mode":"set","block":{"attributes":{"href":{"type":"string","description":"The URL of the hyperlink","description_kind":"plain","required":true},"title":{"type":"string","description":"The title of the hyperlink","description_kind":"plain","required":true}},"description":"A block containing a hyperlink associated with the custom message","description_kind":"plain"},"max_items":1}},"description_kind":"plain"}},"vault_consul_secret_backend":{"version":1,"block":{"attributes":{"address":{"type":"string","description":"Specifies the address of the Consul instance, provided as \"host:port\" like \"127.0.0.1:8500\".","description_kind":"plain","required":true},"bootstrap":{"type":"bool","description":"Denotes a backend resource that is used to bootstrap the Consul ACL system. 
Only one resource may be used to bootstrap.","description_kind":"plain","optional":true},"ca_cert":{"type":"string","description":"CA certificate to use when verifying Consul server certificate, must be x509 PEM encoded.","description_kind":"plain","optional":true},"client_cert":{"type":"string","description":"Client certificate used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_key.","description_kind":"plain","optional":true,"sensitive":true},"client_key":{"type":"string","description":"Client key used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert.","description_kind":"plain","optional":true,"sensitive":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Specifies if the secret backend is local only","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Unique name of the Vault Consul mount to configure","description_kind":"plain","optional":true},"scheme":{"type":"string","description":"Specifies the URL scheme to use. 
Defaults to \"http\".","description_kind":"plain","optional":true},"token":{"type":"string","description":"Specifies the Consul token to use when managing or issuing new tokens.","description_kind":"plain","optional":true,"sensitive":true}},"description_kind":"plain"}},"vault_consul_secret_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the Consul Secret Backend the role belongs to.","description_kind":"plain","optional":true},"consul_namespace":{"type":"string","description":"The Consul namespace that the token will be created in. Applicable for Vault 1.10+ and Consul 1.7+","description_kind":"plain","optional":true,"computed":true},"consul_policies":{"type":["set","string"],"description":"List of Consul policies to associate with this role","description_kind":"plain","optional":true},"consul_roles":{"type":["set","string"],"description":"Set of Consul roles to attach to the token. Applicable for Vault 1.10+ with Consul 1.5+","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Indicates that the token should not be replicated globally and instead be local to the current datacenter.","description_kind":"plain","optional":true},"max_ttl":{"type":"number","description":"Maximum TTL for leases associated with this role, in seconds.","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of an existing role against which to create this Consul credential","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"node_identities":{"type":["set","string"],"description":"Set of Consul node identities to attach to\n\t\t\t\tthe token. 
Applicable for Vault 1.11+ with Consul 1.8+","description_kind":"plain","optional":true},"partition":{"type":"string","description":"The Consul admin partition that the token will be created in. Applicable for Vault 1.10+ and Consul 1.11+","description_kind":"plain","optional":true,"computed":true},"policies":{"type":["list","string"],"description":"List of Consul policies to associate with this role","description_kind":"plain","optional":true},"service_identities":{"type":["set","string"],"description":"Set of Consul service identities to attach to\n\t\t\t\tthe token. Applicable for Vault 1.11+ with Consul 1.5+","description_kind":"plain","optional":true},"ttl":{"type":"number","description":"Specifies the TTL for this role.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_database_secret_backend_connection":{"version":0,"block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the Vault mount to configure.","description_kind":"plain","required":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"block_types":{"cassandra":{"nesting_mode":"list","block":{"attributes":{"connect_timeout":{"type":"number","description":"The number of seconds to use as a connection timeout.","description_kind":"plain","optional":true},"hosts":{"type":["list","string"],"description":"Cassandra hosts to connect to.","description_kind":"plain","optional":true},"insecure_tls":{"type":"bool","description":"Whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The password to use when authenticating with Cassandra.","description_kind":"plain","optional":true,"sensitive":true},"pem_bundle":{"type":"string","description":"Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"pem_json":{"type":"string","description":"Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"port":{"type":"number","description":"The transport port to use to connect to Cassandra.","description_kind":"plain","optional":true},"protocol_version":{"type":"number","description":"The CQL protocol version to use.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Whether to use TLS when 
connecting to Cassandra.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The username to use when authenticating with Cassandra.","description_kind":"plain","optional":true}},"description":"Connection parameters for the cassandra-database-plugin plugin.","description_kind":"plain"},"max_items":1},"couchbase":{"nesting_mode":"list","block":{"attributes":{"base64_pem":{"type":"string","description":"Required if `tls` is `true`. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded.","description_kind":"plain","optional":true,"sensitive":true},"bucket_name":{"type":"string","description":"Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server.","description_kind":"plain","optional":true},"hosts":{"type":["list","string"],"description":"A set of Couchbase URIs to connect to. Must use `couchbases://` scheme if `tls` is `true`.","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":" Specifies whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"tls":{"type":"bool","description":"Specifies whether to use TLS when connecting to Couchbase.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username for Vault to use.","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true}},"description":"Connection parameters for the couchbase-database-plugin 
plugin.","description_kind":"plain"},"max_items":1},"elasticsearch":{"nesting_mode":"list","block":{"attributes":{"ca_cert":{"type":"string","description":"The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity","description_kind":"plain","optional":true},"ca_path":{"type":"string","description":"The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity","description_kind":"plain","optional":true},"client_cert":{"type":"string","description":"The path to the certificate for the Elasticsearch client to present for communication","description_kind":"plain","optional":true},"client_key":{"type":"string","description":"The path to the key for the Elasticsearch client to use for communication","description_kind":"plain","optional":true},"insecure":{"type":"bool","description":"Whether to disable certificate verification","description_kind":"plain","optional":true},"password":{"type":"string","description":"The password to be used in the connection URL","description_kind":"plain","required":true,"sensitive":true},"tls_server_name":{"type":"string","description":"This, if set, is used to set the SNI host when connecting via TLS","description_kind":"plain","optional":true},"url":{"type":"string","description":"The URL for Elasticsearch's API","description_kind":"plain","required":true},"username":{"type":"string","description":"The username to be used in the connection URL","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true}},"description":"Connection parameters for the elasticsearch-database-plugin.","description_kind":"plain"},"max_items":1},"hana":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the 
database.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true}},"description":"Connection parameters for the hana-database-plugin plugin.","description_kind":"plain"},"max_items":1},"influxdb":{"nesting_mode":"list","block":{"attributes":{"connect_timeout":{"type":"number","description":"The number of seconds to use as a connection timeout.","description_kind":"plain","optional":true},"host":{"type":"string","description":"Influxdb host to connect to.","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":"Whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"pem_bundle":{"type":"string","description":"Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA 
certificate.","description_kind":"plain","optional":true,"sensitive":true},"pem_json":{"type":"string","description":"Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"port":{"type":"number","description":"The transport port to use to connect to Influxdb.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Whether to use TLS when connecting to Influxdb.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username to use for superuser access.","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true}},"description":"Connection parameters for the influxdb-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mongodb":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection 
URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mongodb-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mongodbatlas":{"nesting_mode":"list","block":{"attributes":{"private_key":{"type":"string","description":"The Private Programmatic API Key used to connect with MongoDB Atlas API.","description_kind":"plain","required":true,"sensitive":true},"project_id":{"type":"string","description":"The Project ID the Database User should be created within.","description_kind":"plain","required":true},"public_key":{"type":"string","description":"The Public Programmatic API Key used to authenticate with the MongoDB Atlas API.","description_kind":"plain","required":true}},"description":"Connection parameters for the mongodbatlas-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mssql":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"contained_db":{"type":"bool","description":"Set to true when the target is a Contained Database, e.g. 
AzureSQL.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mssql-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mysql":{"nesting_mode":"list","block":{"attributes":{"auth_type":{"type":"string","description":"Specify alternative authorization type. 
(Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mysql_aurora":{"nesting_mode":"list","block":{"attributes":{"auth_type":{"type":"string","description":"Specify alternative authorization type. 
(Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-aurora-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mysql_legacy":{"nesting_mode":"list","block":{"attributes":{"auth_type":{"type":"string","description":"Specify alternative authorization type. 
(Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-legacy-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mysql_rds":{"nesting_mode":"list","block":{"attributes":{"auth_type":{"type":"string","description":"Specify alternative authorization type. 
(Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-rds-database-plugin plugin.","description_kind":"plain"},"max_items":1},"oracle":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"disconnect_sessions":{"type":"bool","description":"Set to true to disconnect any open sessions prior to running the revocation statements.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"split_statements":{"type":"bool","description":"Set to true in order to split statements after semi-colons.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation 
template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the oracle-database-plugin plugin.","description_kind":"plain"},"max_items":1},"postgresql":{"nesting_mode":"list","block":{"attributes":{"auth_type":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the postgresql-database-plugin plugin.","description_kind":"plain"},"max_items":1},"redis":{"nesting_mode":"list","block":{"attributes":{"ca_cert":{"type":"string","description":"The 
contents of a PEM-encoded CA cert file to use to verify the Redis server's identity.","description_kind":"plain","optional":true},"host":{"type":"string","description":"Specifies the host to connect to","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":"Specifies whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"port":{"type":"number","description":"The transport port to use to connect to Redis.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Specifies whether to use TLS when connecting to Redis.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username for Vault to use.","description_kind":"plain","required":true}},"description":"Connection parameters for the redis-database-plugin plugin.","description_kind":"plain"},"max_items":1},"redis_elasticache":{"nesting_mode":"list","block":{"attributes":{"password":{"type":"string","description":"The AWS secret key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead.","description_kind":"plain","optional":true,"sensitive":true},"region":{"type":"string","description":"The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment.","description_kind":"plain","optional":true},"url":{"type":"string","description":"The configuration endpoint for the ElastiCache cluster to connect to.","description_kind":"plain","required":true},"username":{"type":"string","description":"The AWS access key id to use to talk to ElastiCache. 
If omitted the credentials chain provider is used instead.","description_kind":"plain","optional":true,"sensitive":true}},"description":"Connection parameters for the redis-elasticache-database-plugin plugin.","description_kind":"plain"},"max_items":1},"redshift":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the redshift-database-plugin plugin.","description_kind":"plain"},"max_items":1},"snowflake":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be 
reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the snowflake-database-plugin plugin.","description_kind":"plain"},"max_items":1}},"description_kind":"plain"}},"vault_database_secret_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the Database Secret Backend the role belongs to.","description_kind":"plain","required":true},"creation_statements":{"type":["list","string"],"description":"Database statements to execute to create and configure a user.","description_kind":"plain","required":true},"credential_config":{"type":["map","string"],"description":"Specifies the configuration for the given credential_type.","description_kind":"plain","optional":true},"credential_type":{"type":"string","description":"Specifies the type of credential that will be generated for the role.","description_kind":"plain","optional":true,"computed":true},"db_name":{"type":"string","description":"Database connection to use for this role.","description_kind":"plain","required":true},"default_ttl":{"type":"number","description":"Default TTL for leases associated with this role, in 
seconds.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"Maximum TTL for leases associated with this role, in seconds.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Unique name for the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"renew_statements":{"type":["list","string"],"description":"Database statements to execute to renew a user.","description_kind":"plain","optional":true},"revocation_statements":{"type":["list","string"],"description":"Database statements to execute to revoke a user.","description_kind":"plain","optional":true},"rollback_statements":{"type":["list","string"],"description":"Database statements to execute to rollback a create operation in the event of an error.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_database_secret_backend_static_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the Database Secret Backend the role belongs to.","description_kind":"plain","required":true},"db_name":{"type":"string","description":"Database connection to use for this role.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name for the static role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"rotation_period":{"type":"number","description":"The amount of time Vault should wait before rotating the password, in seconds.","description_kind":"plain","optional":true},"rotation_schedule":{"type":"string","description":"A cron-style string that will define the schedule on which rotations should occur.","description_kind":"plain","optional":true},"rotation_statements":{"type":["list","string"],"description":"Database statements to execute to rotate the password for the configured database user.","description_kind":"plain","optional":true},"rotation_window":{"type":"number","description":"The amount of time in seconds in which the rotations are allowed to occur starting from a given rotation_schedule.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The database username that this role corresponds to.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_database_secrets_mount":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"Accessor of the mount","description_kind":"plain","computed":true},"allowed_managed_keys":{"type":["set","string"],"description":"List of managed key registry entry names that the mount in question is allowed to access","description_kind":"plain","optional":true},"allowed_response_headers":{"type":["list","string"],"description":"List of headers to allow and pass from the request to the plugin","description_kind":"plain","optional":true},"audit_non_hmac_request_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.","description_kind":"plain","optional":true,"computed":true},"audit_non_hmac_response_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data 
object.","description_kind":"plain","optional":true,"computed":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"delegated_auth_accessors":{"type":["list","string"],"description":"List of headers to allow and pass from the request to the plugin","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount","description_kind":"plain","optional":true},"engine_count":{"type":"number","description":"Total number of database secret engines configured under the mount.","description_kind":"plain","computed":true},"external_entropy_access":{"type":"bool","description":"Enable the secrets engine to access Vault's external entropy source","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity_token_key":{"type":"string","description":"The key to use for signing plugin workload identity tokens","description_kind":"plain","optional":true},"listing_visibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint","description_kind":"plain","optional":true},"local":{"type":"bool","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"Specifies mount type specific options that are passed to the backend","description_kind":"plain","optional":true},"passthrough_request_headers":{"type":["list","string"],"description":"List of headers to allow and pass from the request to the plugin","description_kind":"plain","optional":true},"path":{"type":"string","description":"Where the secret backend will be mounted","description_kind":"plain","required":true},"plugin_version":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'","description_kind":"plain","optional":true},"seal_wrap":{"type":"bool","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","description_kind":"plain","optional":true,"computed":true}},"block_types":{"cassandra":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connect_timeout":{"type":"number","description":"The number of seconds to use as a connection timeout.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"hosts":{"type":["list","string"],"description":"Cassandra hosts to connect to.","description_kind":"plain","optional":true},"insecure_tls":{"type":"bool","description":"Whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The password to use when authenticating with Cassandra.","description_kind":"plain","optional":true,"sensitive":true},"pem_bundle":{"type":"string","description":"Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"pem_json":{"type":"string","description":"Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"port":{"type":"number","description":"The transport port to use to connect to Cassandra.","description_kind":"plain","optional":true},"protocol_version":{"type":"number","description":"The CQL protocol version to use.","description_kind":"plain","optional":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Whether to use TLS when connecting to Cassandra.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The username to use when authenticating with Cassandra.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the cassandra-database-plugin plugin.","description_kind":"plain"}},"couchbase":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"base64_pem":{"type":"string","description":"Required if `tls` is `true`. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded.","description_kind":"plain","optional":true,"sensitive":true},"bucket_name":{"type":"string","description":"Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"hosts":{"type":["list","string"],"description":"A set of Couchbase URIs to connect to. Must use `couchbases://` scheme if `tls` is `true`.","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":" Specifies whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Specifies whether to use TLS when connecting to Couchbase.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username for Vault to use.","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the couchbase-database-plugin plugin.","description_kind":"plain"}},"elasticsearch":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of 
roles that are allowed to use this connection.","description_kind":"plain","optional":true},"ca_cert":{"type":"string","description":"The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity","description_kind":"plain","optional":true},"ca_path":{"type":"string","description":"The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity","description_kind":"plain","optional":true},"client_cert":{"type":"string","description":"The path to the certificate for the Elasticsearch client to present for communication","description_kind":"plain","optional":true},"client_key":{"type":"string","description":"The path to the key for the Elasticsearch client to use for communication","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"insecure":{"type":"bool","description":"Whether to disable certificate verification","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The password to be used in the connection URL","description_kind":"plain","required":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"tls_server_name":{"type":"string","description":"This, if set, is used to set the SNI host when connecting via TLS","description_kind":"plain","optional":true},"url":{"type":"string","description":"The URL for Elasticsearch's API","description_kind":"plain","required":true},"username":{"type":"string","description":"The username to be used in the connection URL","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the elasticsearch-database-plugin.","description_kind":"plain"}},"hana":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the hana-database-plugin plugin.","description_kind":"plain"}},"influxdb":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connect_timeout":{"type":"number","description":"The number of seconds to use as a connection timeout.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"host":{"type":"string","description":"Influxdb host to connect to.","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":"Whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"pem_bundle":{"type":"string","description":"Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"pem_json":{"type":"string","description":"Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"port":{"type":"number","description":"The transport port to use to connect to Influxdb.","description_kind":"plain","optional":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Whether to use TLS when connecting to Influxdb.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username to use for superuser access.","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the influxdb-database-plugin plugin.","description_kind":"plain"}},"mongodb":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mongodb-database-plugin plugin.","description_kind":"plain"}},"mongodbatlas":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this 
connection.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"private_key":{"type":"string","description":"The Private Programmatic API Key used to connect with MongoDB Atlas API.","description_kind":"plain","required":true,"sensitive":true},"project_id":{"type":"string","description":"The Project ID the Database User should be created within.","description_kind":"plain","required":true},"public_key":{"type":"string","description":"The Public Programmatic API Key used to authenticate with the MongoDB Atlas API.","description_kind":"plain","required":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mongodbatlas-database-plugin plugin.","description_kind":"plain"}},"mssql":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"contained_db":{"type":"bool","description":"Set to true when 
the target is a Contained Database, e.g. AzureSQL.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mssql-database-plugin plugin.","description_kind":"plain"}},"mysql":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"auth_type":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-database-plugin plugin.","description_kind":"plain"}},"mysql_aurora":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"auth_type":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-aurora-database-plugin plugin.","description_kind":"plain"}},"mysql_legacy":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"auth_type":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-legacy-database-plugin plugin.","description_kind":"plain"}},"mysql_rds":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"auth_type":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-rds-database-plugin plugin.","description_kind":"plain"}},"oracle":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"disconnect_sessions":{"type":"bool","description":"Set to true to disconnect any open sessions prior to running the revocation statements.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"split_statements":{"type":"bool","description":"Set to true in order to split statements after semi-colons.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the oracle-database-plugin plugin.","description_kind":"plain"}},"postgresql":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"auth_type":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the postgresql-database-plugin plugin.","description_kind":"plain"}},"redis":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"ca_cert":{"type":"string","description":"The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"host":{"type":"string","description":"Specifies the host to connect to","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":"Specifies whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"port":{"type":"number","description":"The transport port to use to connect to Redis.","description_kind":"plain","optional":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Specifies whether to use TLS when connecting to Redis.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username for Vault to use.","description_kind":"plain","required":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the redis-database-plugin plugin.","description_kind":"plain"}},"redis_elasticache":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this 
connection.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The AWS secret key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead.","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"region":{"type":"string","description":"The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment.","description_kind":"plain","optional":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"url":{"type":"string","description":"The configuration endpoint for the ElastiCache cluster to connect to.","description_kind":"plain","required":true},"username":{"type":"string","description":"The AWS access key id to use to talk to ElastiCache. 
If omitted the credentials chain provider is used instead.","description_kind":"plain","optional":true,"sensitive":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the redis-elasticache-database-plugin plugin.","description_kind":"plain"}},"redshift":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the redshift-database-plugin plugin.","description_kind":"plain"}},"snowflake":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the snowflake-database-plugin plugin.","description_kind":"plain"}}},"description_kind":"plain"}},"vault_egp_policy":{"version":0,"block":{"attributes":{"enforcement_level":{"type":"string","description":"Enforcement level of Sentinel policy. 
Can be one of: 'advisory', 'soft-mandatory' or 'hard-mandatory'","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the policy","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"paths":{"type":["list","string"],"description":"List of paths to which the policy will be applied","description_kind":"plain","required":true},"policy":{"type":"string","description":"The policy document","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_gcp_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor of the auth backend","description_kind":"plain","computed":true},"client_email":{"type":"string","description_kind":"plain","optional":true,"computed":true},"client_id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"credentials":{"type":"string","description_kind":"plain","optional":true,"sensitive":true},"description":{"type":"string","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity_token_audience":{"type":"string","description":"The audience claim value for plugin identity tokens.","description_kind":"plain","optional":true},"identity_token_key":{"type":"string","description":"The key to use for signing identity tokens.","description_kind":"plain","optional":true},"identity_token_ttl":{"type":"number","description":"The TTL of generated tokens.","description_kind":"plain","optional":true},"local":{"type":"bool","description":"Specifies if the auth method is local 
only","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description_kind":"plain","optional":true},"private_key_id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"project_id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"service_account_email":{"type":"string","description":"Service Account to impersonate for plugin workload identity federation.","description_kind":"plain","optional":true},"tune":{"type":["set",["object",{"allowed_response_headers":["list","string"],"audit_non_hmac_request_keys":["list","string"],"audit_non_hmac_response_keys":["list","string"],"default_lease_ttl":"string","listing_visibility":"string","max_lease_ttl":"string","passthrough_request_headers":["list","string"],"token_type":"string"}]],"description_kind":"plain","optional":true,"computed":true}},"block_types":{"custom_endpoint":{"nesting_mode":"list","block":{"attributes":{"api":{"type":"string","description":"Replaces the service endpoint used in API requests to https://www.googleapis.com.","description_kind":"plain","optional":true},"compute":{"type":"string","description":"Replaces the service endpoint used in API requests to `https://compute.googleapis.com`.","description_kind":"plain","optional":true},"crm":{"type":"string","description":"Replaces the service endpoint used in API requests to `https://cloudresourcemanager.googleapis.com`.","description_kind":"plain","optional":true},"iam":{"type":"string","description":"Replaces the service endpoint used in API requests to `https://iam.googleapis.com`.","description_kind":"plain","optional":true}},"description":"Specifies overrides to service endpoints used when making API requests to 
GCP.","description_kind":"plain"},"max_items":1}},"description_kind":"plain"}},"vault_gcp_auth_backend_role":{"version":1,"block":{"attributes":{"add_group_aliases":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"allow_gce_inference":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"backend":{"type":"string","description_kind":"plain","optional":true},"bound_instance_groups":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"bound_labels":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"bound_projects":{"type":["set","string"],"description_kind":"plain","optional":true},"bound_regions":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"bound_service_accounts":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"bound_zones":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_jwt_exp":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true},"type":{"type":"string","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_gcp_secret_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"Accessor of the created GCP mount.","description_kind":"plain","computed":true},"credentials":{"type":"string","description":"JSON-encoded credentials to use to connect to 
GCP","description_kind":"plain","optional":true,"sensitive":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity_token_audience":{"type":"string","description":"The audience claim value for plugin identity tokens.","description_kind":"plain","optional":true},"identity_token_key":{"type":"string","description":"The key to use for signing identity tokens.","description_kind":"plain","optional":true},"identity_token_ttl":{"type":"number","description":"The TTL of generated tokens.","description_kind":"plain","optional":true},"local":{"type":"bool","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to mount the backend at.","description_kind":"plain","optional":true},"service_account_email":{"type":"string","description":"Service Account to impersonate for plugin workload identity federation.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_gcp_secret_impersonated_account":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Path where the GCP secrets engine is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"impersonated_account":{"type":"string","description":"Name of the Impersonated Account to create","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"service_account_email":{"type":"string","description":"Email of the GCP service account.","description_kind":"plain","required":true},"service_account_project":{"type":"string","description":"Project of the GCP Service Account managed by this impersonated account","description_kind":"plain","computed":true},"token_scopes":{"type":["set","string"],"description":"List of OAuth scopes to assign to `access_token` secrets generated under this impersonated account (`access_token` impersonated accounts only) ","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_gcp_secret_roleset":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Path where the GCP secrets engine is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"project":{"type":"string","description":"Name of the GCP project that this roleset's service account will belong to.","description_kind":"plain","required":true},"roleset":{"type":"string","description":"Name of the RoleSet to create","description_kind":"plain","required":true},"secret_type":{"type":"string","description":"Type of secret generated for this role set. Defaults to `access_token`. Accepted values: `access_token`, `service_account_key`","description_kind":"plain","optional":true,"computed":true},"service_account_email":{"type":"string","description":"Email of the service account created by Vault for this Roleset","description_kind":"plain","computed":true},"token_scopes":{"type":["set","string"],"description":"List of OAuth scopes to assign to `access_token` secrets generated under this role set (`access_token` role sets only) ","description_kind":"plain","optional":true}},"block_types":{"binding":{"nesting_mode":"set","block":{"attributes":{"resource":{"type":"string","description":"Resource name","description_kind":"plain","required":true},"roles":{"type":["set","string"],"description":"List of roles to apply to the resource","description_kind":"plain","required":true}},"description_kind":"plain"},"min_items":1}},"description_kind":"plain"}},"vault_gcp_secret_static_account":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Path where the GCP secrets engine is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"secret_type":{"type":"string","description":"Type of secret generated for this static account. Defaults to `access_token`. 
Accepted values: `access_token`, `service_account_key`","description_kind":"plain","optional":true,"computed":true},"service_account_email":{"type":"string","description":"Email of the GCP service account.","description_kind":"plain","required":true},"service_account_project":{"type":"string","description":"Project of the GCP Service Account managed by this static account","description_kind":"plain","computed":true},"static_account":{"type":"string","description":"Name of the Static Account to create","description_kind":"plain","required":true},"token_scopes":{"type":["set","string"],"description":"List of OAuth scopes to assign to `access_token` secrets generated under this static account (`access_token` static accounts only) ","description_kind":"plain","optional":true}},"block_types":{"binding":{"nesting_mode":"set","block":{"attributes":{"resource":{"type":"string","description":"Resource name","description_kind":"plain","required":true},"roles":{"type":["set","string"],"description":"List of roles to apply to the resource","description_kind":"plain","required":true}},"description_kind":"plain"}}},"description_kind":"plain"}},"vault_generic_endpoint":{"version":1,"block":{"attributes":{"data_json":{"type":"string","description":"JSON-encoded data to write.","description_kind":"plain","required":true,"sensitive":true},"disable_delete":{"type":"bool","description":"Don't attempt to delete the path from Vault if true","description_kind":"plain","optional":true},"disable_read":{"type":"bool","description":"Don't attempt to read the path from Vault if true; drift won't be detected","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ignore_absent_fields":{"type":"bool","description":"When reading, disregard fields not present in data_json","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where to the endpoint that will be written","description_kind":"plain","required":true},"write_data":{"type":["map","string"],"description":"Map of strings returned by write operation","description_kind":"plain","computed":true},"write_data_json":{"type":"string","description":"JSON data returned by write operation","description_kind":"plain","computed":true},"write_fields":{"type":["list","string"],"description":"Top-level fields returned by write to persist in state","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_generic_secret":{"version":1,"block":{"attributes":{"data":{"type":["map","string"],"description":"Map of strings read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data to write.","description_kind":"plain","required":true,"sensitive":true},"delete_all_versions":{"type":"bool","description":"Only applicable for kv-v2 stores. If set, permanently deletes all versions for the specified key.","description_kind":"plain","optional":true},"disable_read":{"type":"bool","description":"Don't attempt to read the token from Vault if true; drift won't be detected.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where the generic secret will be written.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_github_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The mount accessor related to the auth mount.","description_kind":"plain","computed":true},"base_url":{"type":"string","description":"The API endpoint to use. Useful if you are running GitHub Enterprise or an API-compatible authentication server.","description_kind":"plain","optional":true},"description":{"type":"string","description":"Specifies the description of the mount. This overrides the current stored value, if any.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"The organization users must be part of.","description_kind":"plain","required":true},"organization_id":{"type":"number","description":"The ID of the organization users must be part of. 
Vault will attempt to fetch and set this value if it is not provided (vault-1.10+)","description_kind":"plain","optional":true,"computed":true},"path":{"type":"string","description":"Path where the auth backend is mounted","description_kind":"plain","optional":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or 
batch","description_kind":"plain","optional":true},"tune":{"type":["set",["object",{"allowed_response_headers":["list","string"],"audit_non_hmac_request_keys":["list","string"],"audit_non_hmac_response_keys":["list","string"],"default_lease_ttl":"string","listing_visibility":"string","max_lease_ttl":"string","passthrough_request_headers":["list","string"],"token_type":"string"}]],"description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_github_team":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Auth backend to which team mapping will be configured.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["list","string"],"description":"Policies to be assigned to this team.","description_kind":"plain","optional":true},"team":{"type":"string","description":"GitHub team name in \"slugified\" format.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_github_user":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Auth backend to which user mapping will be congigured.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["list","string"],"description":"Policies to be assigned to this user.","description_kind":"plain","optional":true},"user":{"type":"string","description":"GitHub user name.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_identity_entity":{"version":0,"block":{"attributes":{"disabled":{"type":"bool","description":"Whether the entity is disabled. 
Disabled entities' associated tokens cannot be used, but are not revoked.","description_kind":"plain","optional":true},"external_policies":{"type":"bool","description":"Manage policies externally through `vault_identity_entity_policies`.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"metadata":{"type":["map","string"],"description":"Metadata to be associated with the entity.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the entity.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"Policies to be tied to the entity.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_entity_alias":{"version":0,"block":{"attributes":{"canonical_id":{"type":"string","description":"ID of the entity to which this is an alias.","description_kind":"plain","required":true},"custom_metadata":{"type":["map","string"],"description":"Custom metadata to be associated with this alias.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount_accessor":{"type":"string","description":"Mount accessor to which this alias belongs toMount accessor to which this alias belongs to.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the entity alias.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_entity_policies":{"version":0,"block":{"attributes":{"entity_id":{"type":"string","description":"ID of the entity.","description_kind":"plain","required":true},"entity_name":{"type":"string","description":"Name of the entity.","description_kind":"plain","computed":true},"exclusive":{"type":"bool","description":"Should the resource manage policies exclusively","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"Policies to be tied to the entity.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_identity_group":{"version":1,"block":{"attributes":{"external_member_entity_ids":{"type":"bool","description":"Manage member entities externally through `vault_identity_group_member_entity_ids`","description_kind":"plain","optional":true},"external_member_group_ids":{"type":"bool","description":"Manage member groups externally through `vault_identity_group_member_group_ids`","description_kind":"plain","optional":true},"external_policies":{"type":"bool","description":"Manage policies externally through `vault_identity_group_policies`, allows using group ID in assigned policies.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"member_entity_ids":{"type":["set","string"],"description":"Entity IDs to be assigned as group members.","description_kind":"plain","optional":true},"member_group_ids":{"type":["set","string"],"description":"Group IDs to be assigned as group members.","description_kind":"plain","optional":true},"metadata":{"type":["map","string"],"description":"Metadata to be associated with the 
group.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the group.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"Policies to be tied to the group.","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of the group, internal or external. Defaults to internal.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_group_alias":{"version":0,"block":{"attributes":{"canonical_id":{"type":"string","description":"ID of the group to which this is an alias.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount_accessor":{"type":"string","description":"Mount accessor to which this alias belongs to.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the group alias.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_group_member_entity_ids":{"version":0,"block":{"attributes":{"exclusive":{"type":"bool","description":"If set to true, allows the resource to manage member entity ids\nexclusively. Beware of race conditions when disabling exclusive management","description_kind":"plain","optional":true},"group_id":{"type":"string","description":"ID of the group.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"member_entity_ids":{"type":["set","string"],"description":"Entity IDs to be assigned as group members.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_group_member_group_ids":{"version":0,"block":{"attributes":{"exclusive":{"type":"bool","description":"If set to true, allows the resource to manage member group ids\nexclusively. Beware of race conditions when disabling exclusive management","description_kind":"plain","optional":true},"group_id":{"type":"string","description":"ID of the group.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"member_group_ids":{"type":["set","string"],"description":"Group IDs to be assigned as group members.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_group_policies":{"version":0,"block":{"attributes":{"exclusive":{"type":"bool","description":"Should the resource manage policies exclusively? Beware of race conditions when disabling exclusive management","description_kind":"plain","optional":true},"group_id":{"type":"string","description":"ID of the group.","description_kind":"plain","required":true},"group_name":{"type":"string","description":"Name of the group.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"Policies to be tied to the group.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_identity_mfa_duo":{"version":0,"block":{"attributes":{"api_hostname":{"type":"string","description":"API hostname for Duo","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"integration_key":{"type":"string","description":"Integration key for Duo","description_kind":"plain","required":true,"sensitive":true},"method_id":{"type":"string","description":"Method ID.","description_kind":"plain","computed":true},"mount_accessor":{"type":"string","description":"Mount accessor.","description_kind":"plain","computed":true},"name":{"type":"string","description":"Method name.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Method's namespace ID.","description_kind":"plain","computed":true},"namespace_path":{"type":"string","description":"Method's namespace path.","description_kind":"plain","computed":true},"push_info":{"type":"string","description":"Push information for Duo.","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"Secret key for Duo","description_kind":"plain","required":true,"sensitive":true},"type":{"type":"string","description":"MFA type.","description_kind":"plain","computed":true},"use_passcode":{"type":"bool","description":"Require passcode upon MFA validation.","description_kind":"plain","optional":true},"username_format":{"type":"string","description":"A template string for mapping Identity names to MFA methods.","description_kind":"plain","optional":true},"uuid":{"type":"string","description":"Resource 
UUID.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_mfa_login_enforcement":{"version":0,"block":{"attributes":{"auth_method_accessors":{"type":["set","string"],"description":"Set of auth method accessor IDs.","description_kind":"plain","optional":true},"auth_method_types":{"type":["set","string"],"description":"Set of auth method types.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity_entity_ids":{"type":["set","string"],"description":"Set of identity entity IDs.","description_kind":"plain","optional":true},"identity_group_ids":{"type":["set","string"],"description":"Set of identity group IDs.","description_kind":"plain","optional":true},"mfa_method_ids":{"type":["set","string"],"description":"Set of MFA method UUIDs.","description_kind":"plain","required":true},"name":{"type":"string","description":"Login enforcement name.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Method's namespace ID.","description_kind":"plain","computed":true},"namespace_path":{"type":"string","description":"Method's namespace path.","description_kind":"plain","computed":true},"uuid":{"type":"string","description":"Resource UUID.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_mfa_okta":{"version":0,"block":{"attributes":{"api_token":{"type":"string","description":"Okta API token.","description_kind":"plain","required":true,"sensitive":true},"base_url":{"type":"string","description":"The base domain to use for API requests.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"method_id":{"type":"string","description":"Method ID.","description_kind":"plain","computed":true},"mount_accessor":{"type":"string","description":"Mount accessor.","description_kind":"plain","computed":true},"name":{"type":"string","description":"Method name.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Method's namespace ID.","description_kind":"plain","computed":true},"namespace_path":{"type":"string","description":"Method's namespace path.","description_kind":"plain","computed":true},"org_name":{"type":"string","description":"Name of the organization to be used in the Okta API.","description_kind":"plain","required":true},"primary_email":{"type":"bool","description":"Only match the primary email for the account.","description_kind":"plain","optional":true},"type":{"type":"string","description":"MFA type.","description_kind":"plain","computed":true},"username_format":{"type":"string","description":"A template string for mapping Identity names to MFA methods.","description_kind":"plain","optional":true},"uuid":{"type":"string","description":"Resource UUID.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_mfa_pingid":{"version":0,"block":{"attributes":{"admin_url":{"type":"string","description":"The admin URL, derived from \"settings_file_base64\"","description_kind":"plain","computed":true},"authenticator_url":{"type":"string","description":"A unique identifier of the organization, derived from \"settings_file_base64\"","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"idp_url":{"type":"string","description":"The IDP URL, derived from \"settings_file_base64\"","description_kind":"plain","computed":true},"method_id":{"type":"string","description":"Method ID.","description_kind":"plain","computed":true},"mount_accessor":{"type":"string","description":"Mount accessor.","description_kind":"plain","computed":true},"name":{"type":"string","description":"Method name.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Method's namespace ID.","description_kind":"plain","computed":true},"namespace_path":{"type":"string","description":"Method's namespace path.","description_kind":"plain","computed":true},"org_alias":{"type":"string","description":"The name of the PingID client organization, derived from \"settings_file_base64\"","description_kind":"plain","computed":true},"settings_file_base64":{"type":"string","description":"A base64-encoded third-party settings contents as retrieved from PingID's configuration page.","description_kind":"plain","required":true},"type":{"type":"string","description":"MFA type.","description_kind":"plain","computed":true},"use_signature":{"type":"bool","description":"Use signature value, derived from \"settings_file_base64\"","description_kind":"plain","computed":true},"username_format":{"type":"string","description":"A template string for mapping Identity names to MFA methods.","description_kind":"plain","optional":true},"uuid":{"type":"string","description":"Resource UUID.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_mfa_totp":{"version":0,"block":{"attributes":{"algorithm":{"type":"string","description":"Specifies the hashing algorithm used to generate the TOTP code. Options include SHA1, SHA256, SHA512.","description_kind":"plain","optional":true},"digits":{"type":"number","description":"The number of digits in the generated TOTP token. 
This value can either be 6 or 8","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"The name of the key's issuing organization.","description_kind":"plain","required":true},"key_size":{"type":"number","description":"Specifies the size in bytes of the generated key.","description_kind":"plain","optional":true},"max_validation_attempts":{"type":"number","description":"The maximum number of consecutive failed validation attempts allowed.","description_kind":"plain","optional":true},"method_id":{"type":"string","description":"Method ID.","description_kind":"plain","computed":true},"mount_accessor":{"type":"string","description":"Mount accessor.","description_kind":"plain","computed":true},"name":{"type":"string","description":"Method name.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Method's namespace ID.","description_kind":"plain","computed":true},"namespace_path":{"type":"string","description":"Method's namespace path.","description_kind":"plain","computed":true},"period":{"type":"number","description":"The length of time in seconds used to generate a counter for the TOTP token calculation.","description_kind":"plain","optional":true},"qr_size":{"type":"number","description":"The pixel size of the generated square QR code.","description_kind":"plain","optional":true,"computed":true},"skew":{"type":"number","description":"The number of delay periods that are allowed when validating a TOTP token. 
This value can either be 0 or 1.","description_kind":"plain","optional":true},"type":{"type":"string","description":"MFA type.","description_kind":"plain","computed":true},"uuid":{"type":"string","description":"Resource UUID.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_oidc":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"Issuer URL to be used in the iss claim of the token. If not set, Vault's api_addr will be used. The issuer is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components, but no query or fragment components.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_assignment":{"version":0,"block":{"attributes":{"entity_ids":{"type":["set","string"],"description":"A list of Vault entity IDs.","description_kind":"plain","optional":true},"group_ids":{"type":["set","string"],"description":"A list of Vault group IDs.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the assignment.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_client":{"version":0,"block":{"attributes":{"access_token_ttl":{"type":"number","description":"The time-to-live for access tokens obtained by the client.","description_kind":"plain","optional":true,"computed":true},"assignments":{"type":["set","string"],"description":"A list of assignment resources associated with the client.","description_kind":"plain","optional":true},"client_id":{"type":"string","description":"The Client ID from Vault.","description_kind":"plain","computed":true},"client_secret":{"type":"string","description":"The Client Secret from Vault.","description_kind":"plain","computed":true,"sensitive":true},"client_type":{"type":"string","description":"The client type based on its ability to maintain confidentiality of credentials.Defaults to 'confidential'.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"id_token_ttl":{"type":"number","description":"The time-to-live for ID tokens obtained by the client. The value should be less than the verification_ttl on the key.","description_kind":"plain","optional":true,"computed":true},"key":{"type":"string","description":"A reference to a named key resource in Vault. This cannot be modified after creation.","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the client.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"redirect_uris":{"type":["set","string"],"description":"Redirection URI values used by the client. 
One of these values must exactly match the redirect_uri parameter value used in each authentication request.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_key":{"version":0,"block":{"attributes":{"algorithm":{"type":"string","description":"Signing algorithm to use. Signing algorithm to use. Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA.","description_kind":"plain","optional":true},"allowed_client_ids":{"type":["set","string"],"description":"Array of role client ids allowed to use this key for signing. If empty, no roles are allowed. If \"*\", all roles are allowed.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the key.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"rotation_period":{"type":"number","description":"How often to generate a new signing key in number of seconds","description_kind":"plain","optional":true},"verification_ttl":{"type":"number","description":"Controls how long the public portion of a signing key will be available for verification after being rotated in seconds.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_key_allowed_client_id":{"version":0,"block":{"attributes":{"allowed_client_id":{"type":"string","description":"Role Client ID allowed to use the key for signing.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_name":{"type":"string","description":"Name of the key.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_provider":{"version":0,"block":{"attributes":{"allowed_client_ids":{"type":["set","string"],"description":"The client IDs that are permitted to use the provider. If empty, no clients are allowed. If \"*\", all clients are allowed.","description_kind":"plain","optional":true},"https_enabled":{"type":"bool","description":"Set to true if the issuer endpoint uses HTTPS.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"Specifies what will be used as the 'scheme://host:port' component for the 'iss' claim of ID tokens.This value is computed using the issuer_host and https_enabled fields.","description_kind":"plain","computed":true},"issuer_host":{"type":"string","description":"The host for the issuer. Can be either host or host:port.","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of the provider.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"scopes_supported":{"type":["set","string"],"description":"The scopes available for requesting on the provider.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_role":{"version":0,"block":{"attributes":{"client_id":{"type":"string","description":"The value that will be included in the `aud` field of all the OIDC identity tokens issued by this role","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key":{"type":"string","description":"A configured named key, the key must already exist.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"template":{"type":"string","description":"The template string to use for generating tokens. This may be in string-ified JSON or base64 format.","description_kind":"plain","optional":true},"ttl":{"type":"number","description":"TTL of the tokens generated against the role in number of seconds.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_scope":{"version":0,"block":{"attributes":{"description":{"type":"string","description":"The scope's description.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the scope. The openid scope name is reserved.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"template":{"type":"string","description":"The template string for the scope. 
This may be provided as escaped JSON or base64 encoded JSON.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_jwt_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor of the JWT auth backend","description_kind":"plain","computed":true},"bound_issuer":{"type":"string","description":"The value against which to match the iss claim in a JWT","description_kind":"plain","optional":true},"default_role":{"type":"string","description":"The default role to use if none is provided during login","description_kind":"plain","optional":true},"description":{"type":"string","description":"The description of the auth backend","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"jwks_ca_pem":{"type":"string","description":"The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.","description_kind":"plain","optional":true},"jwks_url":{"type":"string","description":"JWKS URL to use to authenticate signatures. Cannot be used with 'oidc_discovery_url' or 'jwt_validation_pubkeys'.","description_kind":"plain","optional":true},"jwt_supported_algs":{"type":["list","string"],"description":"A list of supported signing algorithms. Defaults to [RS256]","description_kind":"plain","optional":true},"jwt_validation_pubkeys":{"type":["list","string"],"description":"A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with 'jwks_url' or 'oidc_discovery_url'. 
","description_kind":"plain","optional":true},"local":{"type":"bool","description":"Specifies if the auth method is local only","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"namespace_in_state":{"type":"bool","description":"Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs.","description_kind":"plain","optional":true},"oidc_client_id":{"type":"string","description":"Client ID used for OIDC","description_kind":"plain","optional":true},"oidc_client_secret":{"type":"string","description":"Client Secret used for OIDC","description_kind":"plain","optional":true,"sensitive":true},"oidc_discovery_ca_pem":{"type":"string","description":"The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used","description_kind":"plain","optional":true},"oidc_discovery_url":{"type":"string","description":"The OIDC Discovery URL, without any .well-known component (base path). Cannot be used with 'jwks_url' or 'jwt_validation_pubkeys'.","description_kind":"plain","optional":true},"oidc_response_mode":{"type":"string","description":"The response mode to be used in the OAuth2 request. Allowed values are 'query' and 'form_post'. Defaults to 'query'. If using Vault namespaces, and oidc_response_mode is 'form_post', then 'namespace_in_state' should be set to false.","description_kind":"plain","optional":true},"oidc_response_types":{"type":["list","string"],"description":"The response types to request. 
Allowed values are 'code' and 'id_token'. Defaults to 'code'. Note: 'id_token' may only be used if 'oidc_response_mode' is set to 'form_post'.","description_kind":"plain","optional":true},"path":{"type":"string","description":"path to mount the backend","description_kind":"plain","optional":true},"provider_config":{"type":["map","string"],"description":"Provider specific handling configuration","description_kind":"plain","optional":true},"tune":{"type":["set",["object",{"allowed_response_headers":["list","string"],"audit_non_hmac_request_keys":["list","string"],"audit_non_hmac_response_keys":["list","string"],"default_lease_ttl":"string","listing_visibility":"string","max_lease_ttl":"string","passthrough_request_headers":["list","string"],"token_type":"string"}]],"description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of backend. Can be either 'jwt' or 'oidc'","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_jwt_auth_backend_role":{"version":0,"block":{"attributes":{"allowed_redirect_uris":{"type":["set","string"],"description":"The list of allowed values for redirect_uri during OIDC logins.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"bound_audiences":{"type":["set","string"],"description":"List of aud claims to match against. Any match is sufficient.","description_kind":"plain","optional":true},"bound_claims":{"type":["map","string"],"description":"Map of claims/values to match against. 
The expected value may be a single string or a comma-separated string list.","description_kind":"plain","optional":true},"bound_claims_type":{"type":"string","description":"How to interpret values in the claims/values map: can be either \"string\" (exact match) or \"glob\" (wildcard match).","description_kind":"plain","optional":true,"computed":true},"bound_subject":{"type":"string","description":"If set, requires that the sub claim matches this value.","description_kind":"plain","optional":true},"claim_mappings":{"type":["map","string"],"description":"Map of claims (keys) to be copied to specified metadata fields (values).","description_kind":"plain","optional":true},"clock_skew_leeway":{"type":"number","description":"The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles.","description_kind":"plain","optional":true},"disable_bound_claims_parsing":{"type":"bool","description":"Disable bound claim value parsing. Useful when values contain commas.","description_kind":"plain","optional":true},"expiration_leeway":{"type":"number","description":"The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles.","description_kind":"plain","optional":true},"groups_claim":{"type":"string","description":"The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. 
The claim value must be a list of strings.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_age":{"type":"number","description":"Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"not_before_leeway":{"type":"number","description":"The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. ","description_kind":"plain","optional":true},"oidc_scopes":{"type":["set","string"],"description":"List of OIDC scopes to be used with an OIDC role. The standard scope \"openid\" is automatically included and need not be specified.","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"role_type":{"type":"string","description":"Type of role, either \"oidc\" (default) or \"jwt\"","description_kind":"plain","optional":true,"computed":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The 
maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true},"user_claim":{"type":"string","description":"The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login.","description_kind":"plain","required":true},"user_claim_json_pointer":{"type":"bool","description":"Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value will not use JSON pointer.","description_kind":"plain","optional":true},"verbose_oidc_logging":{"type":"bool","description":"Log received OIDC tokens and claims when debug-level logging is active. 
Not recommended in production since sensitive information may be present in OIDC responses.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kmip_secret_backend":{"version":1,"block":{"attributes":{"default_tls_client_key_bits":{"type":"number","description":"Client certificate key bits, valid values depend on key type","description_kind":"plain","optional":true,"computed":true},"default_tls_client_key_type":{"type":"string","description":"Client certificate key type, rsa or ec","description_kind":"plain","optional":true,"computed":true},"default_tls_client_ttl":{"type":"number","description":"Client certificate TTL in seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"listen_addrs":{"type":["set","string"],"description":"Addresses the KMIP server should listen on (host:port)","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path where KMIP secret backend will be mounted","description_kind":"plain","required":true},"server_hostnames":{"type":["set","string"],"description":"Hostnames to include in the server's TLS certificate as SAN DNS names. 
The first will be used as the common name (CN)","description_kind":"plain","optional":true,"computed":true},"server_ips":{"type":["set","string"],"description":"IPs to include in the server's TLS certificate as SAN IP addresses","description_kind":"plain","optional":true,"computed":true},"tls_ca_key_bits":{"type":"number","description":"CA key bits, valid values depend on key type","description_kind":"plain","optional":true,"computed":true},"tls_ca_key_type":{"type":"string","description":"CA key type, rsa or ec","description_kind":"plain","optional":true,"computed":true},"tls_min_version":{"type":"string","description":"Minimum TLS version to accept","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_kmip_secret_role":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"operation_activate":{"type":"bool","description":"Grant permission to use the KMIP Activate operation","description_kind":"plain","optional":true,"computed":true},"operation_add_attribute":{"type":"bool","description":"Grant permission to use the KMIP Add Attribute operation","description_kind":"plain","optional":true,"computed":true},"operation_all":{"type":"bool","description":"Grant all permissions to this role. 
May not be specified with any other operation_* params","description_kind":"plain","optional":true,"computed":true},"operation_create":{"type":"bool","description":"Grant permission to use the KMIP Create operation","description_kind":"plain","optional":true,"computed":true},"operation_destroy":{"type":"bool","description":"Grant permission to use the KMIP Destroy operation","description_kind":"plain","optional":true,"computed":true},"operation_discover_versions":{"type":"bool","description":"Grant permission to use the KMIP Discover Version operation","description_kind":"plain","optional":true,"computed":true},"operation_get":{"type":"bool","description":"Grant permission to use the KMIP Get operation","description_kind":"plain","optional":true,"computed":true},"operation_get_attribute_list":{"type":"bool","description":"Grant permission to use the KMIP Get Attribute List operation","description_kind":"plain","optional":true,"computed":true},"operation_get_attributes":{"type":"bool","description":"Grant permission to use the KMIP Get Attributes operation","description_kind":"plain","optional":true,"computed":true},"operation_locate":{"type":"bool","description":"Grant permission to use the KMIP Locate operation","description_kind":"plain","optional":true,"computed":true},"operation_none":{"type":"bool","description":"Remove all permissions from this role. 
May not be specified with any other operation_* params","description_kind":"plain","optional":true,"computed":true},"operation_register":{"type":"bool","description":"Grant permission to use the KMIP Register operation","description_kind":"plain","optional":true,"computed":true},"operation_rekey":{"type":"bool","description":"Grant permission to use the KMIP Rekey operation","description_kind":"plain","optional":true,"computed":true},"operation_revoke":{"type":"bool","description":"Grant permission to use the KMIP Revoke operation","description_kind":"plain","optional":true,"computed":true},"path":{"type":"string","description":"Path where KMIP backend is mounted","description_kind":"plain","required":true},"role":{"type":"string","description":"Name of the role","description_kind":"plain","required":true},"scope":{"type":"string","description":"Name of the scope","description_kind":"plain","required":true},"tls_client_key_bits":{"type":"number","description":"Client certificate key bits, valid values depend on key type","description_kind":"plain","optional":true},"tls_client_key_type":{"type":"string","description":"Client certificate key type, rsa or ec","description_kind":"plain","optional":true},"tls_client_ttl":{"type":"number","description":"Client certificate TTL in seconds","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kmip_secret_scope":{"version":0,"block":{"attributes":{"force":{"type":"bool","description":"Force deletion even if there are managed objects in the scope","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path where KMIP backend is mounted","description_kind":"plain","required":true},"scope":{"type":"string","description":"Name of the scope","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_kubernetes_auth_backend_config":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the kubernetes backend to configure.","description_kind":"plain","optional":true},"disable_iss_validation":{"type":"bool","description":"Optional disable JWT issuer validation. Allows to skip ISS validation.","description_kind":"plain","optional":true,"computed":true},"disable_local_ca_jwt":{"type":"bool","description":"Optional disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.","description_kind":"plain","optional":true},"kubernetes_ca_cert":{"type":"string","description":"PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.","description_kind":"plain","optional":true,"computed":true},"kubernetes_host":{"type":"string","description":"Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"pem_keys":{"type":["list","string"],"description":"Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. 
Not every installation of Kubernetes exposes these keys.","description_kind":"plain","optional":true},"token_reviewer_jwt":{"type":"string","description":"A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.","description_kind":"plain","optional":true,"sensitive":true}},"description_kind":"plain"}},"vault_kubernetes_auth_backend_role":{"version":0,"block":{"attributes":{"alias_name_source":{"type":"string","description":"Configures how identity aliases are generated. Valid choices are: serviceaccount_uid, serviceaccount_name","description_kind":"plain","optional":true,"computed":true},"audience":{"type":"string","description":"Optional Audience claim to verify in the JWT.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the kubernetes backend to configure.","description_kind":"plain","optional":true},"bound_service_account_names":{"type":["set","string"],"description":"List of service account names able to access this role. If set to `[\"*\"]` all names are allowed, both this and bound_service_account_namespaces can not be \"*\".","description_kind":"plain","required":true},"bound_service_account_namespaces":{"type":["set","string"],"description":"List of namespaces allowed to access this role. If set to `[\"*\"]` all namespaces are allowed, both this and bound_service_account_names can not be set to \"*\".","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kubernetes_secret_backend":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"Accessor of the mount","description_kind":"plain","computed":true},"allowed_managed_keys":{"type":["set","string"],"description":"List of managed key registry entry names that the mount in question is allowed to 
access","description_kind":"plain","optional":true},"allowed_response_headers":{"type":["list","string"],"description":"List of headers to allow and pass from the request to the plugin","description_kind":"plain","optional":true},"audit_non_hmac_request_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.","description_kind":"plain","optional":true,"computed":true},"audit_non_hmac_response_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.","description_kind":"plain","optional":true,"computed":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"delegated_auth_accessors":{"type":["list","string"],"description":"List of headers to allow and pass from the request to the plugin","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount","description_kind":"plain","optional":true},"disable_local_ca_jwt":{"type":"bool","description":"Disable defaulting to the local CA certificate and service account JWT when running in a Kubernetes pod.","description_kind":"plain","optional":true},"external_entropy_access":{"type":"bool","description":"Enable the secrets engine to access Vault's external entropy source","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity_token_key":{"type":"string","description":"The key to use for signing plugin workload identity tokens","description_kind":"plain","optional":true},"kubernetes_ca_cert":{"type":"string","description":"A PEM-encoded CA certificate used by the secret engine to verify the Kubernetes API server certificate. 
Defaults to the local pod’s CA if found, or otherwise the host's root CA set.","description_kind":"plain","optional":true},"kubernetes_host":{"type":"string","description":"The Kubernetes API URL to connect to.","description_kind":"plain","optional":true},"listing_visibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint","description_kind":"plain","optional":true},"local":{"type":"bool","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"Specifies mount type specific options that are passed to the backend","description_kind":"plain","optional":true},"passthrough_request_headers":{"type":["list","string"],"description":"List of headers to allow and pass from the request to the plugin","description_kind":"plain","optional":true},"path":{"type":"string","description":"Where the secret backend will be mounted","description_kind":"plain","required":true},"plugin_version":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'","description_kind":"plain","optional":true},"seal_wrap":{"type":"bool","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","description_kind":"plain","optional":true,"computed":true},"service_account_jwt":{"type":"string","description":"The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. 
Defaults to the local pod’s JWT if found.","description_kind":"plain","optional":true,"sensitive":true}},"description_kind":"plain"}},"vault_kubernetes_secret_backend_role":{"version":0,"block":{"attributes":{"allowed_kubernetes_namespace_selector":{"type":"string","description":"A label selector for Kubernetes namespaces in which credentials can begenerated. Accepts either a JSON or YAML object. The value should be of typeLabelSelector. If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed.","description_kind":"plain","optional":true},"allowed_kubernetes_namespaces":{"type":["list","string"],"description":"The list of Kubernetes namespaces this role can generate credentials for. If set to '*' all namespaces are allowed. If set with`allowed_kubernetes_namespace_selector`, the conditions are `OR`ed.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The mount path for the Kubernetes secrets engine.","description_kind":"plain","required":true},"extra_annotations":{"type":["map","string"],"description":"Additional annotations to apply to all generated Kubernetes objects.","description_kind":"plain","optional":true},"extra_labels":{"type":["map","string"],"description":"Additional labels to apply to all generated Kubernetes objects.","description_kind":"plain","optional":true},"generated_role_rules":{"type":"string","description":"The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with 'service_account_name' and 'kubernetes_role_name'. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"kubernetes_role_name":{"type":"string","description":"The pre-existing Role or ClusterRole to bind a generated service account to. 
Mutually exclusive with 'service_account_name' and 'generated_role_rules'. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.","description_kind":"plain","optional":true},"kubernetes_role_type":{"type":"string","description":"Specifies whether the Kubernetes role is a Role or ClusterRole.","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of the role.","description_kind":"plain","required":true},"name_template":{"type":"string","description":"The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"service_account_name":{"type":"string","description":"The pre-existing service account to generate tokens for. Mutually exclusive with 'kubernetes_role_name' and 'generated_role_rules'. If set, only a Kubernetes token will be created when credentials are requested.","description_kind":"plain","optional":true},"token_default_ttl":{"type":"number","description":"The default TTL for generated Kubernetes tokens in seconds.","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum TTL for generated Kubernetes tokens in seconds.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kv_secret":{"version":0,"block":{"attributes":{"data":{"type":["map","string"],"description":"Map of strings read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data to write.","description_kind":"plain","required":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path of the KV-V1 secret.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_kv_secret_backend_v2":{"version":0,"block":{"attributes":{"cas_required":{"type":"bool","description":"If true, all keys will require the cas parameter to be set on all write requests.","description_kind":"plain","optional":true,"computed":true},"delete_version_after":{"type":"number","description":"If set, specifies the length of time before a version is deleted","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_versions":{"type":"number","description":"The number of versions to keep per key.","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kv_secret_v2":{"version":0,"block":{"attributes":{"cas":{"type":"number","description":"This flag is required if cas_required is set to true on either the secret or the engine's config. 
In order for a write to be successful, cas must be set to the current version of the secret.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"Map of strings read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data to write.","description_kind":"plain","required":true,"sensitive":true},"delete_all_versions":{"type":"bool","description":"If set to true, permanently deletes all versions for the specified key.","description_kind":"plain","optional":true},"disable_read":{"type":"bool","description":"If set to true, disables reading secret from Vault; note: drift won't be detected.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"metadata":{"type":["map","string"],"description":"Metadata associated with this secret read from Vault.","description_kind":"plain","computed":true},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted.","description_kind":"plain","required":true},"name":{"type":"string","description":"Full name of the secret. For a nested secret, the name is the nested path excluding the mount and data prefix. For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz'","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"An object that holds option settings.","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where the KV-V2 secret will be written.","description_kind":"plain","computed":true}},"block_types":{"custom_metadata":{"nesting_mode":"list","block":{"attributes":{"cas_required":{"type":"bool","description":"If true, all keys will require the cas parameter to be set on all write requests.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of arbitrary string to string valued user-provided metadata meant to describe the secret.","description_kind":"plain","optional":true},"delete_version_after":{"type":"number","description":"If set, specifies the length of time before a version is deleted.","description_kind":"plain","optional":true},"max_versions":{"type":"number","description":"The number of versions to keep per key.","description_kind":"plain","optional":true}},"description":"Custom metadata to be set for the secret.","description_kind":"plain"},"max_items":1}},"description_kind":"plain"}},"vault_ldap_auth_backend":{"version":2,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor of the LDAP auth 
backend","description_kind":"plain","computed":true},"binddn":{"type":"string","description_kind":"plain","optional":true,"computed":true},"bindpass":{"type":"string","description_kind":"plain","optional":true,"computed":true,"sensitive":true},"case_sensitive_names":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"certificate":{"type":"string","description_kind":"plain","optional":true,"computed":true},"client_tls_cert":{"type":"string","description_kind":"plain","optional":true,"computed":true},"client_tls_key":{"type":"string","description_kind":"plain","optional":true,"computed":true,"sensitive":true},"deny_null_bind":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description_kind":"plain","optional":true,"computed":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"discoverdn":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"groupattr":{"type":"string","description_kind":"plain","optional":true,"computed":true},"groupdn":{"type":"string","description_kind":"plain","optional":true,"computed":true},"groupfilter":{"type":"string","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"insecure_tls":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Specifies if the auth method is local only","description_kind":"plain","optional":true},"max_page_size":{"type":"number","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description_kind":"plain","optional":true},"starttls":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"tls_max_version":{"type":"string","description_kind":"plain","optional":true,"computed":true},"tls_min_version":{"type":"string","description_kind":"plain","optional":true,"computed":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or 
batch","description_kind":"plain","optional":true},"upndomain":{"type":"string","description_kind":"plain","optional":true,"computed":true},"url":{"type":"string","description_kind":"plain","required":true},"use_token_groups":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"userattr":{"type":"string","description_kind":"plain","optional":true,"computed":true},"userdn":{"type":"string","description_kind":"plain","optional":true,"computed":true},"userfilter":{"type":"string","description_kind":"plain","optional":true,"computed":true},"username_as_alias":{"type":"bool","description":"Force the auth method to use the username passed by the user as the alias name.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_ldap_auth_backend_group":{"version":1,"block":{"attributes":{"backend":{"type":"string","description_kind":"plain","optional":true},"groupname":{"type":"string","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_ldap_auth_backend_user":{"version":1,"block":{"attributes":{"backend":{"type":"string","description_kind":"plain","optional":true},"groups":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"username":{"type":"string","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_ldap_secret_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"Accessor of the mount","description_kind":"plain","computed":true},"allowed_managed_keys":{"type":["set","string"],"description":"List of managed key registry entry names that the mount in question is allowed to access","description_kind":"plain","optional":true},"allowed_response_headers":{"type":["list","string"],"description":"List of headers to allow and pass from the request to the plugin","description_kind":"plain","optional":true},"audit_non_hmac_request_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.","description_kind":"plain","optional":true,"computed":true},"audit_non_hmac_response_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.","description_kind":"plain","optional":true,"computed":true},"binddn":{"type":"string","description":"Distinguished name of object to bind when performing user and group search.","description_kind":"plain","required":true},"bindpass":{"type":"string","description":"LDAP password for searching for the user DN.","description_kind":"plain","required":true,"sensitive":true},"certificate":{"type":"string","description":"CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.","description_kind":"plain","optional":true},"client_tls_cert":{"type":"string","description":"Client certificate to provide to the LDAP server, must be x509 PEM 
encoded.","description_kind":"plain","optional":true,"sensitive":true},"client_tls_key":{"type":"string","description":"Client certificate key to provide to the LDAP server, must be x509 PEM encoded.","description_kind":"plain","optional":true,"sensitive":true},"connection_timeout":{"type":"number","description":"Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.","description_kind":"plain","optional":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"delegated_auth_accessors":{"type":["list","string"],"description":"List of headers to allow and pass from the request to the plugin","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"external_entropy_access":{"type":"bool","description":"Enable the secrets engine to access Vault's external entropy source","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity_token_key":{"type":"string","description":"The key to use for signing plugin workload identity tokens","description_kind":"plain","optional":true},"insecure_tls":{"type":"bool","description":"Skip LDAP server SSL Certificate verification - insecure and not recommended for production use.","description_kind":"plain","optional":true},"listing_visibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint","description_kind":"plain","optional":true},"local":{"type":"bool","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA 
environment","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"Specifies mount type specific options that are passed to the backend","description_kind":"plain","optional":true},"passthrough_request_headers":{"type":["list","string"],"description":"List of headers to allow and pass from the request to the plugin","description_kind":"plain","optional":true},"password_policy":{"type":"string","description":"Name of the password policy to use to generate passwords.","description_kind":"plain","optional":true},"path":{"type":"string","description":"The path where the LDAP secrets backend is mounted.","description_kind":"plain","optional":true},"plugin_version":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'","description_kind":"plain","optional":true},"request_timeout":{"type":"number","description":"Timeout, in seconds, for the connection when making requests against the server before returning back an error.","description_kind":"plain","optional":true,"computed":true},"schema":{"type":"string","description":"The LDAP schema to use when storing entry passwords. 
Valid schemas include openldap, ad, and racf.","description_kind":"plain","optional":true,"computed":true},"seal_wrap":{"type":"bool","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","description_kind":"plain","optional":true,"computed":true},"skip_static_role_import_rotation":{"type":"bool","description":"Skip rotation of static role secrets on import.","description_kind":"plain","optional":true},"starttls":{"type":"bool","description":"Issue a StartTLS command after establishing unencrypted connection.","description_kind":"plain","optional":true,"computed":true},"upndomain":{"type":"string","description":"Enables userPrincipalDomain login with [username]@UPNDomain.","description_kind":"plain","optional":true,"computed":true},"url":{"type":"string","description":"LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order.","description_kind":"plain","optional":true,"computed":true},"userattr":{"type":"string","description":"Attribute used for users (default: cn)","description_kind":"plain","optional":true,"computed":true},"userdn":{"type":"string","description":"LDAP domain to use for users (eg: ou=People,dc=example,dc=org)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_ldap_secret_backend_dynamic_role":{"version":0,"block":{"attributes":{"creation_ldif":{"type":"string","description":"A templatized LDIF string used to create a user account. May contain multiple entries.","description_kind":"plain","required":true},"default_ttl":{"type":"number","description":"Specifies the TTL for the leases associated with this role.","description_kind":"plain","optional":true},"deletion_ldif":{"type":"string","description":"A templatized LDIF string used to delete the user account once its TTL has expired. 
This may contain multiple LDIF entries.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"Specifies the maximum TTL for the leases associated with this role.","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the LDAP secrets backend is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"rollback_ldif":{"type":"string","description":"A templatized LDIF string used to attempt to rollback any changes in the event that execution of the creation_ldif results in an error. This may contain multiple LDIF entries.","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"A template used to generate a dynamic username. This will be used to fill in the .Username field within the creation_ldif string.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_ldap_secret_backend_library_set":{"version":0,"block":{"attributes":{"disable_check_in_enforcement":{"type":"bool","description":"Disable enforcing that service accounts must be checked in by the entity or client token that checked them out.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"The maximum amount of time a check-out last with renewal before Vault automatically checks it back in. 
Defaults to 24 hours.","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"The path where the LDAP secrets backend is mounted.","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of the set of service accounts.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"service_account_names":{"type":["list","string"],"description":"The names of all the service accounts that can be checked out from this set.","description_kind":"plain","required":true},"ttl":{"type":"number","description":"The maximum amount of time a single check-out lasts before Vault automatically checks it back in. Defaults to 24 hours.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_ldap_secret_backend_static_role":{"version":0,"block":{"attributes":{"dn":{"type":"string","description":"Distinguished name (DN) of the existing LDAP entry to manage password rotation for.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"The path where the LDAP secrets backend is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"rotation_period":{"type":"number","description":"How often Vault should rotate the password of the user entry.","description_kind":"plain","required":true},"skip_import_rotation":{"type":"bool","description":"Skip rotation of the password on import.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The username of the existing LDAP entry to manage password rotation for.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_managed_keys":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"block_types":{"aws":{"nesting_mode":"set","block":{"attributes":{"access_key":{"type":"string","description":"The AWS access key to use","description_kind":"plain","required":true},"allow_generate_key":{"type":"bool","description":"If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend","description_kind":"plain","optional":true,"computed":true},"allow_replace_key":{"type":"bool","description":"Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.","description_kind":"plain","optional":true,"computed":true},"allow_store_key":{"type":"bool","description":"Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden","description_kind":"plain","optional":true,"computed":true},"any_mount":{"type":"bool","description":"Allow usage from any mount point within the namespace if 
'true'","description_kind":"plain","optional":true,"computed":true},"curve":{"type":"string","description":"The curve to use for an ECDSA key. Used when key_type is 'ECDSA'. Required if 'allow_generate_key' is true","description_kind":"plain","optional":true},"endpoint":{"type":"string","description":"Used to specify a custom AWS endpoint","description_kind":"plain","optional":true},"key_bits":{"type":"string","description":"The size in bits for an RSA key. This field is required when 'key_type' is 'RSA'","description_kind":"plain","required":true},"key_type":{"type":"string","description":"The type of key to use","description_kind":"plain","required":true},"kms_key":{"type":"string","description":"An identifier for the key","description_kind":"plain","required":true},"name":{"type":"string","description":"A unique lowercase name that serves as identifying the key","description_kind":"plain","required":true},"region":{"type":"string","description":"The AWS region where the keys are stored (or will be stored)","description_kind":"plain","optional":true,"computed":true},"secret_key":{"type":"string","description":"The AWS secret key to use","description_kind":"plain","required":true},"uuid":{"type":"string","description":"ID of the managed key read from Vault","description_kind":"plain","computed":true}},"description":"Configuration block for AWS Managed Keys","description_kind":"plain"}},"azure":{"nesting_mode":"set","block":{"attributes":{"allow_generate_key":{"type":"bool","description":"If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend","description_kind":"plain","optional":true,"computed":true},"allow_replace_key":{"type":"bool","description":"Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key 
exists.","description_kind":"plain","optional":true,"computed":true},"allow_store_key":{"type":"bool","description":"Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden","description_kind":"plain","optional":true,"computed":true},"any_mount":{"type":"bool","description":"Allow usage from any mount point within the namespace if 'true'","description_kind":"plain","optional":true,"computed":true},"client_id":{"type":"string","description":"The client id for credentials to query the Azure APIs","description_kind":"plain","required":true},"client_secret":{"type":"string","description":"The client secret for credentials to query the Azure APIs","description_kind":"plain","required":true},"environment":{"type":"string","description":"The Azure Cloud environment API endpoints to use","description_kind":"plain","optional":true,"computed":true},"key_bits":{"type":"string","description":"The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' or when 'allow_generate_key' is true","description_kind":"plain","optional":true},"key_name":{"type":"string","description":"The Key Vault key to use for encryption and decryption","description_kind":"plain","required":true},"key_type":{"type":"string","description":"The type of key to use","description_kind":"plain","required":true},"name":{"type":"string","description":"A unique lowercase name that serves as identifying the key","description_kind":"plain","required":true},"resource":{"type":"string","description":"The Azure Key Vault resource's DNS Suffix to connect to","description_kind":"plain","optional":true,"computed":true},"tenant_id":{"type":"string","description":"The tenant id for the Azure Active Directory organization","description_kind":"plain","required":true},"uuid":{"type":"string","description":"ID of the managed key read from Vault","description_kind":"plain","computed":true},"vault_name":{"type":"string","description":"The 
Key Vault vault to use the encryption keys for encryption and decryption","description_kind":"plain","required":true}},"description":"Configuration block for Azure Managed Keys","description_kind":"plain"}},"pkcs":{"nesting_mode":"set","block":{"attributes":{"allow_generate_key":{"type":"bool","description":"If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend","description_kind":"plain","optional":true,"computed":true},"allow_replace_key":{"type":"bool","description":"Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.","description_kind":"plain","optional":true,"computed":true},"allow_store_key":{"type":"bool","description":"Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden","description_kind":"plain","optional":true,"computed":true},"any_mount":{"type":"bool","description":"Allow usage from any mount point within the namespace if 'true'","description_kind":"plain","optional":true,"computed":true},"curve":{"type":"string","description":"Supplies the curve value when using the 'CKM_ECDSA' mechanism. Required if 'allow_generate_key' is true","description_kind":"plain","optional":true},"force_rw_session":{"type":"string","description":"Force all operations to open up a read-write session to the HSM","description_kind":"plain","optional":true},"key_bits":{"type":"string","description":"Supplies the size in bits of the key when using 'CKM_RSA_PKCS_PSS', 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. 
Required if 'allow_generate_key' is true","description_kind":"plain","optional":true},"key_id":{"type":"string","description":"The id of a PKCS#11 key to use","description_kind":"plain","required":true},"key_label":{"type":"string","description":"The label of the key to use","description_kind":"plain","required":true},"library":{"type":"string","description":"The name of the kms_library stanza to use from Vault's config to lookup the local library path","description_kind":"plain","required":true},"mechanism":{"type":"string","description":"The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.","description_kind":"plain","required":true},"name":{"type":"string","description":"A unique lowercase name that serves as identifying the key","description_kind":"plain","required":true},"pin":{"type":"string","description":"The PIN for login","description_kind":"plain","required":true},"slot":{"type":"string","description":"The slot number to use, specified as a string in a decimal format (e.g. '2305843009213693953')","description_kind":"plain","optional":true},"token_label":{"type":"string","description":"The slot token label to use","description_kind":"plain","optional":true},"uuid":{"type":"string","description":"ID of the managed key read from Vault","description_kind":"plain","computed":true}},"description":"Configuration block for PKCS Managed Keys","description_kind":"plain"}}},"description_kind":"plain"}},"vault_mfa_duo":{"version":0,"block":{"attributes":{"api_hostname":{"type":"string","description":"API hostname for Duo.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"integration_key":{"type":"string","description":"Integration key for Duo.","description_kind":"plain","required":true,"sensitive":true},"mount_accessor":{"type":"string","description":"The mount to tie this method to for use in automatic mappings. 
The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the MFA method.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"push_info":{"type":"string","description":"Push information for Duo.","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"Secret key for Duo.","description_kind":"plain","required":true,"sensitive":true},"username_format":{"type":"string","description":"A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_mfa_okta":{"version":0,"block":{"attributes":{"api_token":{"type":"string","description":"Okta API key.","description_kind":"plain","required":true,"sensitive":true},"base_url":{"type":"string","description":"If set, will be used as the base domain for API requests.","description_kind":"plain","optional":true},"id":{"type":"string","description":"ID computed by Vault.","description_kind":"plain","optional":true,"computed":true},"mount_accessor":{"type":"string","description":"The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the MFA method.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"org_name":{"type":"string","description":"Name of the organization to be used in the Okta API.","description_kind":"plain","required":true},"primary_email":{"type":"bool","description":"If set to true, the username will only match the primary email for the account.","description_kind":"plain","optional":true},"username_format":{"type":"string","description":"A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_mfa_pingid":{"version":0,"block":{"attributes":{"admin_url":{"type":"string","description":"Admin URL computed by Vault.","description_kind":"plain","computed":true},"authenticator_url":{"type":"string","description":"Authenticator URL computed by Vault.","description_kind":"plain","computed":true},"id":{"type":"string","description":"ID computed by Vault.","description_kind":"plain","optional":true,"computed":true},"idp_url":{"type":"string","description":"IDP URL computed by Vault.","description_kind":"plain","computed":true},"mount_accessor":{"type":"string","description":"The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the MFA method.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Namespace ID computed by Vault.","description_kind":"plain","computed":true},"org_alias":{"type":"string","description":"Org Alias computed by Vault.","description_kind":"plain","computed":true},"settings_file_base64":{"type":"string","description":"A base64-encoded third-party settings file retrieved from PingID's configuration page.","description_kind":"plain","required":true},"type":{"type":"string","description":"Type of configuration computed by Vault.","description_kind":"plain","computed":true},"use_signature":{"type":"bool","description":"If set, enables use of PingID signature. Computed by Vault","description_kind":"plain","computed":true},"username_format":{"type":"string","description":"A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_mfa_totp":{"version":0,"block":{"attributes":{"algorithm":{"type":"string","description":"Specifies the hashing algorithm used to generate the TOTP code. Options include 'SHA1', 'SHA256' and 'SHA512'.","description_kind":"plain","optional":true},"digits":{"type":"number","description":"The number of digits in the generated TOTP token. This value can either be 6 or 8.","description_kind":"plain","optional":true},"id":{"type":"string","description":"ID computed by Vault.","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"The name of the key's issuing organization.","description_kind":"plain","required":true},"key_size":{"type":"number","description":"Specifies the size in bytes of the generated key.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the MFA method.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"period":{"type":"number","description":"The length of time used to generate a counter for the TOTP token calculation.","description_kind":"plain","optional":true},"qr_size":{"type":"number","description":"The pixel size of the generated square QR code.","description_kind":"plain","optional":true},"skew":{"type":"number","description":"The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_mongodbatlas_secret_backend":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Path where MongoDB Atlas secret backend is mounted","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path where MongoDB Atlas configuration is located","description_kind":"plain","computed":true},"private_key":{"type":"string","description":"The Private Programmatic API Key used to connect with MongoDB Atlas API","description_kind":"plain","required":true},"public_key":{"type":"string","description":"The Public Programmatic API Key used to authenticate with the MongoDB Atlas API","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_mongodbatlas_secret_role":{"version":0,"block":{"attributes":{"cidr_blocks":{"type":["list","string"],"description":"Whitelist entry in CIDR notation to be added for the API key","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_addresses":{"type":["list","string"],"description":"IP address to be added to the whitelist for the API 
key","description_kind":"plain","optional":true},"max_ttl":{"type":"string","description":"The maximum allowed lifetime of credentials issued using this role","description_kind":"plain","optional":true},"mount":{"type":"string","description":"Path where MongoDB Atlas secret backend is mounted","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the role","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"organization_id":{"type":"string","description":"ID for the organization to which the target API Key belongs","description_kind":"plain","optional":true},"project_id":{"type":"string","description":"ID for the project to which the target API Key belongs","description_kind":"plain","optional":true},"project_roles":{"type":["list","string"],"description":"Roles assigned when an org API key is assigned to a project API key","description_kind":"plain","optional":true},"roles":{"type":["list","string"],"description":"List of roles that the API Key needs to have","description_kind":"plain","required":true},"ttl":{"type":"string","description":"Duration in seconds after which the issued credential should expire","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_mount":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"Accessor of the mount","description_kind":"plain","computed":true},"allowed_managed_keys":{"type":["set","string"],"description":"List of managed key registry entry names that the mount in question is allowed to access","description_kind":"plain","optional":true},"allowed_response_headers":{"type":["list","string"],"description":"List of headers to allow and pass from the request to the plugin","description_kind":"plain","optional":true},"audit_non_hmac_request_keys":{"type":["list","string"],"description":"Specifies the list of keys that 
will not be HMAC'd by audit devices in the request data object.","description_kind":"plain","optional":true,"computed":true},"audit_non_hmac_response_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.","description_kind":"plain","optional":true,"computed":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"delegated_auth_accessors":{"type":["list","string"],"description":"List of headers to allow and pass from the request to the plugin","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount","description_kind":"plain","optional":true},"external_entropy_access":{"type":"bool","description":"Enable the secrets engine to access Vault's external entropy source","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity_token_key":{"type":"string","description":"The key to use for signing plugin workload identity tokens","description_kind":"plain","optional":true},"listing_visibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint","description_kind":"plain","optional":true},"local":{"type":"bool","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"Specifies mount type specific options that are passed to the backend","description_kind":"plain","optional":true},"passthrough_request_headers":{"type":["list","string"],"description":"List of headers to allow and pass from the request to the plugin","description_kind":"plain","optional":true},"path":{"type":"string","description":"Where the secret backend will be mounted","description_kind":"plain","required":true},"plugin_version":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'","description_kind":"plain","optional":true},"seal_wrap":{"type":"bool","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of the backend, such as 'aws'","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_namespace":{"version":0,"block":{"attributes":{"custom_metadata":{"type":["map","string"],"description":"Custom metadata describing this namespace. Value type is map[string]string.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Namespace ID.","description_kind":"plain","computed":true},"path":{"type":"string","description":"Namespace path.","description_kind":"plain","required":true},"path_fq":{"type":"string","description":"The fully qualified namespace path.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_nomad_secret_backend":{"version":1,"block":{"attributes":{"address":{"type":"string","description":"Specifies the address of the Nomad instance, provided as \"protocol://host:port\" like \"http://127.0.0.1:4646\".","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The mount path for the Nomad backend.","description_kind":"plain","optional":true},"ca_cert":{"type":"string","description":"CA certificate to use when verifying Nomad server certificate, must be x509 PEM encoded.","description_kind":"plain","optional":true},"client_cert":{"type":"string","description":"Client certificate used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_key.","description_kind":"plain","optional":true,"sensitive":true},"client_key":{"type":"string","description":"Client key used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert.","description_kind":"plain","optional":true,"sensitive":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds.","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path 
updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Mark the secrets engine as local-only. Local engines are not replicated or removed by replication. Tolerance duration to use when checking the last rotation time.","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds.","description_kind":"plain","optional":true,"computed":true},"max_token_name_length":{"type":"number","description":"Specifies the maximum length to use for the name of the Nomad token generated with Generate Credential. If omitted, 0 is used and ignored, defaulting to the max value allowed by the Nomad version.","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"Maximum possible lease duration for secrets in seconds.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"token":{"type":"string","description":"Specifies the Nomad Management token to use.","description_kind":"plain","optional":true,"sensitive":true},"ttl":{"type":"number","description":"Maximum possible lease duration for secrets in seconds.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_nomad_secret_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The mount path for the Nomad backend.","description_kind":"plain","required":true},"global":{"type":"bool","description":"Specifies if the token should be global.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["list","string"],"description":"Comma separated list of Nomad policies the token is going to be created against. These need to be created beforehand in Nomad.","description_kind":"plain","optional":true,"computed":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"type":{"type":"string","description":"Specifies the type of token to create when using this role. Valid values are \"client\" or \"management\".","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_okta_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The mount accessor related to the auth mount.","description_kind":"plain","computed":true},"base_url":{"type":"string","description":"The Okta url. Examples: oktapreview.com, okta.com (default)","description_kind":"plain","optional":true},"bypass_okta_mfa":{"type":"bool","description":"When true, requests by Okta for a MFA check will be bypassed. This also disallows certain status checks on the account, such as whether the password is expired.","description_kind":"plain","optional":true},"description":{"type":"string","description":"The description of the auth backend","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"group":{"type":["set",["object",{"group_name":"string","policies":["set","string"]}]],"description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"string","description":"Maximum duration after which authentication will be expired","description_kind":"plain","deprecated":true,"optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"The Okta organization. This will be the first part of the url https://XXX.okta.com.","description_kind":"plain","required":true},"path":{"type":"string","description":"path to mount the backend","description_kind":"plain","optional":true},"token":{"type":"string","description":"The Okta API token. This is required to query Okta for user group membership. If this is not supplied only locally configured groups will be enabled.","description_kind":"plain","optional":true,"sensitive":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or 
batch","description_kind":"plain","optional":true},"ttl":{"type":"string","description":"Duration after which authentication will be expired","description_kind":"plain","deprecated":true,"optional":true},"user":{"type":["set",["object",{"groups":["set","string"],"policies":["set","string"],"username":"string"}]],"description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_okta_auth_backend_group":{"version":0,"block":{"attributes":{"group_name":{"type":"string","description":"Name of the Okta group","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to the Okta auth backend","description_kind":"plain","required":true},"policies":{"type":["set","string"],"description":"Policies to associate with this group","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_okta_auth_backend_user":{"version":0,"block":{"attributes":{"groups":{"type":["set","string"],"description":"Groups within the Okta auth backend to associate with this user","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to the Okta auth backend","description_kind":"plain","required":true},"policies":{"type":["set","string"],"description":"Policies to associate with this user","description_kind":"plain","optional":true},"username":{"type":"string","description":"Name of the user within Okta","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_password_policy":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the password policy.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policy":{"type":"string","description":"The password policy document","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_pki_secret_backend_cert":{"version":0,"block":{"attributes":{"alt_names":{"type":["list","string"],"description":"List of alternative names.","description_kind":"plain","optional":true},"auto_renew":{"type":"bool","description":"If enabled, a new certificate will be generated if the expiration is within min_seconds_remaining","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"ca_chain":{"type":"string","description":"The CA chain.","description_kind":"plain","computed":true},"certificate":{"type":"string","description":"The certicate.","description_kind":"plain","computed":true},"common_name":{"type":"string","description":"CN of the certificate to create.","description_kind":"plain","required":true},"exclude_cn_from_sans":{"type":"bool","description":"Flag to exclude CN from 
SANs.","description_kind":"plain","optional":true},"expiration":{"type":"number","description":"The certificate expiration as a Unix-style timestamp.","description_kind":"plain","computed":true},"format":{"type":"string","description":"The format of data.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_sans":{"type":["list","string"],"description":"List of alternative IPs.","description_kind":"plain","optional":true},"issuer_ref":{"type":"string","description":"Specifies the default issuer of this request.","description_kind":"plain","optional":true},"issuing_ca":{"type":"string","description":"The issuing CA.","description_kind":"plain","computed":true},"min_seconds_remaining":{"type":"number","description":"Generate a new certificate when the expiration is within this number of seconds","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the role to create the certificate against.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"other_sans":{"type":["list","string"],"description":"List of other SANs.","description_kind":"plain","optional":true},"private_key":{"type":"string","description":"The private key.","description_kind":"plain","computed":true,"sensitive":true},"private_key_format":{"type":"string","description":"The private key format.","description_kind":"plain","optional":true},"private_key_type":{"type":"string","description":"The private key type.","description_kind":"plain","computed":true},"renew_pending":{"type":"bool","description":"Initially false, and then set to true during refresh once the expiration is less than min_seconds_remaining in the future.","description_kind":"plain","computed":true},"revoke":{"type":"bool","description":"Revoke the certificate upon resource destruction.","description_kind":"plain","optional":true},"serial_number":{"type":"string","description":"The serial number.","description_kind":"plain","computed":true},"ttl":{"type":"string","description":"Time to live.","description_kind":"plain","optional":true},"uri_sans":{"type":["list","string"],"description":"List of alternative URIs.","description_kind":"plain","optional":true},"user_ids":{"type":["list","string"],"description":"List of Subject User IDs.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_config_ca":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"pem_bundle":{"type":"string","description":"The key and certificate PEM bundle.","description_kind":"plain","required":true,"sensitive":true}},"description_kind":"plain"}},"vault_pki_secret_backend_config_cluster":{"version":0,"block":{"attributes":{"aia_path":{"type":"string","description":"Path to the cluster's AIA distribution point.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to the cluster's API mount path.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_config_est":{"version":0,"block":{"attributes":{"audit_fields":{"type":["list","string"],"description":"Fields parsed from the CSR that appear in the audit and can be used by sentinel policies","description_kind":"plain","optional":true,"computed":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to","description_kind":"plain","required":true},"default_mount":{"type":"bool","description":"If set, this mount will register the default `.well-known/est` URL path. Only a single mount can enable this across a Vault cluster","description_kind":"plain","optional":true},"default_path_policy":{"type":"string","description":"Required to be set if default_mount is enabled. Specifies the behavior for requests using the default EST label. 
Can be sign-verbatim or a role given by role:\u003crole_name\u003e","description_kind":"plain","optional":true},"enable_sentinel_parsing":{"type":"bool","description":"If set, parse out fields from the provided CSR making them available for Sentinel policies","description_kind":"plain","optional":true},"enabled":{"type":"bool","description":"Specifies whether EST is enabled","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"label_to_path_policy":{"type":["map","string"],"description":"Configures a pairing of an EST label with the redirected behavior for requests hitting that role. The path policy can be sign-verbatim or a role given by role:\u003crole_name\u003e. Labels must be unique across Vault cluster, and will register .well-known/est/\u003clabel\u003e URL paths","description_kind":"plain","optional":true},"last_updated":{"type":"string","description":"A read-only timestamp representing the last time the configuration was updated","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"block_types":{"authenticators":{"nesting_mode":"list","block":{"attributes":{"cert":{"type":["map","string"],"description_kind":"plain","optional":true},"userpass":{"type":["map","string"],"description_kind":"plain","optional":true}},"description":"Lists the mount accessors EST should delegate authentication requests towards","description_kind":"plain"},"max_items":1}},"description":"Manages Vault PKI EST configuration","description_kind":"plain"}},"vault_pki_secret_backend_config_issuers":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"default":{"type":"string","description":"Specifies the default issuer by ID.","description_kind":"plain","optional":true},"default_follows_latest_issuer":{"type":"bool","description":"Specifies whether a root creation or an issuer import operation updates the default issuer to the newly added issuer.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_config_urls":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"crl_distribution_points":{"type":["list","string"],"description":"Specifies the URL values for the CRL Distribution Points field.","description_kind":"plain","optional":true},"enable_templating":{"type":"bool","description":"Specifies that templating of AIA fields is allowed.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuing_certificates":{"type":["list","string"],"description":"Specifies the URL values for the Issuing Certificate field.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"ocsp_servers":{"type":["list","string"],"description":"Specifies the URL values for the OCSP Servers field.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_crl_config":{"version":0,"block":{"attributes":{"auto_rebuild":{"type":"bool","description":"Enables or disables periodic rebuilding of the CRL upon expiry.","description_kind":"plain","optional":true},"auto_rebuild_grace_period":{"type":"string","description":"Grace period before CRL expiry to attempt rebuild of CRL.","description_kind":"plain","optional":true,"computed":true},"backend":{"type":"string","description":"The path of the PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"cross_cluster_revocation":{"type":"bool","description":"Enable cross-cluster revocation request queues.","description_kind":"plain","optional":true,"computed":true},"delta_rebuild_interval":{"type":"string","description":"Interval to 
check for new revocations on, to regenerate the delta CRL.","description_kind":"plain","optional":true,"computed":true},"disable":{"type":"bool","description":"Disables or enables CRL building","description_kind":"plain","optional":true},"enable_delta":{"type":"bool","description":"Enables or disables building of delta CRLs with up-to-date revocation information, augmenting the last complete CRL.","description_kind":"plain","optional":true},"expiry":{"type":"string","description":"Specifies the time until expiration.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"ocsp_disable":{"type":"bool","description":"Disables or enables the OCSP responder in Vault.","description_kind":"plain","optional":true},"ocsp_expiry":{"type":"string","description":"The amount of time an OCSP response can be cached for, useful for OCSP stapling refresh durations.","description_kind":"plain","optional":true,"computed":true},"unified_crl":{"type":"bool","description":"Enables unified CRL and OCSP building.","description_kind":"plain","optional":true,"computed":true},"unified_crl_on_existing_paths":{"type":"bool","description":"Enables serving the unified CRL and OCSP on the existing, previously cluster-local paths.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_pki_secret_backend_intermediate_cert_request":{"version":0,"block":{"attributes":{"add_basic_constraints":{"type":"bool","description":"Set 'CA: true' in a Basic Constraints extension. 
Only needed as\na workaround in some compatibility scenarios with Active Directory Certificate Services.","description_kind":"plain","optional":true},"alt_names":{"type":["list","string"],"description":"List of alternative names.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"common_name":{"type":"string","description":"CN of intermediate to create.","description_kind":"plain","required":true},"country":{"type":"string","description":"The country.","description_kind":"plain","optional":true},"csr":{"type":"string","description":"The CSR.","description_kind":"plain","computed":true},"exclude_cn_from_sans":{"type":"bool","description":"Flag to exclude CN from SANs.","description_kind":"plain","optional":true},"format":{"type":"string","description":"The format of data.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_sans":{"type":["list","string"],"description":"List of alternative IPs.","description_kind":"plain","optional":true},"key_bits":{"type":"number","description":"The number of bits to use.","description_kind":"plain","optional":true},"key_id":{"type":"string","description":"The ID of the generated key.","description_kind":"plain","computed":true},"key_name":{"type":"string","description":"When a new key is created with this request, optionally specifies the name for this.","description_kind":"plain","optional":true,"computed":true},"key_ref":{"type":"string","description":"Specifies the key to use for generating this request.","description_kind":"plain","optional":true,"computed":true},"key_type":{"type":"string","description":"The desired key type.","description_kind":"plain","optional":true},"locality":{"type":"string","description":"The 
locality.","description_kind":"plain","optional":true},"managed_key_id":{"type":"string","description":"The ID of the previously configured managed key.","description_kind":"plain","optional":true},"managed_key_name":{"type":"string","description":"The name of the previously configured managed key.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"The organization.","description_kind":"plain","optional":true},"other_sans":{"type":["list","string"],"description":"List of other SANs.","description_kind":"plain","optional":true},"ou":{"type":"string","description":"The organization unit.","description_kind":"plain","optional":true},"postal_code":{"type":"string","description":"The postal code.","description_kind":"plain","optional":true},"private_key":{"type":"string","description":"The private key.","description_kind":"plain","computed":true,"sensitive":true},"private_key_format":{"type":"string","description":"The private key format.","description_kind":"plain","optional":true},"private_key_type":{"type":"string","description":"The private key type.","description_kind":"plain","computed":true},"province":{"type":"string","description":"The province.","description_kind":"plain","optional":true},"street_address":{"type":"string","description":"The street address.","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of intermediate to create. 
Must be either \"existing\", \"exported\", \"internal\" or \"kms\"","description_kind":"plain","required":true},"uri_sans":{"type":["list","string"],"description":"List of alternative URIs.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_intermediate_set_signed":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"certificate":{"type":"string","description":"The certificate.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"imported_issuers":{"type":["list","string"],"description":"The imported issuers.","description_kind":"plain","computed":true},"imported_keys":{"type":["list","string"],"description":"The imported keys.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_issuer":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"crl_distribution_points":{"type":["list","string"],"description":"Specifies the URL values for the CRL Distribution Points field.","description_kind":"plain","optional":true},"enable_aia_url_templating":{"type":"bool","description":"Specifies that the AIA URL values should be templated.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer_id":{"type":"string","description":"ID of the issuer.","description_kind":"plain","computed":true},"issuer_name":{"type":"string","description":"Reference to an existing issuer.","description_kind":"plain","optional":true},"issuer_ref":{"type":"string","description":"Reference to an existing 
issuer.","description_kind":"plain","required":true},"issuing_certificates":{"type":["list","string"],"description":"Specifies the URL values for the Issuing Certificate field.","description_kind":"plain","optional":true},"leaf_not_after_behavior":{"type":"string","description":"Behavior of a leaf's 'NotAfter' field during issuance.","description_kind":"plain","optional":true,"computed":true},"manual_chain":{"type":["list","string"],"description":"Chain of issuer references to build this issuer's computed CAChain field from, when non-empty.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"ocsp_servers":{"type":["list","string"],"description":"Specifies the URL values for the OCSP Servers field.","description_kind":"plain","optional":true},"revocation_signature_algorithm":{"type":"string","description":"Which signature algorithm to use when building CRLs.","description_kind":"plain","optional":true,"computed":true},"usage":{"type":"string","description":"Comma-separated list of allowed usages for this issuer.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_pki_secret_backend_key":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_bits":{"type":"number","description":"Specifies the number of bits to use for the generated keys.","description_kind":"plain","optional":true,"computed":true},"key_id":{"type":"string","description":"ID of the generated key.","description_kind":"plain","computed":true},"key_name":{"type":"string","description":"When a new key is created with this request, optionally specifies the name for 
this.","description_kind":"plain","optional":true},"key_type":{"type":"string","description":"Specifies the desired key type; must be 'rsa', 'ed25519' or 'ec'.","description_kind":"plain","optional":true,"computed":true},"managed_key_id":{"type":"string","description":"The managed key's UUID.","description_kind":"plain","optional":true},"managed_key_name":{"type":"string","description":"The managed key's configured name.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"type":{"type":"string","description":"Specifies the type of the key to create.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_pki_secret_backend_role":{"version":0,"block":{"attributes":{"allow_any_name":{"type":"bool","description":"Flag to allow any name","description_kind":"plain","optional":true},"allow_bare_domains":{"type":"bool","description":"Flag to allow certificates matching the actual domain.","description_kind":"plain","optional":true},"allow_glob_domains":{"type":"bool","description":"Flag to allow names containing glob patterns.","description_kind":"plain","optional":true},"allow_ip_sans":{"type":"bool","description":"Flag to allow IP SANs","description_kind":"plain","optional":true},"allow_localhost":{"type":"bool","description":"Flag to allow certificates for localhost.","description_kind":"plain","optional":true},"allow_subdomains":{"type":"bool","description":"Flag to allow certificates matching subdomains.","description_kind":"plain","optional":true},"allow_wildcard_certificates":{"type":"bool","description":"Flag to allow wildcard certificates","description_kind":"plain","optional":true},"allowed_domains":{"type":["list","string"],"description":"The domains of the role.","description_kind":"plain","optional":true},"allowed_domains_template":{"type":"bool","description":"Flag to indicate that `allowed_domains` specifies a 
template expression (e.g. {{identity.entity.aliases.\u003cmount accessor\u003e.name}})","description_kind":"plain","optional":true},"allowed_other_sans":{"type":["list","string"],"description":"Defines allowed custom SANs","description_kind":"plain","optional":true},"allowed_serial_numbers":{"type":["list","string"],"description":"Defines allowed Subject serial numbers.","description_kind":"plain","optional":true},"allowed_uri_sans":{"type":["list","string"],"description":"Defines allowed URI SANs","description_kind":"plain","optional":true},"allowed_uri_sans_template":{"type":"bool","description":"Flag to indicate that `allowed_uri_sans` specifies a template expression (e.g. {{identity.entity.aliases.\u003cmount accessor\u003e.name}})","description_kind":"plain","optional":true,"computed":true},"allowed_user_ids":{"type":["list","string"],"description":"The allowed User ID's.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The path of the PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"basic_constraints_valid_for_non_ca":{"type":"bool","description":"Flag to mark basic constraints valid when issuing non-CA certificates.","description_kind":"plain","optional":true},"client_flag":{"type":"bool","description":"Flag to specify certificates for client use.","description_kind":"plain","optional":true},"code_signing_flag":{"type":"bool","description":"Flag to specify certificates for code signing use.","description_kind":"plain","optional":true},"country":{"type":["list","string"],"description":"The country of generated certificates.","description_kind":"plain","optional":true},"email_protection_flag":{"type":"bool","description":"Flag to specify certificates for email protection use.","description_kind":"plain","optional":true},"enforce_hostnames":{"type":"bool","description":"Flag to allow only valid host 
names","description_kind":"plain","optional":true},"ext_key_usage":{"type":["list","string"],"description":"Specify the allowed extended key usage constraint on issued certificates.","description_kind":"plain","optional":true},"ext_key_usage_oids":{"type":["list","string"],"description":"A list of extended key usage OIDs.","description_kind":"plain","optional":true},"generate_lease":{"type":"bool","description":"Flag to generate leases with certificates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer_ref":{"type":"string","description":"Specifies the default issuer of this request.","description_kind":"plain","optional":true,"computed":true},"key_bits":{"type":"number","description":"The number of bits of generated keys.","description_kind":"plain","optional":true},"key_type":{"type":"string","description":"The generated key type.","description_kind":"plain","optional":true},"key_usage":{"type":["list","string"],"description":"Specify the allowed key usage constraint on issued certificates.","description_kind":"plain","optional":true,"computed":true},"locality":{"type":["list","string"],"description":"The locality of generated certificates.","description_kind":"plain","optional":true},"max_ttl":{"type":"string","description":"The maximum TTL.","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name for the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"no_store":{"type":"bool","description":"Flag to not store certificates in the storage backend.","description_kind":"plain","optional":true},"not_before_duration":{"type":"string","description":"Specifies the duration by which to backdate the NotBefore property.","description_kind":"plain","optional":true,"computed":true},"organization":{"type":["list","string"],"description":"The organization of generated certificates.","description_kind":"plain","optional":true},"ou":{"type":["list","string"],"description":"The organization unit of generated certificates.","description_kind":"plain","optional":true},"policy_identifiers":{"type":["list","string"],"description":"Specify the list of allowed policies OIDs.","description_kind":"plain","optional":true},"postal_code":{"type":["list","string"],"description":"The postal code of generated certificates.","description_kind":"plain","optional":true},"province":{"type":["list","string"],"description":"The province of generated certificates.","description_kind":"plain","optional":true},"require_cn":{"type":"bool","description":"Flag to force CN usage.","description_kind":"plain","optional":true},"server_flag":{"type":"bool","description":"Flag to specify certificates for server use.","description_kind":"plain","optional":true},"street_address":{"type":["list","string"],"description":"The street address of generated certificates.","description_kind":"plain","optional":true},"ttl":{"type":"string","description":"The TTL.","description_kind":"plain","optional":true,"computed":true},"use_csr_common_name":{"type":"bool","description":"Flag to use the CN in the CSR.","description_kind":"plain","optional":true},"use_csr_sans":{"type":"bool","description":"Flag to use the SANs in the CSR.","description_kind":"plain","optional":true}},"block_types":{"policy_identifier":{"nesting_mode":"set","block":{"attributes":{"cps":{"type":"string","description":"Optional CPS 
URL","description_kind":"plain","optional":true},"notice":{"type":"string","description":"Optional notice","description_kind":"plain","optional":true},"oid":{"type":"string","description":"OID","description_kind":"plain","required":true}},"description":"Policy identifier block; can only be used with Vault 1.11+","description_kind":"plain"}}},"description_kind":"plain"}},"vault_pki_secret_backend_root_cert":{"version":1,"block":{"attributes":{"alt_names":{"type":["list","string"],"description":"List of alternative names.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"certificate":{"type":"string","description":"The certificate.","description_kind":"plain","computed":true},"common_name":{"type":"string","description":"CN of root to create.","description_kind":"plain","required":true},"country":{"type":"string","description":"The country.","description_kind":"plain","optional":true},"exclude_cn_from_sans":{"type":"bool","description":"Flag to exclude CN from SANs.","description_kind":"plain","optional":true},"format":{"type":"string","description":"The format of data.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_sans":{"type":["list","string"],"description":"List of alternative IPs.","description_kind":"plain","optional":true},"issuer_id":{"type":"string","description":"The ID of the generated issuer.","description_kind":"plain","computed":true},"issuer_name":{"type":"string","description":"Provides a name to the specified issuer. 
The name must be unique across all issuers and not be the reserved value 'default'.","description_kind":"plain","optional":true,"computed":true},"issuing_ca":{"type":"string","description":"The issuing CA.","description_kind":"plain","computed":true},"key_bits":{"type":"number","description":"The number of bits to use.","description_kind":"plain","optional":true},"key_id":{"type":"string","description":"The ID of the generated key.","description_kind":"plain","computed":true},"key_name":{"type":"string","description":"When a new key is created with this request, optionally specifies the name for this.","description_kind":"plain","optional":true,"computed":true},"key_ref":{"type":"string","description":"Specifies the key to use for generating this request.","description_kind":"plain","optional":true,"computed":true},"key_type":{"type":"string","description":"The desired key type.","description_kind":"plain","optional":true},"locality":{"type":"string","description":"The locality.","description_kind":"plain","optional":true},"managed_key_id":{"type":"string","description":"The ID of the previously configured managed key.","description_kind":"plain","optional":true,"computed":true},"managed_key_name":{"type":"string","description":"The name of the previously configured managed key.","description_kind":"plain","optional":true,"computed":true},"max_path_length":{"type":"number","description":"The maximum path length to encode in the generated certificate.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"The organization.","description_kind":"plain","optional":true},"other_sans":{"type":["list","string"],"description":"List of other SANs.","description_kind":"plain","optional":true},"ou":{"type":"string","description":"The organization unit.","description_kind":"plain","optional":true},"permitted_dns_domains":{"type":["list","string"],"description":"List of domains for which certificates are allowed to be issued.","description_kind":"plain","optional":true},"postal_code":{"type":"string","description":"The postal code.","description_kind":"plain","optional":true},"private_key_format":{"type":"string","description":"The private key format.","description_kind":"plain","optional":true},"province":{"type":"string","description":"The province.","description_kind":"plain","optional":true},"serial_number":{"type":"string","description":"The certificate's serial number, hex formatted.","description_kind":"plain","computed":true},"street_address":{"type":"string","description":"The street address.","description_kind":"plain","optional":true},"ttl":{"type":"string","description":"Time to live.","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of root to create. 
Must be either \"existing\", \"exported\", \"internal\" or \"kms\"","description_kind":"plain","required":true},"uri_sans":{"type":["list","string"],"description":"List of alternative URIs.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_root_sign_intermediate":{"version":2,"block":{"attributes":{"alt_names":{"type":["list","string"],"description":"List of alternative names.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"ca_chain":{"type":["list","string"],"description":"The CA chain as a list of format specific certificates","description_kind":"plain","computed":true},"certificate":{"type":"string","description":"The signed intermediate CA certificate.","description_kind":"plain","computed":true},"certificate_bundle":{"type":"string","description":"The concatenation of the intermediate and issuing CA certificates (PEM encoded). Requires the format to be set to any of: pem, pem_bundle. 
The value will be empty for all other formats.","description_kind":"plain","computed":true},"common_name":{"type":"string","description":"CN of intermediate to create.","description_kind":"plain","required":true},"country":{"type":"string","description":"The country.","description_kind":"plain","optional":true},"csr":{"type":"string","description":"The CSR.","description_kind":"plain","required":true},"exclude_cn_from_sans":{"type":"bool","description":"Flag to exclude CN from SANs.","description_kind":"plain","optional":true},"format":{"type":"string","description":"The format of data.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_sans":{"type":["list","string"],"description":"List of alternative IPs.","description_kind":"plain","optional":true},"issuer_ref":{"type":"string","description":"Specifies the default issuer of this request.","description_kind":"plain","optional":true},"issuing_ca":{"type":"string","description":"The issuing CA certificate.","description_kind":"plain","computed":true},"locality":{"type":"string","description":"The locality.","description_kind":"plain","optional":true},"max_path_length":{"type":"number","description":"The maximum path length to encode in the generated certificate.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"The organization.","description_kind":"plain","optional":true},"other_sans":{"type":["list","string"],"description":"List of other SANs.","description_kind":"plain","optional":true},"ou":{"type":"string","description":"The organization unit.","description_kind":"plain","optional":true},"permitted_dns_domains":{"type":["list","string"],"description":"List of domains for which certificates are allowed to be issued.","description_kind":"plain","optional":true},"postal_code":{"type":"string","description":"The postal code.","description_kind":"plain","optional":true},"province":{"type":"string","description":"The province.","description_kind":"plain","optional":true},"revoke":{"type":"bool","description":"Revoke the certificate upon resource destruction.","description_kind":"plain","optional":true},"serial_number":{"type":"string","description":"The certificate's serial number, hex formatted.","description_kind":"plain","computed":true},"street_address":{"type":"string","description":"The street address.","description_kind":"plain","optional":true},"ttl":{"type":"string","description":"Time to live.","description_kind":"plain","optional":true},"uri_sans":{"type":["list","string"],"description":"List of alternative URIs.","description_kind":"plain","optional":true},"use_csr_values":{"type":"bool","description":"Preserve CSR values.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_sign":{"version":1,"block":{"attributes":{"alt_names":{"type":["list","string"],"description":"List of alternative names.","description_kind":"plain","optional":true},"auto_renew":{"type":"bool","description":"If enabled, a new certificate will be generated if the expiration is within min_seconds_remaining","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The PKI secret backend the resource 
belongs to.","description_kind":"plain","required":true},"ca_chain":{"type":["list","string"],"description":"The CA chain.","description_kind":"plain","computed":true},"certificate":{"type":"string","description":"The certicate.","description_kind":"plain","computed":true},"common_name":{"type":"string","description":"CN of intermediate to create.","description_kind":"plain","required":true},"csr":{"type":"string","description":"The CSR.","description_kind":"plain","required":true},"exclude_cn_from_sans":{"type":"bool","description":"Flag to exclude CN from SANs.","description_kind":"plain","optional":true},"expiration":{"type":"number","description":"The certificate expiration as a Unix-style timestamp.","description_kind":"plain","computed":true},"format":{"type":"string","description":"The format of data.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_sans":{"type":["list","string"],"description":"List of alternative IPs.","description_kind":"plain","optional":true},"issuer_ref":{"type":"string","description":"Specifies the default issuer of this request.","description_kind":"plain","optional":true},"issuing_ca":{"type":"string","description":"The issuing CA.","description_kind":"plain","computed":true},"min_seconds_remaining":{"type":"number","description":"Generate a new certificate when the expiration is within this number of seconds","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the role to create the certificate against.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"other_sans":{"type":["list","string"],"description":"List of other SANs.","description_kind":"plain","optional":true},"renew_pending":{"type":"bool","description":"Initially false, and then set to true during refresh once the expiration is less than min_seconds_remaining in the future.","description_kind":"plain","computed":true},"serial_number":{"type":"string","description":"The certificate's serial number, hex formatted.","description_kind":"plain","computed":true},"ttl":{"type":"string","description":"Time to live.","description_kind":"plain","optional":true},"uri_sans":{"type":["list","string"],"description":"List of alternative URIs.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_plugin":{"version":0,"block":{"attributes":{"args":{"type":["list","string"],"description":"List of additional arguments to pass to the plugin.","description_kind":"plain","optional":true},"command":{"type":"string","description":"Command to execute the plugin, relative to the plugin_directory.","description_kind":"plain","required":true},"env":{"type":["list","string"],"description":"List of additional environment variables to run the plugin with in KEY=VALUE form.","description_kind":"plain","optional":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the plugin.","description_kind":"plain","required":true},"oci_image":{"type":"string","description":"OCI image to run. 
If specified, setting command, args, and env will update the container's entrypoint, args, and environment variables (append-only) respectively.","description_kind":"plain","optional":true},"runtime":{"type":"string","description":"Vault plugin runtime to use if oci_image is specified.","description_kind":"plain","optional":true},"sha256":{"type":"string","description":"SHA256 sum of the plugin binary.","description_kind":"plain","required":true},"type":{"type":"string","description":"Type of plugin; one of \"auth\", \"secret\", or \"database\".","description_kind":"plain","required":true},"version":{"type":"string","description":"Semantic version of the plugin.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_plugin_pinned_version":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the plugin.","description_kind":"plain","required":true},"type":{"type":"string","description":"Type of plugin; one of \"auth\", \"secret\", or \"database\".","description_kind":"plain","required":true},"version":{"type":"string","description":"Semantic pinned plugin version.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_policy":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the policy","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"policy":{"type":"string","description":"The policy document","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_quota_lease_count":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"inheritable":{"type":"bool","description":"If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default.","description_kind":"plain","optional":true},"max_leases":{"type":"number","description":"The maximum number of leases to be allowed by the quota rule. The max_leases must be positive.","description_kind":"plain","required":true},"name":{"type":"string","description":"The name of the quota.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path of the mount or namespace to apply the quota. 
A blank path configures a global lease count quota.","description_kind":"plain","optional":true},"role":{"type":"string","description":"If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_quota_rate_limit":{"version":0,"block":{"attributes":{"block_interval":{"type":"number","description":"If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' in seconds has elapsed.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"inheritable":{"type":"bool","description":"If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default.","description_kind":"plain","optional":true},"interval":{"type":"number","description":"The duration in seconds to enforce rate limiting for.","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the quota.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path of the mount or namespace to apply the quota. A blank path configures a global rate limit quota.","description_kind":"plain","optional":true},"rate":{"type":"number","description":"The maximum number of requests at any given second to be allowed by the quota rule. 
The rate must be positive.","description_kind":"plain","required":true},"role":{"type":"string","description":"If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_rabbitmq_secret_backend":{"version":1,"block":{"attributes":{"connection_uri":{"type":"string","description":"Specifies the RabbitMQ connection URI.","description_kind":"plain","required":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"password":{"type":"string","description":"Specifies the RabbitMQ management administrator password","description_kind":"plain","required":true,"sensitive":true},"password_policy":{"type":"string","description":"Specifies a password policy to use when creating dynamic credentials. 
Defaults to generating an alphanumeric password if not set.","description_kind":"plain","optional":true},"path":{"type":"string","description":"The path of the RabbitMQ Secret Backend where the connection should be configured","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the RabbitMQ management administrator username","description_kind":"plain","required":true,"sensitive":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies whether to verify connection URI, username, and password.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_rabbitmq_secret_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the Rabbitmq Secret Backend the role belongs to.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name for the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"tags":{"type":"string","description":"Specifies a comma-separated RabbitMQ management tags.","description_kind":"plain","optional":true}},"block_types":{"vhost":{"nesting_mode":"list","block":{"attributes":{"configure":{"type":"string","description":"The configure permissions for this vhost.","description_kind":"plain","required":true},"host":{"type":"string","description":"The vhost to set permissions for.","description_kind":"plain","required":true},"read":{"type":"string","description":"The read permissions for this vhost.","description_kind":"plain","required":true},"write":{"type":"string","description":"The write permissions for this vhost.","description_kind":"plain","required":true}},"description":"Specifies a map of virtual hosts to permissions.","description_kind":"plain"}},"vhost_topic":{"nesting_mode":"list","block":{"attributes":{"host":{"type":"string","description":"The vhost to set permissions for.","description_kind":"plain","required":true}},"block_types":{"vhost":{"nesting_mode":"list","block":{"attributes":{"read":{"type":"string","description":"The read permissions for this vhost.","description_kind":"plain","required":true},"topic":{"type":"string","description":"The vhost to set permissions for.","description_kind":"plain","required":true},"write":{"type":"string","description":"The write permissions for this vhost.","description_kind":"plain","required":true}},"description":"Specifies a map of virtual hosts to permissions.","description_kind":"plain"}}},"description":"Specifies a map of virtual hosts and exchanges to topic permissions. This option requires RabbitMQ 3.7.0 or later.","description_kind":"plain"}}},"description_kind":"plain"}},"vault_raft_autopilot":{"version":0,"block":{"attributes":{"cleanup_dead_servers":{"type":"bool","description":"Specifies whether to remove dead server nodes periodically or when a new server joins. 
This requires that min-quorum is also set.","description_kind":"plain","optional":true},"dead_server_last_contact_threshold":{"type":"string","description":"Limit the amount of time a server can go without leader contact before being considered failed. This only takes effect when cleanup_dead_servers is set.","description_kind":"plain","optional":true},"disable_upgrade_migration":{"type":"bool","description":"Disables automatically upgrading Vault using autopilot. (Enterprise-only)","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"last_contact_threshold":{"type":"string","description":"Limit the amount of time a server can go without leader contact before being considered unhealthy.","description_kind":"plain","optional":true},"max_trailing_logs":{"type":"number","description":"Maximum number of log entries in the Raft log that a server can be behind its leader before being considered unhealthy.","description_kind":"plain","optional":true},"min_quorum":{"type":"number","description":"Minimum number of servers allowed in a cluster before autopilot can prune dead servers. This should at least be 3. Applicable only for voting nodes.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"server_stabilization_time":{"type":"string","description":"Minimum amount of time a server must be stable in the 'healthy' state before being added to the cluster.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_raft_snapshot_agent_config":{"version":0,"block":{"attributes":{"aws_access_key_id":{"type":"string","description":"AWS access key ID.","description_kind":"plain","optional":true},"aws_s3_bucket":{"type":"string","description":"S3 bucket to write snapshots to.","description_kind":"plain","optional":true},"aws_s3_disable_tls":{"type":"bool","description":"Disable TLS for the S3 endpoint. This should only be used for testing purposes.","description_kind":"plain","optional":true},"aws_s3_enable_kms":{"type":"bool","description":"Use KMS to encrypt bucket contents.","description_kind":"plain","optional":true},"aws_s3_endpoint":{"type":"string","description":"AWS endpoint. This is typically only set when using a non-AWS S3 implementation like Minio.","description_kind":"plain","optional":true},"aws_s3_force_path_style":{"type":"bool","description":"Use the endpoint/bucket URL style instead of bucket.endpoint.","description_kind":"plain","optional":true},"aws_s3_kms_key":{"type":"string","description":"Use named KMS key, when aws_s3_enable_kms=true","description_kind":"plain","optional":true},"aws_s3_region":{"type":"string","description":"AWS region bucket is in.","description_kind":"plain","optional":true},"aws_s3_server_side_encryption":{"type":"bool","description":"Use AES256 to encrypt bucket contents.","description_kind":"plain","optional":true},"aws_secret_access_key":{"type":"string","description":"AWS secret access key.","description_kind":"plain","optional":true},"aws_session_token":{"type":"string","description":"AWS session token.","description_kind":"plain","optional":true},"azure_account_key":{"type":"string","description":"Azure account 
key.","description_kind":"plain","optional":true},"azure_account_name":{"type":"string","description":"Azure account name.","description_kind":"plain","optional":true},"azure_blob_environment":{"type":"string","description":"Azure blob environment.","description_kind":"plain","optional":true},"azure_container_name":{"type":"string","description":"Azure container name to write snapshots to.","description_kind":"plain","optional":true},"azure_endpoint":{"type":"string","description":"Azure blob storage endpoint. This is typically only set when using a non-Azure implementation like Azurite.","description_kind":"plain","optional":true},"file_prefix":{"type":"string","description":"The file or object name of snapshot files will start with this string.","description_kind":"plain","optional":true},"google_disable_tls":{"type":"bool","description":"Disable TLS for the GCS endpoint.","description_kind":"plain","optional":true},"google_endpoint":{"type":"string","description":"GCS endpoint. This is typically only set when using a non-Google GCS implementation like fake-gcs-server.","description_kind":"plain","optional":true},"google_gcs_bucket":{"type":"string","description":"GCS bucket to write snapshots to.","description_kind":"plain","optional":true},"google_service_account_key":{"type":"string","description":"Google service account key in JSON format.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"interval_seconds":{"type":"number","description":"Number of seconds between snapshots.","description_kind":"plain","required":true},"local_max_space":{"type":"number","description":"The maximum space, in bytes, to use for snapshots.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the snapshot agent configuration.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path_prefix":{"type":"string","description":"The directory or bucket prefix to to use.","description_kind":"plain","required":true},"retain":{"type":"number","description":"How many snapshots are to be kept.","description_kind":"plain","optional":true},"storage_type":{"type":"string","description":"What storage service to send snapshots to. One of \"local\", \"azure-blob\", \"aws-s3\", or \"google-gcs\".","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_rgp_policy":{"version":0,"block":{"attributes":{"enforcement_level":{"type":"string","description":"Enforcement level of Sentinel policy. Can be one of: 'advisory', 'soft-mandatory' or 'hard-mandatory'","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the policy","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"policy":{"type":"string","description":"The policy document","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_saml_auth_backend":{"version":0,"block":{"attributes":{"acs_urls":{"type":["list","string"],"description":"The well-formatted URLs of your Assertion Consumer Service (ACS) that should receive a response from the identity provider.","description_kind":"plain","required":true},"default_role":{"type":"string","description":"The role to use if no role is provided during login.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"entity_id":{"type":"string","description":"The entity ID of the SAML authentication service provider.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"idp_cert":{"type":"string","description":"The PEM encoded certificate of the identity provider. Mutually exclusive with 'idp_metadata_url'","description_kind":"plain","optional":true},"idp_entity_id":{"type":"string","description":"The entity ID of the identity provider. Mutually exclusive with 'idp_metadata_url'.","description_kind":"plain","optional":true},"idp_metadata_url":{"type":"string","description":"The metadata URL of the identity provider.","description_kind":"plain","optional":true},"idp_sso_url":{"type":"string","description":"The SSO URL of the identity provider. Mutually exclusive with 'idp_metadata_url'.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"verbose_logging":{"type":"bool","description":"Log additional, potentially sensitive information during the SAML exchange according to the current logging level. Not recommended for production.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_saml_auth_backend_role":{"version":0,"block":{"attributes":{"bound_attributes":{"type":["map","string"],"description":"Mapping of attribute names to values that are expected to exist in the SAML assertion.","description_kind":"plain","optional":true},"bound_attributes_type":{"type":"string","description":"The type of matching assertion to perform on bound_attributes.","description_kind":"plain","optional":true,"computed":true},"bound_subjects":{"type":["list","string"],"description":"The subject being asserted for SAML authentication.","description_kind":"plain","optional":true},"bound_subjects_type":{"type":"string","description":"The type of matching assertion to perform on bound_subjects.","description_kind":"plain","optional":true,"computed":true},"groups_attribute":{"type":"string","description":"The attribute to use to identify the set of groups to which the user belongs.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name of the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path where SAML Auth engine is mounted.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_secrets_sync_association":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"metadata":{"type":["list",["object",{"sub_key":"string","sync_status":"string","updated_at":"string"}]],"description":"Metadata for each subkey of the associated secret.","description_kind":"plain","computed":true},"mount":{"type":"string","description":"Specifies 
the mount where the secret is located.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the destination.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"secret_name":{"type":"string","description":"Specifies the name of the secret to synchronize.","description_kind":"plain","required":true},"type":{"type":"string","description":"Type of sync destination.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_secrets_sync_aws_destination":{"version":0,"block":{"attributes":{"access_key_id":{"type":"string","description":"Access key id to authenticate against the AWS secrets manager.","description_kind":"plain","optional":true},"custom_tags":{"type":["map","string"],"description":"Custom tags to set on the secret managed at the destination.","description_kind":"plain","optional":true},"external_id":{"type":"string","description":"Extra protection that must match the trust policy granting access to the AWS IAM role ARN.","description_kind":"plain","optional":true},"granularity":{"type":"string","description":"Determines what level of information is synced as a distinct resource at the destination. Can be 'secret-path' or 'secret-key'","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name of the AWS destination.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"region":{"type":"string","description":"Region where to manage the secrets manager entries.","description_kind":"plain","optional":true},"role_arn":{"type":"string","description":"Specifies a role to assume when connecting to AWS.","description_kind":"plain","optional":true},"secret_access_key":{"type":"string","description":"Secret access key to authenticate against the AWS secrets manager.","description_kind":"plain","optional":true,"sensitive":true},"secret_name_template":{"type":"string","description":"Template describing how to generate external secret names.","description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of secrets destination.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_secrets_sync_azure_destination":{"version":0,"block":{"attributes":{"client_id":{"type":"string","description":"Client ID of an Azure app registration.","description_kind":"plain","optional":true},"client_secret":{"type":"string","description":"Client Secret of an Azure app registration.","description_kind":"plain","optional":true,"sensitive":true},"cloud":{"type":"string","description":"Specifies a cloud for the client.","description_kind":"plain","optional":true},"custom_tags":{"type":["map","string"],"description":"Custom tags to set on the secret managed at the destination.","description_kind":"plain","optional":true},"granularity":{"type":"string","description":"Determines what level of information is synced as a distinct resource at the destination. 
Can be 'secret-path' or 'secret-key'","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_vault_uri":{"type":"string","description":"URI of an existing Azure Key Vault instance.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Unique name of the Azure destination.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"secret_name_template":{"type":"string","description":"Template describing how to generate external secret names.","description_kind":"plain","optional":true,"computed":true},"tenant_id":{"type":"string","description":"ID of the target Azure tenant.","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of secrets destination.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_secrets_sync_config":{"version":0,"block":{"attributes":{"disabled":{"type":"bool","description":"Disables the syncing process between Vault and external destinations.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"queue_capacity":{"type":"number","description":"Maximum number of pending sync operations allowed on the queue.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_secrets_sync_gcp_destination":{"version":0,"block":{"attributes":{"credentials":{"type":"string","description":"JSON-encoded credentials to use to connect to GCP.","description_kind":"plain","optional":true,"sensitive":true},"custom_tags":{"type":["map","string"],"description":"Custom tags to set on the secret managed at the destination.","description_kind":"plain","optional":true},"granularity":{"type":"string","description":"Determines what level of information is synced as a distinct resource at the destination. Can be 'secret-path' or 'secret-key'","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name of the GCP destination.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"project_id":{"type":"string","description":"The target project to manage secrets in.","description_kind":"plain","optional":true},"secret_name_template":{"type":"string","description":"Template describing how to generate external secret names.","description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of secrets destination.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_secrets_sync_gh_destination":{"version":0,"block":{"attributes":{"access_token":{"type":"string","description":"Fine-grained or personal access token.","description_kind":"plain","optional":true,"sensitive":true},"app_name":{"type":"string","description":"The user-defined name of the GitHub App configuration.","description_kind":"plain","optional":true},"granularity":{"type":"string","description":"Determines what level of information is synced as a distinct resource at the destination. Can be 'secret-path' or 'secret-key'","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"installation_id":{"type":"number","description":"The ID of the installation generated by GitHub when the app referenced by the app_name was installed in the user’s GitHub account. Necessary if the app_name field is also provided.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Unique name of the github destination.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"repository_name":{"type":"string","description":"Name of the repository.","description_kind":"plain","optional":true},"repository_owner":{"type":"string","description":"GitHub organization or username that owns the repository.","description_kind":"plain","optional":true},"secret_name_template":{"type":"string","description":"Template describing how to generate external secret names.","description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of secrets destination.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_secrets_sync_github_apps":{"version":0,"block":{"attributes":{"app_id":{"type":"number","description":"The GitHub application ID.","description_kind":"plain","required":true},"fingerprint":{"type":"string","description":"A fingerprint of a private key.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The user-defined name of the GitHub App configuration.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"private_key":{"type":"string","description":"The content of a PEM formatted private key generated on GitHub for the app.","description_kind":"plain","required":true,"sensitive":true}},"description_kind":"plain"}},"vault_secrets_sync_vercel_destination":{"version":0,"block":{"attributes":{"access_token":{"type":"string","description":"Vercel API access token with the permissions to manage environment variables.","description_kind":"plain","required":true,"sensitive":true},"deployment_environments":{"type":["list","string"],"description":"Deployment environments where the environment variables are available. 
Accepts 'development', 'preview' \u0026 'production'.","description_kind":"plain","required":true},"granularity":{"type":"string","description":"Determines what level of information is synced as a distinct resource at the destination. Can be 'secret-path' or 'secret-key'","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name of the Vercel destination.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"project_id":{"type":"string","description":"Project ID where to manage environment variables.","description_kind":"plain","required":true},"secret_name_template":{"type":"string","description":"Template describing how to generate external secret names.","description_kind":"plain","optional":true,"computed":true},"team_id":{"type":"string","description":"Team ID the project belongs to.","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of secrets destination.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_ssh_secret_backend_ca":{"version":1,"block":{"attributes":{"backend":{"type":"string","description":"The path of the SSH Secret Backend where the CA should be configured","description_kind":"plain","optional":true},"generate_signing_key":{"type":"bool","description":"Whether Vault should generate the signing key pair internally.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_bits":{"type":"number","description":"Specifies the desired key bits for the generated SSH CA key when `generate_signing_key` is set to `true`.","description_kind":"plain","optional":true},"key_type":{"type":"string","description":"Specifies the desired key type for the generated SSH CA key when 
`generate_signing_key` is set to `true`.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"private_key":{"type":"string","description":"Private key part the SSH CA key pair; required if generate_signing_key is false.","description_kind":"plain","optional":true,"computed":true,"sensitive":true},"public_key":{"type":"string","description":"Public key part the SSH CA key pair; required if generate_signing_key is false.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_ssh_secret_backend_role":{"version":0,"block":{"attributes":{"algorithm_signer":{"type":"string","description_kind":"plain","optional":true,"computed":true},"allow_bare_domains":{"type":"bool","description_kind":"plain","optional":true},"allow_host_certificates":{"type":"bool","description_kind":"plain","optional":true},"allow_subdomains":{"type":"bool","description_kind":"plain","optional":true},"allow_user_certificates":{"type":"bool","description_kind":"plain","optional":true},"allow_user_key_ids":{"type":"bool","description_kind":"plain","optional":true},"allowed_critical_options":{"type":"string","description_kind":"plain","optional":true},"allowed_domains":{"type":"string","description_kind":"plain","optional":true},"allowed_domains_template":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"allowed_extensions":{"type":"string","description_kind":"plain","optional":true},"allowed_users":{"type":"string","description_kind":"plain","optional":true},"allowed_users_template":{"type":"bool","description_kind":"plain","optional":true},"backend":{"type":"string","description_kind":"plain","required":true},"cidr_list":{"type":"string","description_kind":"plain","optional":true},"default_critical_options":{"type":["map","string"],"description_kind":"plain","optional":true},"default_extensions":{"type":["map","str
ing"],"description_kind":"plain","optional":true},"default_user":{"type":"string","description_kind":"plain","optional":true},"default_user_template":{"type":"bool","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_id_format":{"type":"string","description_kind":"plain","optional":true},"key_type":{"type":"string","description_kind":"plain","required":true},"max_ttl":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name for the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"not_before_duration":{"type":"string","description":"Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings.","description_kind":"plain","optional":true,"computed":true},"ttl":{"type":"string","description_kind":"plain","optional":true,"computed":true}},"block_types":{"allowed_user_key_config":{"nesting_mode":"set","block":{"attributes":{"lengths":{"type":["list","number"],"description":"List of allowed key lengths, vault-1.10 and above","description_kind":"plain","required":true},"type":{"type":"string","description":"Key type, choices:\nrsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521","description_kind":"plain","required":true}},"description":"Set of allowed public key types and their relevant configuration","description_kind":"plain"}}},"description_kind":"plain"}},"vault_terraform_cloud_secret_backend":{"version":1,"block":{"attributes":{"address":{"type":"string","description":"Specifies the address of the Terraform Cloud instance, provided as \"host:port\" like \"127.0.0.1:8500\".","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the Vault 
Terraform Cloud mount to configure","description_kind":"plain","optional":true},"base_path":{"type":"string","description":"Specifies the base path for the Terraform Cloud or Enterprise API.","description_kind":"plain","optional":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"token":{"type":"string","description":"Specifies the Terraform Cloud access token to use.","description_kind":"plain","optional":true,"sensitive":true}},"description_kind":"plain"}},"vault_terraform_cloud_secret_creds":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Terraform Cloud secret backend to generate tokens from","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_id":{"type":"string","description":"Associated Vault lease ID, if one exists","description_kind":"plain","computed":true,"sensitive":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"Name of the Terraform Cloud or Enterprise organization","description_kind":"plain","computed":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"team_id":{"type":"string","description":"ID of the Terraform Cloud or Enterprise team under organization (e.g., settings/teams/team-xxxxxxxxxxxxx)","description_kind":"plain","computed":true},"token":{"type":"string","description":"Terraform Token provided by the Vault backend","description_kind":"plain","computed":true,"sensitive":true},"token_id":{"type":"string","description":"ID of the Terraform Token provided","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_terraform_cloud_secret_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the Terraform Cloud Secret Backend the role belongs to.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"Maximum allowed lease for generated credentials. If not set or set to 0, will use system default.","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of an existing role against which to create this Terraform Cloud credential","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"Name of the Terraform Cloud or Enterprise organization","description_kind":"plain","optional":true},"team_id":{"type":"string","description":"ID of the Terraform Cloud or Enterprise team under organization (e.g., settings/teams/team-xxxxxxxxxxxxx)","description_kind":"plain","optional":true},"ttl":{"type":"number","description":"Default lease for generated credentials. If not set or set to 0, will use system default.","description_kind":"plain","optional":true},"user_id":{"type":"string","description":"ID of the Terraform Cloud or Enterprise user (e.g., user-xxxxxxxxxxxxxxxx)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_token":{"version":0,"block":{"attributes":{"client_token":{"type":"string","description":"The client token.","description_kind":"plain","computed":true,"sensitive":true},"display_name":{"type":"string","description":"The display name of the token.","description_kind":"plain","optional":true},"explicit_max_ttl":{"type":"string","description":"The explicit max TTL of the token.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"The token lease duration.","description_kind":"plain","computed":true},"lease_started":{"type":"string","description":"The token lease started on.","description_kind":"plain","computed":true},"metadata":{"type":["map","string"],"description":"Metadata to be associated with the token.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"no_default_policy":{"type":"bool","description":"Flag to disable the default policy.","description_kind":"plain","optional":true},"no_parent":{"type":"bool","description":"Flag to create a token without parent.","description_kind":"plain","optional":true,"computed":true},"num_uses":{"type":"number","description":"The number of allowed uses of the token.","description_kind":"plain","optional":true,"computed":true},"period":{"type":"string","description":"The period of the token.","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"List of policies.","description_kind":"plain","optional":true},"renew_increment":{"type":"number","description":"The renew increment.","description_kind":"plain","optional":true},"renew_min_lease":{"type":"number","description":"The minimum lease to renew token.","description_kind":"plain","optional":true},"renewable":{"type":"bool","description":"Flag to allow the token to be renewed","description_kind":"plain","optional":true,"computed":true},"role_name":{"type":"string","description":"The token role name.","description_kind":"plain","optional":true},"ttl":{"type":"string","description":"The TTL period of the token.","description_kind":"plain","optional":true},"wrapped_token":{"type":"string","description":"The client wrapped token.","description_kind":"plain","computed":true,"sensitive":true},"wrapping_accessor":{"type":"string","description":"The client wrapping accessor.","description_kind":"plain","computed":true,"sensitive":true},"wrapping_ttl":{"type":"string","description":"The TTL period of the wrapped token.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_token_auth_backend_role":{"version":0,"block":{"attributes":{"allowed_entity_aliases":{"type":["set","string"],"description":"Set of allowed entity aliases for this 
role.","description_kind":"plain","optional":true},"allowed_policies":{"type":["set","string"],"description":"List of allowed policies for given role.","description_kind":"plain","optional":true},"allowed_policies_glob":{"type":["set","string"],"description":"Set of allowed policies with glob match for given role.","description_kind":"plain","optional":true},"disallowed_policies":{"type":["set","string"],"description":"List of disallowed policies for given role.","description_kind":"plain","optional":true},"disallowed_policies_glob":{"type":["set","string"],"description":"Set of disallowed policies with glob match for given role.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"orphan":{"type":"bool","description":"If true, tokens created against this policy will be orphan tokens.","description_kind":"plain","optional":true},"path_suffix":{"type":"string","description":"Tokens created against this role will have the given suffix as part of their path in addition to the role name.","description_kind":"plain","optional":true},"renewable":{"type":"bool","description":"Whether to disable the ability of the token to be renewed past its initial TTL.","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated 
token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transform_alphabet":{"version":0,"block":{"attributes":{"alphabet":{"type":"string","description":"A string of characters that contains the alphabet set.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the alphabet.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"The mount path for a back-end, for example, the path given in \"$ vault auth enable -path=my-aws aws\".","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_transform_role":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"The mount path for a back-end, for example, the path given in \"$ vault auth enable -path=my-aws aws\".","description_kind":"plain","required":true},"transformations":{"type":["list","string"],"description":"A comma separated string or slice of transformations to use.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transform_template":{"version":0,"block":{"attributes":{"alphabet":{"type":"string","description":"The alphabet to use for this template. This is only used during FPE transformations.","description_kind":"plain","optional":true},"decode_formats":{"type":["map","string"],"description":"The map of regular expression templates used to customize decoded outputs.\nOnly applicable to FPE transformations.","description_kind":"plain","optional":true},"encode_format":{"type":"string","description":"The regular expression template used for encoding values.\nOnly applicable to FPE transformations.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the template.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"The mount path for a back-end, for example, the path given in \"$ vault auth enable -path=my-aws aws\".","description_kind":"plain","required":true},"pattern":{"type":"string","description":"The pattern used for matching. Currently, only regular expression pattern is supported.","description_kind":"plain","optional":true},"type":{"type":"string","description":"The pattern type to use for match detection. Currently, only regex is supported.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transform_transformation":{"version":0,"block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"The set of roles allowed to perform this transformation.","description_kind":"plain","optional":true},"deletion_allowed":{"type":"bool","description":"If true, this transform can be deleted. Otherwise deletion is blocked while this value remains false.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"masking_character":{"type":"string","description":"The character used to replace data when in masking mode","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of the transformation.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"The mount path for a back-end, for example, the path given in \"$ vault auth enable -path=my-aws aws\".","description_kind":"plain","required":true},"template":{"type":"string","description":"The name of the template to use.","description_kind":"plain","optional":true},"templates":{"type":["list","string"],"description":"Templates configured for transformation.","description_kind":"plain","optional":true,"computed":true},"tweak_source":{"type":"string","description":"The source of where the tweak value comes from. Only valid when in FPE mode.","description_kind":"plain","optional":true},"type":{"type":"string","description":"The type of transformation to perform.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transit_secret_backend_key":{"version":0,"block":{"attributes":{"allow_plaintext_backup":{"type":"bool","description":"If set, enables taking backup of named key in the plaintext format. Once set, this cannot be disabled.","description_kind":"plain","optional":true},"auto_rotate_period":{"type":"number","description":"Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.","description_kind":"plain","optional":true,"computed":true},"backend":{"type":"string","description":"The Transit secret backend the resource belongs to.","description_kind":"plain","required":true},"convergent_encryption":{"type":"bool","description":"Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.","description_kind":"plain","optional":true},"deletion_allowed":{"type":"bool","description":"Specifies if the key is allowed to be deleted.","description_kind":"plain","optional":true},"derived":{"type":"bool","description":"Specifies if key derivation is to be used. 
If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.","description_kind":"plain","optional":true},"exportable":{"type":"bool","description":"Enables keys to be exportable. This allows for all the valid keys in the key ring to be exported. Once set, this cannot be disabled.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_size":{"type":"number","description":"The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC; this value must be between 32 and 512.","description_kind":"plain","optional":true},"keys":{"type":["list",["map","string"]],"description":"List of key versions in the keyring.","description_kind":"plain","computed":true},"latest_version":{"type":"number","description":"Latest key version in use in the keyring","description_kind":"plain","computed":true},"min_available_version":{"type":"number","description":"Minimum key version available for use.","description_kind":"plain","computed":true},"min_decryption_version":{"type":"number","description":"Minimum key version to use for decryption.","description_kind":"plain","optional":true},"min_encryption_version":{"type":"number","description":"Minimum key version to use for encryption","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the encryption key to create.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"supports_decryption":{"type":"bool","description":"Whether or not the key supports decryption, based on key type.","description_kind":"plain","computed":true},"supports_derivation":{"type":"bool","description":"Whether or not the key supports derivation, based on key type.","description_kind":"plain","computed":true},"supports_encryption":{"type":"bool","description":"Whether or not the key supports encryption, based on key type.","description_kind":"plain","computed":true},"supports_signing":{"type":"bool","description":"Whether or not the key supports signing, based on key type.","description_kind":"plain","computed":true},"type":{"type":"string","description":"Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96, chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072, rsa-4096","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transit_secret_cache_config":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The Transit secret backend the resource belongs to.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"size":{"type":"number","description":"Number of cache entries. 
A size of 0 mean unlimited.","description_kind":"plain","required":true}},"description_kind":"plain"}}},"data_source_schemas":{"vault_ad_access_credentials":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"AD Secret Backend to read credentials from.","description_kind":"plain","required":true},"current_password":{"type":"string","description":"Password for the service account.","description_kind":"plain","computed":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"last_password":{"type":"string","description":"Last known password for the service account.","description_kind":"plain","computed":true,"sensitive":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"username":{"type":"string","description":"Name of the service account.","description_kind":"plain","computed":true}},"description_kind":"plain","deprecated":true}},"vault_approle_auth_backend_role_id":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role_id":{"type":"string","description":"The RoleID of the role.","description_kind":"plain","computed":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor of the auth backend.","description_kind":"plain","computed":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration in seconds","description_kind":"plain","computed":true},"description":{"type":"string","description":"The description of the auth backend.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"listing_visibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint.","description_kind":"plain","computed":true},"local":{"type":"bool","description":"Specifies if the auth method is local only","description_kind":"plain","computed":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration in seconds","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"The auth backend mount point.","description_kind":"plain","required":true},"type":{"type":"string","description":"The name of the auth backend.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_auth_backends":{"version":0,"block":{"attributes":{"accessors":{"type":["list","string"],"description":"The accessors of the auth backends.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"paths":{"type":["list","string"],"description":"The auth backend mount points.","description_kind":"plain","computed":true},"type":{"type":"string","description":"The type of the auth backend.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_access_credentials":{"version":0,"block":{"attributes":{"access_key":{"type":"string","description":"AWS access key ID read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"backend":{"type":"string","description":"AWS Secret Backend to read credentials from.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"Lease duration in seconds relative to the time in lease_start_time.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"Lease identifier assigned by vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"lease_start_time":{"type":"string","description":"Time at which the lease was read, using the clock of the system where Terraform 
was running","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"region":{"type":"string","description":"Region the read credentials belong to.","description_kind":"plain","optional":true},"role":{"type":"string","description":"AWS Secret Role to read credentials from.","description_kind":"plain","required":true},"role_arn":{"type":"string","description":"ARN to use if multiple are available in the role. Required if the role has multiple ARNs.","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"AWS secret key read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"security_token":{"type":"string","description":"AWS security token read from Vault. (Only returned if type is 'sts').","description_kind":"plain","computed":true,"sensitive":true},"ttl":{"type":"string","description":"User specified Time-To-Live for the STS token. Uses the Role defined default_sts_ttl when not specified","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of credentials to read. Must be either 'creds' for Access Key and Secret Key, or 'sts' for STS.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_static_access_credentials":{"version":0,"block":{"attributes":{"access_key":{"type":"string","description":"AWS access key ID read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"backend":{"type":"string","description":"AWS Secret Backend to read credentials from.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"AWS secret key read from Vault.","description_kind":"plain","computed":true,"sensitive":true}},"description_kind":"plain"}},"vault_azure_access_credentials":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Azure Secret Backend to read credentials from.","description_kind":"plain","required":true},"client_id":{"type":"string","description":"The client id for credentials to query the Azure APIs.","description_kind":"plain","computed":true},"client_secret":{"type":"string","description":"The client secret for credentials to query the Azure APIs.","description_kind":"plain","computed":true,"sensitive":true},"environment":{"type":"string","description":"The Azure environment to use during credential validation.\nDefaults to the Azure Public Cloud.\nSome possible values: AzurePublicCloud, AzureUSGovernmentCloud","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"Lease duration in seconds relative to the time in lease_start_time.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"Lease identifier assigned by vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"lease_start_time":{"type":"string","description":"Time at which the lease was read, using the clock of the system where Terraform was running","description_kind":"plain","computed":true},"max_cred_validation_seconds":{"type":"number","description":"If 'validate_creds' is true, the number of seconds after which to give up validating credentials.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"num_seconds_between_tests":{"type":"number","description":"If 'validate_creds' is true, the number of seconds to wait between each test of generated credentials.","description_kind":"plain","optional":true},"num_sequential_successes":{"type":"number","description":"If 'validate_creds' is true, the number of sequential successes required to validate generated credentials.","description_kind":"plain","optional":true},"role":{"type":"string","description":"Azure Secret Role to read credentials from.","description_kind":"plain","required":true},"subscription_id":{"type":"string","description":"The subscription ID to use during credential validation. Defaults to the subscription ID configured in the Vault backend","description_kind":"plain","optional":true},"tenant_id":{"type":"string","description":"The tenant ID to use during credential validation. Defaults to the tenant ID configured in the Vault backend","description_kind":"plain","optional":true},"validate_creds":{"type":"bool","description":"Whether generated credentials should be validated before being returned.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_gcp_auth_backend_role":{"version":1,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to 
configure.","description_kind":"plain","optional":true},"bound_instance_groups":{"type":["set","string"],"description_kind":"plain","computed":true},"bound_labels":{"type":["set","string"],"description_kind":"plain","computed":true},"bound_projects":{"type":["set","string"],"description_kind":"plain","computed":true},"bound_regions":{"type":["set","string"],"description_kind":"plain","computed":true},"bound_service_accounts":{"type":["set","string"],"description_kind":"plain","computed":true},"bound_zones":{"type":["set","string"],"description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role_id":{"type":"string","description":"The RoleID of the GCP auth role.","description_kind":"plain","computed":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's 
Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true},"type":{"type":"string","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_generic_secret":{"version":1,"block":{"attributes":{"data":{"type":["map","string"],"description":"Map of strings read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"Lease duration in seconds relative to the time in lease_start_time.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"Lease identifier assigned by vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"lease_start_time":{"type":"string","description":"Time at which the lease was read, using the clock of the system where Terraform was running","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path from which a secret will be read.","description_kind":"plain","required":true},"version":{"type":"number","description_kind":"plain","optional":true},"with_lease_start_time":{"type":"bool","description":"If set to true, stores 'lease_start_time' in the TF state.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_entity":{"version":0,"block":{"attributes":{"alias_id":{"type":"string","description":"ID of the alias.","description_kind":"plain","optional":true,"computed":true},"alias_mount_accessor":{"type":"string","description":"Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with `alias_name`.","description_kind":"plain","optional":true,"computed":true},"alias_name":{"type":"string","description":"Name of the alias. This should be supplied in conjunction with `alias_mount_accessor`.","description_kind":"plain","optional":true,"computed":true},"aliases":{"type":["set",["object",{"canonical_id":"string","creation_time":"string","id":"string","last_update_time":"string","merged_from_canonical_ids":["set","string"],"metadata":["map","string"],"mount_accessor":"string","mount_path":"string","mount_type":"string","name":"string"}]],"description_kind":"plain","computed":true},"creation_time":{"type":"string","description_kind":"plain","computed":true},"data_json":{"type":"string","description":"Entity data from Vault in JSON String form","description_kind":"plain","computed":true},"direct_group_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"disabled":{"type":"bool","description_kind":"plain","computed":true},"entity_id":{"type":"string","description":"ID of the entity.","description_kind":"plain","optional":true,"computed":true},"entity_name":{"type":"string","description":"Name of the 
entity.","description_kind":"plain","optional":true,"computed":true},"group_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"inherited_group_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"last_update_time":{"type":"string","description_kind":"plain","computed":true},"merged_entity_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"metadata":{"type":["map","string"],"description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description_kind":"plain","computed":true},"policies":{"type":["set","string"],"description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_group":{"version":1,"block":{"attributes":{"alias_canonical_id":{"type":"string","description_kind":"plain","computed":true},"alias_creation_time":{"type":"string","description_kind":"plain","computed":true},"alias_id":{"type":"string","description":"ID of the alias.","description_kind":"plain","optional":true,"computed":true},"alias_last_update_time":{"type":"string","description_kind":"plain","computed":true},"alias_merged_from_canonical_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"alias_metadata":{"type":["map","string"],"description_kind":"plain","computed":true},"alias_mount_accessor":{"type":"string","description":"Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with `alias_name`.","description_kind":"plain","optional":true,"computed":true},"alias_mount_path":{"type":"string","description_kind":"plain","computed":true},"alias_mount_type":{"type":"string","description_kind":"plain","computed":true},"alias_name":{"type":"string","description":"Name of the alias. 
This should be supplied in conjunction with `alias_mount_accessor`.","description_kind":"plain","optional":true,"computed":true},"creation_time":{"type":"string","description_kind":"plain","computed":true},"data_json":{"type":"string","description":"Group data from Vault in JSON String form","description_kind":"plain","computed":true},"group_id":{"type":"string","description":"ID of the group.","description_kind":"plain","optional":true,"computed":true},"group_name":{"type":"string","description":"Name of the group.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"last_update_time":{"type":"string","description_kind":"plain","computed":true},"member_entity_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"member_group_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"metadata":{"type":["map","string"],"description_kind":"plain","computed":true},"modify_index":{"type":"number","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description_kind":"plain","computed":true},"parent_group_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"policies":{"type":["set","string"],"description_kind":"plain","computed":true},"type":{"type":"string","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_oidc_client_creds":{"version":0,"block":{"attributes":{"client_id":{"type":"string","description":"The Client ID from Vault.","description_kind":"plain","computed":true},"client_secret":{"type":"string","description":"The Client Secret from Vault.","description_kind":"plain","computed":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the client.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_openid_config":{"version":0,"block":{"attributes":{"authorization_endpoint":{"type":"string","description":"The Authorization Endpoint for the provider.","description_kind":"plain","computed":true},"grant_types_supported":{"type":["list","string"],"description":"The grant types supported by the provider.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"id_token_signing_alg_values_supported":{"type":["list","string"],"description":"The signing algorithms supported by the provider.","description_kind":"plain","computed":true},"issuer":{"type":"string","description":"The URL of the issuer for the provider.","description_kind":"plain","computed":true},"jwks_uri":{"type":"string","description":"The well known keys URI for the 
provider.","description_kind":"plain","computed":true},"name":{"type":"string","description":"The name of the provider.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"request_uri_parameter_supported":{"type":"bool","description":"Specifies whether Request URI Parameter is supported by the provider.","description_kind":"plain","computed":true},"response_types_supported":{"type":["list","string"],"description":"The response types supported by the provider.","description_kind":"plain","computed":true},"scopes_supported":{"type":["list","string"],"description":"The scopes supported by the provider.","description_kind":"plain","computed":true},"subject_types_supported":{"type":["list","string"],"description":"The subject types supported by the provider.","description_kind":"plain","computed":true},"token_endpoint":{"type":"string","description":"The Token Endpoint for the provider.","description_kind":"plain","computed":true},"token_endpoint_auth_methods_supported":{"type":["list","string"],"description":"The token endpoint auth methods supported by the provider.","description_kind":"plain","computed":true},"userinfo_endpoint":{"type":"string","description":"The User Info Endpoint for the provider.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_oidc_public_keys":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"keys":{"type":["list",["map","string"]],"description":"The public portion of keys for an OIDC provider. Clients can use them to validate the authenticity of an identity token.","description_kind":"plain","computed":true},"name":{"type":"string","description":"The name of the provider.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kubernetes_auth_backend_config":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the kubernetes backend to configure.","description_kind":"plain","optional":true},"disable_iss_validation":{"type":"bool","description":"Optional disable JWT issuer validation. Allows to skip ISS validation.","description_kind":"plain","optional":true,"computed":true},"disable_local_ca_jwt":{"type":"bool","description":"Optional disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.","description_kind":"plain","optional":true,"computed":true},"kubernetes_ca_cert":{"type":"string","description":"PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.","description_kind":"plain","optional":true,"computed":true},"kubernetes_host":{"type":"string","description":"Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"pem_keys":{"type":["list","string"],"description":"Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. 
Not every installation of Kubernetes exposes these keys.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_kubernetes_auth_backend_role":{"version":0,"block":{"attributes":{"alias_name_source":{"type":"string","description":"Method used for generating identity aliases.","description_kind":"plain","computed":true},"audience":{"type":"string","description":"Optional Audience claim to verify in the JWT.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the kubernetes backend to configure.","description_kind":"plain","optional":true},"bound_service_account_names":{"type":["set","string"],"description":"List of service account names able to access this role. If set to \"*\" all names are allowed, both this and bound_service_account_namespaces can not be \"*\".","description_kind":"plain","computed":true},"bound_service_account_namespaces":{"type":["set","string"],"description":"List of namespaces allowed to access this role. If set to \"*\" all namespaces are allowed, both this and bound_service_account_names can not be set to \"*\".","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kubernetes_service_account_token":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The Kubernetes secret backend to generate service account tokens from.","description_kind":"plain","required":true},"cluster_role_binding":{"type":"bool","description":"If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a 
namespace.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"kubernetes_namespace":{"type":"string","description":"The name of the Kubernetes namespace in which to generate the credentials.","description_kind":"plain","required":true},"lease_duration":{"type":"number","description":"The duration of the lease in seconds.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"The lease identifier assigned by Vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description":"The name of the role.","description_kind":"plain","required":true},"service_account_name":{"type":"string","description":"The name of the service account associated with the token.","description_kind":"plain","computed":true},"service_account_namespace":{"type":"string","description":"The Kubernetes namespace that the service account resides in.","description_kind":"plain","computed":true},"service_account_token":{"type":"string","description":"The Kubernetes service account token.","description_kind":"plain","computed":true,"sensitive":true},"ttl":{"type":"string","description":"The TTL of the generated Kubernetes service account token, specified in seconds or as a Go duration format string","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kv_secret":{"version":0,"block":{"attributes":{"data":{"type":["map","string"],"description":"Map of strings read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data read from 
Vault.","description_kind":"plain","computed":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"Lease duration in seconds.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"Lease identifier assigned by Vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path of the KV-V1 secret.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_kv_secret_subkeys_v2":{"version":0,"block":{"attributes":{"data":{"type":["map","string"],"description":"Subkeys stored as a map of strings.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"Subkeys for the KV-V2 secret read from Vault.","description_kind":"plain","computed":true},"depth":{"type":"number","description":"Specifies the deepest nesting level to provide in the output.If non-zero, keys that reside at the specified depth value will be artificially treated as leaves and will thus be 'null' even if further underlying sub-keys exist.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted","description_kind":"plain","required":true},"name":{"type":"string","description":"Full name of the secret. For a nested secret, the name is the nested path excluding the mount and data prefix. 
For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz'","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where the generic secret will be written.","description_kind":"plain","computed":true},"version":{"type":"number","description":"Specifies the version to return. If not set the latest version is returned.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kv_secret_v2":{"version":0,"block":{"attributes":{"created_time":{"type":"string","description":"Time at which the secret was created","description_kind":"plain","computed":true},"custom_metadata":{"type":["map","string"],"description":"Custom metadata for the secret","description_kind":"plain","computed":true},"data":{"type":["map","string"],"description":"Map of strings read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"deletion_time":{"type":"string","description":"Deletion time for the secret","description_kind":"plain","computed":true},"destroyed":{"type":"bool","description":"Indicates whether the secret has been destroyed","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted","description_kind":"plain","required":true},"name":{"type":"string","description":"Full name of the secret. For a nested secret, the name is the nested path excluding the mount and data prefix. For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz'","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where the KVV2 secret is written.","description_kind":"plain","computed":true},"version":{"type":"number","description":"Version of the secret to retrieve","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kv_secrets_list":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"names":{"type":["list","string"],"description":"List of all secret names.","description_kind":"plain","computed":true,"sensitive":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full KV-V1 path where secrets will be listed.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_kv_secrets_list_v2":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted","description_kind":"plain","required":true},"name":{"type":"string","description":"Full named path of the secret. For a nested secret, the name is the nested path excluding the mount and data prefix. For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz'","description_kind":"plain","optional":true},"names":{"type":["list","string"],"description":"List of all secret names.","description_kind":"plain","computed":true,"sensitive":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where the KV-V2 secrets are listed.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_ldap_dynamic_credentials":{"version":0,"block":{"attributes":{"distinguished_names":{"type":["list","string"],"description":"List of the distinguished names (DN) created.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"Lease duration in seconds.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"Lease identifier assigned by Vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"mount":{"type":"string","description":"LDAP Secret Backend to read credentials from.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"password":{"type":"string","description":"Password for the dynamic role.","description_kind":"plain","computed":true,"sensitive":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"username":{"type":"string","description":"Name of the dynamic role.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_ldap_static_credentials":{"version":0,"block":{"attributes":{"dn":{"type":"string","description":"Distinguished name (DN) of the existing LDAP entry to manage password rotation for.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"last_password":{"type":"string","description":"Last known password for the static role.","description_kind":"plain","computed":true,"sensitive":true},"last_vault_rotation":{"type":"string","description":"Last time Vault rotated this static role's password.","description_kind":"plain","computed":true},"mount":{"type":"string","description":"LDAP Secret Backend to read credentials from.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"password":{"type":"string","description":"Password for the static role.","description_kind":"plain","computed":true,"sensitive":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"rotation_period":{"type":"number","description":"How often Vault should rotate the password of the user entry.","description_kind":"plain","computed":true},"ttl":{"type":"number","description":"Duration in seconds after which the issued credential should expire.","description_kind":"plain","computed":true},"username":{"type":"string","description":"Name of the static role.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_namespace":{"version":0,"block":{"attributes":{"custom_metadata":{"type":["map","string"],"description":"Metadata associated with this namespace.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Namespace ID.","description_kind":"plain","computed":true},"path":{"type":"string","description":"Namespace path.","description_kind":"plain","optional":true},"path_fq":{"type":"string","description":"The fully qualified namespace path.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_namespaces":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"paths":{"type":["set","string"],"description":"Namespace paths.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_nomad_access_token":{"version":0,"block":{"attributes":{"accessor_id":{"type":"string","description":"The public identifier for a specific token. It can be used to look up information about a token or to revoke a token.","description_kind":"plain","computed":true},"backend":{"type":"string","description":"Nomad secret backend to generate tokens from.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"secret_id":{"type":"string","description":"Used to make requests to Nomad and should be kept private.","description_kind":"plain","computed":true,"sensitive":true}},"description_kind":"plain"}},"vault_pki_secret_backend_config_est":{"version":0,"block":{"attributes":{"audit_fields":{"type":["list","string"],"description":"Fields parsed from the CSR that appear in the audit and can be used by sentinel policies","description_kind":"plain","computed":true},"authenticators":{"type":["list",["object",{"cert":["map","string"],"userpass":["map","string"]}]],"description":"Lists the mount accessors EST should delegate authentication requests towards","description_kind":"plain","computed":true},"backend":{"type":"string","description":"Path where PKI engine is mounted","description_kind":"plain","required":true},"default_mount":{"type":"bool","description":"If set, this mount is registered as the default `.well-known/est` URL path. 
Only a single mount can enable this across a Vault cluster","description_kind":"plain","computed":true},"default_path_policy":{"type":"string","description":"Required to be set if default_mount is enabled. Specifies the behavior for requests using the default EST label. Can be sign-verbatim or a role given by role:\u003crole_name\u003e","description_kind":"plain","computed":true},"enable_sentinel_parsing":{"type":"bool","description":"If set, parse out fields from the provided CSR making them available for Sentinel policies","description_kind":"plain","computed":true},"enabled":{"type":"bool","description":"Specifies whether EST is enabled","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"label_to_path_policy":{"type":["map","string"],"description":"A pairing of an EST label with the redirected behavior for requests hitting that role. The path policy can be sign-verbatim or a role given by role:\u003crole_name\u003e. Labels must be unique across Vault cluster, and will register .well-known/est/\u003clabel\u003e URL paths","description_kind":"plain","computed":true},"last_updated":{"type":"string","description":"A read-only timestamp representing the last time the configuration was updated","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description":"Reads Vault PKI EST configuration","description_kind":"plain"}},"vault_pki_secret_backend_issuer":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"ca_chain":{"type":["list","string"],"description":"The CA chain as a list of format specific certificates","description_kind":"plain","computed":true},"certificate":{"type":"string","description":"The certificate.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer_id":{"type":"string","description":"ID of the issuer.","description_kind":"plain","computed":true},"issuer_name":{"type":"string","description":"Name of the issuer.","description_kind":"plain","computed":true},"issuer_ref":{"type":"string","description":"Reference to an existing issuer.","description_kind":"plain","required":true},"key_id":{"type":"string","description":"ID of the key used by the issuer.","description_kind":"plain","computed":true},"leaf_not_after_behavior":{"type":"string","description":"Behavior of a leaf's NotAfter field during issuance.","description_kind":"plain","computed":true},"manual_chain":{"type":["list","string"],"description":"Chain of issuer references to build this issuer's computed CAChain field from, when non-empty","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"usage":{"type":"string","description":"Allowed usages for this issuer.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_pki_secret_backend_issuers":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_info":{"type":["map","string"],"description":"Map of issuer strings read from Vault.","description_kind":"plain","computed":true},"key_info_json":{"type":"string","description":"JSON-encoded key info data read from Vault.","description_kind":"plain","computed":true},"keys":{"type":["list","string"],"description":"Keys used by issuers under the backend path.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_key":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_id":{"type":"string","description":"ID of the key used.","description_kind":"plain","computed":true},"key_name":{"type":"string","description":"Name of the key.","description_kind":"plain","computed":true},"key_ref":{"type":"string","description":"Reference to an existing key.","description_kind":"plain","required":true},"key_type":{"type":"string","description":"Type of the key.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_keys":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_info":{"type":["map","string"],"description":"Map of key strings read from Vault.","description_kind":"plain","computed":true},"key_info_json":{"type":"string","description":"JSON-encoded key data read from Vault.","description_kind":"plain","computed":true},"keys":{"type":["list","string"],"description":"Keys used under the backend path.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_policy_document":{"version":0,"block":{"attributes":{"hcl":{"type":"string","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"block_types":{"rule":{"nesting_mode":"list","block":{"attributes":{"capabilities":{"type":["list","string"],"description_kind":"plain","required":true},"description":{"type":"string","description_kind":"plain","optional":true},"max_wrapping_ttl":{"type":"string","description_kind":"plain","optional":true},"min_wrapping_ttl":{"type":"string","description_kind":"plain","optional":true},"path":{"type":"string","description_kind":"plain","required":true},"required_parameters":{"type":["list","string"],"description_kind":"plain","optional":true}},"block_types":{"allowed_parameter":{"nesting_mode":"list","block":{"attributes":{"key":{"type":"string","description_kind":"plain","required":true},"value":{"type":["list","string"],"description_kind":"plain","required":true}},"description_kind":"plain"}},"denied_parameter":{"nesting_mode":"list","block":{"attributes":{"key":{"type":"string","description_kind":"plain","required":true},"value":{"type":["list","string"],"description_kind":"plain","required":true}},"description_kind":"plain"}}},"description":"The policy rule","description_kind":"plain"}}},"description_kind":"plain"}},"vault_raft_autopilot_state":{"version":0,"block":{"attributes":{"failure_tolerance":{"type":"number","description":"How many nodes could fail before the cluster becomes unhealthy","description_kind":"plain","computed":true},"healthy":{"type":"bool","description":"Health status","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"leader":{"type":"string","description":"Current leader of Vault","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"optimistic_failure_tolerance":{"type":"number","description":"The cluster-level optimistic failure tolerance.","description_kind":"plain","computed":true},"redundancy_zones":{"type":["map","string"],"description":"Additional output related to redundancy zones stored as a map of strings.","description_kind":"plain","computed":true},"redundancy_zones_json":{"type":"string","description":"Subkeys for the redundancy zones read from Vault.","description_kind":"plain","computed":true},"servers":{"type":["map","string"],"description":"Additional output related to servers stored as a map of strings.","description_kind":"plain","computed":true},"servers_json":{"type":"string","description":"Subkeys for the servers read from Vault.","description_kind":"plain","computed":true},"upgrade_info":{"type":["map","string"],"description":"Additional output related to upgrade info stored as a map of strings.","description_kind":"plain","computed":true},"upgrade_info_json":{"type":"string","description":"Subkeys for the servers read from Vault.","description_kind":"plain","computed":true},"voters":{"type":["list","string"],"description":"The voters in the Vault cluster.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_transform_decode":{"version":0,"block":{"attributes":{"batch_input":{"type":["list",["map","string"]],"description":"Specifies a list of items to be decoded in a single batch. If this parameter is set, the top-level parameters 'value', 'transformation' and 'tweak' will be ignored. 
Each batch item within the list can specify these parameters instead.","description_kind":"plain","optional":true},"batch_results":{"type":["list",["map","string"]],"description":"The result of decoding batch_input.","description_kind":"plain","optional":true,"computed":true},"decoded_value":{"type":"string","description":"The result of decoding a value.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to backend from which to retrieve data.","description_kind":"plain","required":true},"role_name":{"type":"string","description":"The name of the role.","description_kind":"plain","required":true},"transformation":{"type":"string","description":"The transformation to perform. If no value is provided and the role contains a single transformation, this value will be inferred from the role.","description_kind":"plain","optional":true},"tweak":{"type":"string","description":"The tweak value to use. Only applicable for FPE transformations","description_kind":"plain","optional":true},"value":{"type":"string","description":"The value in which to decode.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transform_encode":{"version":0,"block":{"attributes":{"batch_input":{"type":["list",["map","string"]],"description":"Specifies a list of items to be encoded in a single batch. If this parameter is set, the parameters 'value', 'transformation' and 'tweak' will be ignored. 
Each batch item within the list can specify these parameters instead.","description_kind":"plain","optional":true},"batch_results":{"type":["list",["map","string"]],"description":"The result of encoding batch_input.","description_kind":"plain","optional":true,"computed":true},"encoded_value":{"type":"string","description":"The result of encoding a value.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to backend from which to retrieve data.","description_kind":"plain","required":true},"role_name":{"type":"string","description":"The name of the role.","description_kind":"plain","required":true},"transformation":{"type":"string","description":"The transformation to perform. If no value is provided and the role contains a single transformation, this value will be inferred from the role.","description_kind":"plain","optional":true},"tweak":{"type":"string","description":"The tweak value to use. 
Only applicable for FPE transformations","description_kind":"plain","optional":true},"value":{"type":"string","description":"The value in which to encode.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transit_decrypt":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The Transit secret backend the key belongs to.","description_kind":"plain","required":true},"ciphertext":{"type":"string","description":"Transit encrypted cipher text.","description_kind":"plain","required":true},"context":{"type":"string","description":"Specifies the context for key derivation","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key":{"type":"string","description":"Name of the decryption key to use.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"plaintext":{"type":"string","description":"Decrypted plain text","description_kind":"plain","computed":true,"sensitive":true}},"description_kind":"plain"}},"vault_transit_encrypt":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The Transit secret backend the key belongs to.","description_kind":"plain","required":true},"ciphertext":{"type":"string","description":"Transit encrypted cipher text.","description_kind":"plain","computed":true},"context":{"type":"string","description":"Specifies the context for key derivation","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key":{"type":"string","description":"Name of the encryption key to use.","description_kind":"plain","required":true},"key_version":{"type":"number","description":"The version of the key to use for encryption","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"plaintext":{"type":"string","description":"Map of strings read from Vault.","description_kind":"plain","required":true,"sensitive":true}},"description_kind":"plain"}}}}}} diff --git a/config/vault/config.go b/config/vault/config.go index 9a5f1512..994d6eda 100644 --- a/config/vault/config.go +++ b/config/vault/config.go @@ -1,6 +1,6 @@ package vault -import "github.com/upbound/upjet/pkg/config" +import "github.com/crossplane/upjet/pkg/config" // ConfigureNamespace configures the namespace resource. func Configure(p *config.Provider) { diff --git a/examples-generated/ad/secretbackend.yaml b/examples-generated/ad/v1alpha1/secretbackend.yaml similarity index 100% rename from examples-generated/ad/secretbackend.yaml rename to examples-generated/ad/v1alpha1/secretbackend.yaml diff --git a/examples-generated/ad/secretrole.yaml b/examples-generated/ad/v1alpha1/secretrole.yaml similarity index 89% rename from examples-generated/ad/secretrole.yaml rename to examples-generated/ad/v1alpha1/secretrole.yaml index 428846fb..76270c44 100644 --- a/examples-generated/ad/secretrole.yaml +++ b/examples-generated/ad/v1alpha1/secretrole.yaml @@ -8,7 +8,9 @@ metadata: name: role spec: forProvider: - backend: ad + backendSelector: + matchLabels: + testing.upbound.io/example-name: config role: bob serviceAccountName: Bob ttl: 60 diff --git a/examples-generated/alicloud/authbackendrole.yaml b/examples-generated/alicloud/v1alpha1/authbackendrole.yaml similarity index 86% rename from examples-generated/alicloud/authbackendrole.yaml rename to examples-generated/alicloud/v1alpha1/authbackendrole.yaml index 6da7f16a..ff8a70b4 100644 --- a/examples-generated/alicloud/authbackendrole.yaml +++ b/examples-generated/alicloud/v1alpha1/authbackendrole.yaml 
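Review bot: In config/vault/config.go the doc comment kept as context above `func Configure(p *config.Provider)` still reads `// ConfigureNamespace configures the namespace resource.`, so it names a function that is not the one it documents. Since the commit touches this file, the comment should start with the real name, for example `// Configure applies the vault resource configuration to the provider.`; the exact wording needs checking against the body, which continues outside the hunk. Separately, the import now takes `config.Provider` from `github.com/crossplane/upjet/pkg/config` rather than `github.com/upbound/upjet/pkg/config`. go.mod and go.sum are not visible in this part of the diff, so it is worth confirming that they pin the crossplane module at a reviewed version and that no remaining file imports the old path.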
@@ -9,7 +9,9 @@ metadata: spec: forProvider: arn: acs:ram:123456:tf:role/foobar - backend: cert + backendSelector: + matchLabels: + testing.upbound.io/example-name: alicloud role: example --- diff --git a/examples-generated/approle/authbackendlogin.yaml b/examples-generated/approle/v1alpha1/authbackendlogin.yaml similarity index 73% rename from examples-generated/approle/authbackendlogin.yaml rename to examples-generated/approle/v1alpha1/authbackendlogin.yaml index bb748b30..b0e4d830 100644 --- a/examples-generated/approle/authbackendlogin.yaml +++ b/examples-generated/approle/v1alpha1/authbackendlogin.yaml @@ -8,8 +8,12 @@ metadata: name: login spec: forProvider: - backend: cert - roleId: ${vault_approle_auth_backend_role.example.role_id} + backendSelector: + matchLabels: + testing.upbound.io/example-name: approle + roleIdSelector: + matchLabels: + testing.upbound.io/example-name: example secretIdSecretRef: key: attribute.secret_id name: example-approle-auth-backend-role-secret-id @@ -27,7 +31,9 @@ metadata: name: example spec: forProvider: - backend: ${vault_auth_backend.approle.path} + backendSelector: + matchLabels: + testing.upbound.io/example-name: approle roleName: test-role tokenPolicies: - default @@ -46,8 +52,12 @@ metadata: name: id spec: forProvider: - backend: ${vault_auth_backend.approle.path} - roleName: test-role + backendSelector: + matchLabels: + testing.upbound.io/example-name: approle + roleNameSelector: + matchLabels: + testing.upbound.io/example-name: example --- diff --git a/examples-generated/approle/authbackendrole.yaml b/examples-generated/approle/v1alpha1/authbackendrole.yaml similarity index 86% rename from examples-generated/approle/authbackendrole.yaml rename to examples-generated/approle/v1alpha1/authbackendrole.yaml index cc2b958f..af8eb2a3 100644 --- a/examples-generated/approle/authbackendrole.yaml +++ b/examples-generated/approle/v1alpha1/authbackendrole.yaml 
@@ -8,7 +8,9 @@ metadata: name: example spec: forProvider: - backend: cert + backendSelector: + matchLabels: + testing.upbound.io/example-name: approle roleName: test-role tokenPolicies: - default diff --git a/examples-generated/approle/authbackendrolesecretid.yaml b/examples-generated/approle/v1alpha1/authbackendrolesecretid.yaml similarity index 78% rename from examples-generated/approle/authbackendrolesecretid.yaml rename to examples-generated/approle/v1alpha1/authbackendrolesecretid.yaml index 88a082a8..9a84e91b 100644 --- a/examples-generated/approle/authbackendrolesecretid.yaml +++ b/examples-generated/approle/v1alpha1/authbackendrolesecretid.yaml @@ -8,14 +8,18 @@ metadata: name: id spec: forProvider: - backend: cert + backendSelector: + matchLabels: + testing.upbound.io/example-name: approle metadata: |- ${jsonencode( { "hello" = "world" } )} - roleName: ${vault_approle_auth_backend_role.example.role_name} + roleNameSelector: + matchLabels: + testing.upbound.io/example-name: example --- @@ -29,7 +33,9 @@ metadata: name: example spec: forProvider: - backend: ${vault_auth_backend.approle.path} + backendSelector: + matchLabels: + testing.upbound.io/example-name: approle roleName: test-role tokenPolicies: - default diff --git a/examples-generated/audit/requestheader.yaml b/examples-generated/audit/v1alpha1/requestheader.yaml similarity index 100% rename from examples-generated/audit/requestheader.yaml rename to examples-generated/audit/v1alpha1/requestheader.yaml diff --git a/examples-generated/auth/backend.yaml b/examples-generated/auth/v1alpha1/backend.yaml similarity index 100% rename from examples-generated/auth/backend.yaml rename to examples-generated/auth/v1alpha1/backend.yaml 
diff --git a/examples-generated/aws/authbackendcert.yaml b/examples-generated/aws/v1alpha1/authbackendcert.yaml similarity index 85% rename from examples-generated/aws/authbackendcert.yaml rename to examples-generated/aws/v1alpha1/authbackendcert.yaml index 632e393e..456f90f7 100644 --- a/examples-generated/aws/authbackendcert.yaml +++ b/examples-generated/aws/v1alpha1/authbackendcert.yaml @@ -8,7 +8,9 @@ metadata: name: cert spec: forProvider: - backend: cert + backendSelector: + matchLabels: + testing.upbound.io/example-name: aws --- diff --git a/examples-generated/aws/authbackendclient.yaml b/examples-generated/aws/v1alpha1/authbackendclient.yaml similarity index 68% rename from examples-generated/aws/authbackendclient.yaml rename to examples-generated/aws/v1alpha1/authbackendclient.yaml index 530e18e4..d776e81a 100644 --- a/examples-generated/aws/authbackendclient.yaml +++ b/examples-generated/aws/v1alpha1/authbackendclient.yaml @@ -8,15 +8,9 @@ metadata: name: example spec: forProvider: - accessKeySecretRef: - key: example-key - name: example-secret - namespace: upbound-system - backend: cert - secretKeySecretRef: - key: example-key - name: example-secret - namespace: upbound-system + identityTokenAudience: + identityTokenTtl: + roleArn: --- diff --git a/examples-generated/aws/authbackendconfigidentity.yaml b/examples-generated/aws/v1alpha1/authbackendconfigidentity.yaml similarity index 87% rename from examples-generated/aws/authbackendconfigidentity.yaml rename to examples-generated/aws/v1alpha1/authbackendconfigidentity.yaml index dd1a113e..76358003 100644 --- a/examples-generated/aws/authbackendconfigidentity.yaml +++ b/examples-generated/aws/v1alpha1/authbackendconfigidentity.yaml @@ -8,7 +8,9 @@ metadata: name: example spec: forProvider: - backend: cert + backendSelector: + matchLabels: + testing.upbound.io/example-name: aws iamAlias: full_arn iamMetadata: - canonical_arn 
diff --git a/examples-generated/aws/authbackendidentitywhitelist.yaml b/examples-generated/aws/v1alpha1/authbackendidentitywhitelist.yaml similarity index 86% rename from examples-generated/aws/authbackendidentitywhitelist.yaml rename to examples-generated/aws/v1alpha1/authbackendidentitywhitelist.yaml index 9e1af943..feb0f57b 100644 --- a/examples-generated/aws/authbackendidentitywhitelist.yaml +++ b/examples-generated/aws/v1alpha1/authbackendidentitywhitelist.yaml @@ -8,7 +8,9 @@ metadata: name: example spec: forProvider: - backend: cert + backendSelector: + matchLabels: + testing.upbound.io/example-name: example safetyBuffer: 3600 --- diff --git a/examples-generated/aws/authbackendlogin.yaml b/examples-generated/aws/v1alpha1/authbackendlogin.yaml similarity index 82% rename from examples-generated/aws/authbackendlogin.yaml rename to examples-generated/aws/v1alpha1/authbackendlogin.yaml index 926ee2ee..3cf8f47f 100644 --- a/examples-generated/aws/authbackendlogin.yaml +++ b/examples-generated/aws/v1alpha1/authbackendlogin.yaml @@ -8,9 +8,13 @@ metadata: name: example spec: forProvider: - backend: cert + backendSelector: + matchLabels: + testing.upbound.io/example-name: example identity: BASE64ENCODEDIDENTITYDOCUMENT - role: test-role + roleSelector: + matchLabels: + testing.upbound.io/example-name: example signature: BASE64ENCODEDSHA256IDENTITYDOCUMENTSIGNATURE --- @@ -44,7 +48,9 @@ spec: key: example-key name: example-secret namespace: upbound-system - backend: aws + backendSelector: + matchLabels: + testing.upbound.io/example-name: aws secretKeySecretRef: key: example-key name: example-secret @@ -63,7 +69,9 @@ metadata: spec: forProvider: authType: ec2 - backend: aws + backendSelector: + matchLabels: + testing.upbound.io/example-name: example bound_account_id: "123456789012" bound_ami_id: ami-8c1be5f6 bound_subnet_id: vpc-133128f1 
diff --git a/examples-generated/aws/authbackendrole.yaml b/examples-generated/aws/v1alpha1/authbackendrole.yaml similarity index 92% rename from examples-generated/aws/authbackendrole.yaml rename to examples-generated/aws/v1alpha1/authbackendrole.yaml index 383c8cf0..713e5ed2 100644 --- a/examples-generated/aws/authbackendrole.yaml +++ b/examples-generated/aws/v1alpha1/authbackendrole.yaml @@ -9,7 +9,9 @@ metadata: spec: forProvider: authType: iam - backend: cert + backendSelector: + matchLabels: + testing.upbound.io/example-name: aws boundAccountIds: - "123456789012" boundAmiIds: diff --git a/examples-generated/aws/authbackendroletag.yaml b/examples-generated/aws/v1alpha1/authbackendroletag.yaml similarity index 79% rename from examples-generated/aws/authbackendroletag.yaml rename to examples-generated/aws/v1alpha1/authbackendroletag.yaml index 2ba314b5..7d2d0216 100644 --- a/examples-generated/aws/authbackendroletag.yaml +++ b/examples-generated/aws/v1alpha1/authbackendroletag.yaml @@ -8,14 +8,18 @@ metadata: name: test spec: forProvider: - backend: cert + backendSelector: + matchLabels: + testing.upbound.io/example-name: aws instanceId: i-1234567 maxTtl: 1h policies: - prod - dev - test - role: test-role + roleSelector: + matchLabels: + testing.upbound.io/example-name: role --- @@ -45,7 +49,9 @@ metadata: spec: forProvider: authType: ec2 - backend: '%s' + backendSelector: + matchLabels: + testing.upbound.io/example-name: example bound_account_id: "123456789012" policies: - dev diff --git a/examples-generated/aws/authbackendroletagblacklist.yaml b/examples-generated/aws/v1alpha1/authbackendroletagblacklist.yaml similarity index 86% rename from examples-generated/aws/authbackendroletagblacklist.yaml rename to examples-generated/aws/v1alpha1/authbackendroletagblacklist.yaml index 1e7f9467..31085376 100644 --- a/examples-generated/aws/authbackendroletagblacklist.yaml +++ b/examples-generated/aws/v1alpha1/authbackendroletagblacklist.yaml 
@@ -8,7 +8,9 @@ metadata: name: example spec: forProvider: - backend: cert + backendSelector: + matchLabels: + testing.upbound.io/example-name: example safetyBuffer: 360 --- diff --git a/examples-generated/aws/authbackendstsrole.yaml b/examples-generated/aws/v1alpha1/authbackendstsrole.yaml similarity index 87% rename from examples-generated/aws/authbackendstsrole.yaml rename to examples-generated/aws/v1alpha1/authbackendstsrole.yaml index b028a0e9..38dcd0a8 100644 --- a/examples-generated/aws/authbackendstsrole.yaml +++ b/examples-generated/aws/v1alpha1/authbackendstsrole.yaml @@ -9,7 +9,9 @@ metadata: spec: forProvider: accountId: "1234567890" - backend: cert + backendSelector: + matchLabels: + testing.upbound.io/example-name: aws stsRole: arn:aws:iam::1234567890:role/my-role --- diff --git a/examples-generated/aws/secretbackend.yaml b/examples-generated/aws/v1alpha1/secretbackend.yaml similarity index 100% rename from examples-generated/aws/secretbackend.yaml rename to examples-generated/aws/v1alpha1/secretbackend.yaml diff --git a/examples-generated/aws/secretbackendrole.yaml b/examples-generated/aws/v1alpha1/secretbackendrole.yaml similarity index 91% rename from examples-generated/aws/secretbackendrole.yaml rename to examples-generated/aws/v1alpha1/secretbackendrole.yaml index b498ffb1..b2df8226 100644 --- a/examples-generated/aws/secretbackendrole.yaml +++ b/examples-generated/aws/v1alpha1/secretbackendrole.yaml @@ -8,7 +8,9 @@ metadata: name: role spec: forProvider: - backend: ${vault_aws_secret_backend.aws.path} + backendSelector: + matchLabels: + testing.upbound.io/example-name: aws credentialType: iam_user name: deploy policyDocument: | diff --git a/examples-generated/azure/authbackendconfig.yaml b/examples-generated/azure/v1alpha1/authbackendconfig.yaml similarity index 78% rename from examples-generated/azure/authbackendconfig.yaml rename to examples-generated/azure/v1alpha1/authbackendconfig.yaml index 084ddbc3..f67026d7 100644 
--- a/examples-generated/azure/authbackendconfig.yaml +++ b/examples-generated/azure/v1alpha1/authbackendconfig.yaml @@ -8,16 +8,15 @@ metadata: name: example spec: forProvider: - backend: cert + backendSelector: + matchLabels: + testing.upbound.io/example-name: example clientIdSecretRef: key: example-key name: example-secret namespace: upbound-system - clientSecretSecretRef: - key: example-key - name: example-secret - namespace: upbound-system - resource: https://vault.hashicorp.com + identityTokenAudience: + identityTokenTtl: tenantIdSecretRef: key: example-key name: example-secret @@ -35,4 +34,5 @@ metadata: name: example spec: forProvider: + identityTokenKey: example-key type: azure diff --git a/examples-generated/azure/authbackendrole.yaml b/examples-generated/azure/v1alpha1/authbackendrole.yaml similarity index 89% rename from examples-generated/azure/authbackendrole.yaml rename to examples-generated/azure/v1alpha1/authbackendrole.yaml index 6e65afb5..567f9d1e 100644 --- a/examples-generated/azure/authbackendrole.yaml +++ b/examples-generated/azure/v1alpha1/authbackendrole.yaml @@ -8,7 +8,9 @@ metadata: name: example spec: forProvider: - backend: cert + backendSelector: + matchLabels: + testing.upbound.io/example-name: azure boundResourceGroups: - "123456789012" boundSubscriptionIds: diff --git a/examples-generated/azure/secretbackend.yaml b/examples-generated/azure/v1alpha1/secretbackend.yaml similarity index 76% rename from examples-generated/azure/secretbackend.yaml rename to examples-generated/azure/v1alpha1/secretbackend.yaml index 235437c3..2c3b1661 100644 --- a/examples-generated/azure/secretbackend.yaml +++ b/examples-generated/azure/v1alpha1/secretbackend.yaml 
@@ -12,11 +12,8 @@ spec: key: example-key name: example-secret namespace: upbound-system - clientSecretSecretRef: - key: example-key - name: example-secret - namespace: upbound-system - environment: AzurePublicCloud + identityTokenAudience: + identityTokenTtl: subscriptionIdSecretRef: key: example-key name: example-secret @@ -25,4 +22,3 @@ spec: key: example-key name: example-secret namespace: upbound-system - useMicrosoftGraphApi: true diff --git a/examples-generated/azure/secretbackendrole.yaml b/examples-generated/azure/v1alpha1/secretbackendrole.yaml similarity index 93% rename from examples-generated/azure/secretbackendrole.yaml rename to examples-generated/azure/v1alpha1/secretbackendrole.yaml index 123eefdc..dff3f8d5 100644 --- a/examples-generated/azure/secretbackendrole.yaml +++ b/examples-generated/azure/v1alpha1/secretbackendrole.yaml @@ -11,7 +11,9 @@ spec: azureRoles: - roleName: Reader scope: /subscriptions/${var.subscription_id}/resourceGroups/azure-vault-group - backend: ${vault_azure_secret_backend.azure.path} + backendSelector: + matchLabels: + testing.upbound.io/example-name: azure maxTtl: 600 role: generated_role signInAudience: AzureADMyOrg diff --git a/examples-generated/consul/secretbackend.yaml b/examples-generated/consul/v1alpha1/secretbackend.yaml similarity index 100% rename from examples-generated/consul/secretbackend.yaml rename to examples-generated/consul/v1alpha1/secretbackend.yaml diff --git a/examples-generated/consul/secretbackendrole.yaml b/examples-generated/consul/v1alpha1/secretbackendrole.yaml similarity index 89% rename from examples-generated/consul/secretbackendrole.yaml rename to examples-generated/consul/v1alpha1/secretbackendrole.yaml index 8833de27..345006eb 100644 --- a/examples-generated/consul/secretbackendrole.yaml +++ b/examples-generated/consul/v1alpha1/secretbackendrole.yaml 
@@ -8,7 +8,9 @@ metadata: name: example spec: forProvider: - backend: consul + backendSelector: + matchLabels: + testing.upbound.io/example-name: test consulPolicies: - example-policy name: test-role diff --git a/examples-generated/database/secretbackendconnection.yaml b/examples-generated/database/v1alpha1/secretbackendconnection.yaml similarity index 89% rename from examples-generated/database/secretbackendconnection.yaml rename to examples-generated/database/v1alpha1/secretbackendconnection.yaml index 87327e76..eb0a2434 100644 --- a/examples-generated/database/secretbackendconnection.yaml +++ b/examples-generated/database/v1alpha1/secretbackendconnection.yaml @@ -11,7 +11,9 @@ spec: allowedRoles: - dev - prod - backend: dummy + backendSelector: + matchLabels: + testing.upbound.io/example-name: db name: postgres postgresql: - connectionUrl: postgres://username:password@host:port/database diff --git a/examples-generated/database/secretbackendrole.yaml b/examples-generated/database/v1alpha1/secretbackendrole.yaml similarity index 80% rename from examples-generated/database/secretbackendrole.yaml rename to examples-generated/database/v1alpha1/secretbackendrole.yaml index 64f6354d..ad9428ec 100644 --- a/examples-generated/database/secretbackendrole.yaml +++ b/examples-generated/database/v1alpha1/secretbackendrole.yaml @@ -8,10 +8,14 @@ metadata: name: role spec: forProvider: - backend: dummy + backendSelector: + matchLabels: + testing.upbound.io/example-name: db creationStatements: - CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; - dbName: postgres + dbNameSelector: + matchLabels: + testing.upbound.io/example-name: postgres name: dev --- @@ -29,7 +33,9 @@ spec: allowedRoles: - dev - prod - backend: postgres + backendSelector: + matchLabels: + testing.upbound.io/example-name: example name: postgres postgresql: - connectionUrl: postgres://username:password@host:port/database 
diff --git a/examples-generated/database/secretbackendstaticrole.yaml b/examples-generated/database/v1alpha1/secretbackendstaticrole.yaml similarity index 81% rename from examples-generated/database/secretbackendstaticrole.yaml rename to examples-generated/database/v1alpha1/secretbackendstaticrole.yaml index 20d71b98..a5bc77ce 100644 --- a/examples-generated/database/secretbackendstaticrole.yaml +++ b/examples-generated/database/v1alpha1/secretbackendstaticrole.yaml @@ -8,8 +8,12 @@ metadata: name: period-role spec: forProvider: - backend: dummy - dbName: postgres + backendSelector: + matchLabels: + testing.upbound.io/example-name: db + dbNameSelector: + matchLabels: + testing.upbound.io/example-name: postgres name: my-period-role rotationPeriod: "3600" rotationStatements: @@ -30,7 +34,9 @@ spec: forProvider: allowedRoles: - '*' - backend: postgres + backendSelector: + matchLabels: + testing.upbound.io/example-name: example name: postgres postgresql: - connectionUrl: postgres://username:password@host:port/database diff --git a/examples-generated/database/secretsmount.yaml b/examples-generated/database/v1alpha1/secretsmount.yaml similarity index 83% rename from examples-generated/database/secretsmount.yaml rename to examples-generated/database/v1alpha1/secretsmount.yaml index bd6e580e..d7478cc5 100644 --- a/examples-generated/database/secretsmount.yaml +++ b/examples-generated/database/v1alpha1/secretsmount.yaml @@ -43,12 +43,16 @@ metadata: name: dev1 spec: forProvider: - backend: db + backendSelector: + matchLabels: + testing.upbound.io/example-name: db creationStatements: - CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}'; - CREATE USER [{{name}}] FOR LOGIN [{{name}}]; - GRANT SELECT ON SCHEMA::dbo TO [{{name}}]; - dbName: db1 + dbNameSelector: + matchLabels: + testing.upbound.io/example-name: db name: dev1 --- 
@@ -63,9 +67,13 @@ metadata: name: dev2 spec: forProvider: - backend: db + backendSelector: + matchLabels: + testing.upbound.io/example-name: db creationStatements: - CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; - GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}"; - dbName: db2 + dbNameSelector: + matchLabels: + testing.upbound.io/example-name: db name: dev2 diff --git a/examples-generated/egp/policy.yaml b/examples-generated/egp/v1alpha1/policy.yaml similarity index 100% rename from examples-generated/egp/policy.yaml rename to examples-generated/egp/v1alpha1/policy.yaml diff --git a/examples-generated/gcp/authbackendrole.yaml b/examples-generated/gcp/v1alpha1/authbackendrole.yaml similarity index 89% rename from examples-generated/gcp/authbackendrole.yaml rename to examples-generated/gcp/v1alpha1/authbackendrole.yaml index 09889693..2a9e1251 100644 --- a/examples-generated/gcp/authbackendrole.yaml +++ b/examples-generated/gcp/v1alpha1/authbackendrole.yaml @@ -9,7 +9,9 @@ metadata: spec: forProvider: addGroupAliases: true - backend: cert + backendSelector: + matchLabels: + testing.upbound.io/example-name: gcp boundProjects: - test boundServiceAccounts: diff --git a/examples-generated/gcp/secretbackend.yaml b/examples-generated/gcp/v1alpha1/secretbackend.yaml similarity index 59% rename from examples-generated/gcp/secretbackend.yaml rename to examples-generated/gcp/v1alpha1/secretbackend.yaml index d5265886..728dbc85 100644 --- a/examples-generated/gcp/secretbackend.yaml +++ b/examples-generated/gcp/v1alpha1/secretbackend.yaml @@ -8,7 +8,7 @@ metadata: name: gcp spec: forProvider: - credentialsSecretRef: - key: attribute.credentials.json - name: example-secret - namespace: upbound-system + identityTokenAudience: + identityTokenKey: example-key + identityTokenTtl: 1800 + serviceAccountEmail: 
diff --git a/examples-generated/gcp/secretimpersonatedaccount.yaml b/examples-generated/gcp/v1alpha1/secretimpersonatedaccount.yaml similarity index 90% rename from examples-generated/gcp/secretimpersonatedaccount.yaml rename to examples-generated/gcp/v1alpha1/secretimpersonatedaccount.yaml index e9c5ef8b..a24a29b1 100644 --- a/examples-generated/gcp/secretimpersonatedaccount.yaml +++ b/examples-generated/gcp/v1alpha1/secretimpersonatedaccount.yaml @@ -8,7 +8,9 @@ metadata: name: impersonated-account spec: forProvider: - backend: ${vault_gcp_secret_backend.gcp.path} + backendSelector: + matchLabels: + testing.upbound.io/example-name: gcp impersonatedAccount: this serviceAccountEmail: ${google_service_account.this.email} tokenScopes: diff --git a/examples-generated/gcp/secretroleset.yaml b/examples-generated/gcp/v1alpha1/secretroleset.yaml similarity index 91% rename from examples-generated/gcp/secretroleset.yaml rename to examples-generated/gcp/v1alpha1/secretroleset.yaml index 8d3918ce..55b33dba 100644 --- a/examples-generated/gcp/secretroleset.yaml +++ b/examples-generated/gcp/v1alpha1/secretroleset.yaml @@ -8,7 +8,9 @@ metadata: name: roleset spec: forProvider: - backend: ${vault_gcp_secret_backend.gcp.path} + backendSelector: + matchLabels: + testing.upbound.io/example-name: gcp binding: - resource: //cloudresourcemanager.googleapis.com/projects/${local.project} roles: diff --git a/examples-generated/gcp/secretstaticaccount.yaml b/examples-generated/gcp/v1alpha1/secretstaticaccount.yaml similarity index 92% rename from examples-generated/gcp/secretstaticaccount.yaml rename to examples-generated/gcp/v1alpha1/secretstaticaccount.yaml index 1d27f0f9..f0955828 100644 --- a/examples-generated/gcp/secretstaticaccount.yaml +++ b/examples-generated/gcp/v1alpha1/secretstaticaccount.yaml 
@@ -8,7 +8,9 @@ metadata: name: static-account spec: forProvider: - backend: ${vault_gcp_secret_backend.gcp.path} + backendSelector: + matchLabels: + testing.upbound.io/example-name: gcp binding: - resource: //cloudresourcemanager.googleapis.com/projects/${google_service_account.this.project} roles: diff --git a/examples-generated/generic/endpoint.yaml b/examples-generated/generic/v1alpha1/endpoint.yaml similarity index 100% rename from examples-generated/generic/endpoint.yaml rename to examples-generated/generic/v1alpha1/endpoint.yaml diff --git a/examples-generated/generic/secret.yaml b/examples-generated/generic/v1alpha1/secret.yaml similarity index 100% rename from examples-generated/generic/secret.yaml rename to examples-generated/generic/v1alpha1/secret.yaml diff --git a/examples-generated/github/authbackend.yaml b/examples-generated/github/v1alpha1/authbackend.yaml similarity index 100% rename from examples-generated/github/authbackend.yaml rename to examples-generated/github/v1alpha1/authbackend.yaml diff --git a/examples-generated/github/team.yaml b/examples-generated/github/v1alpha1/team.yaml similarity index 86% rename from examples-generated/github/team.yaml rename to examples-generated/github/v1alpha1/team.yaml index 5cac6116..bfe2d43e 100644 --- a/examples-generated/github/team.yaml +++ b/examples-generated/github/v1alpha1/team.yaml @@ -8,7 +8,9 @@ metadata: name: tf-devs spec: forProvider: - backend: ${vault_github_auth_backend.example.id} + backendSelector: + matchLabels: + testing.upbound.io/example-name: example policies: - developer - read-only diff --git a/examples-generated/github/user.yaml b/examples-generated/github/v1alpha1/user.yaml similarity index 86% rename from examples-generated/github/user.yaml rename to examples-generated/github/v1alpha1/user.yaml index 99adbab4..fcebcbbe 100644 --- a/examples-generated/github/user.yaml +++ b/examples-generated/github/v1alpha1/user.yaml 
@@ -8,7 +8,9 @@ metadata: name: tf-user spec: forProvider: - backend: ${vault_github_auth_backend.example.id} + backendSelector: + matchLabels: + testing.upbound.io/example-name: example policies: - developer - read-only diff --git a/examples-generated/identity/entity.yaml b/examples-generated/identity/v1alpha1/entity.yaml similarity index 100% rename from examples-generated/identity/entity.yaml rename to examples-generated/identity/v1alpha1/entity.yaml diff --git a/examples-generated/identity/entityalias.yaml b/examples-generated/identity/v1alpha1/entityalias.yaml similarity index 100% rename from examples-generated/identity/entityalias.yaml rename to examples-generated/identity/v1alpha1/entityalias.yaml diff --git a/examples-generated/identity/entitypolicies.yaml b/examples-generated/identity/v1alpha1/entitypolicies.yaml similarity index 87% rename from examples-generated/identity/entitypolicies.yaml rename to examples-generated/identity/v1alpha1/entitypolicies.yaml index 29ad6093..480e05a3 100644 --- a/examples-generated/identity/entitypolicies.yaml +++ b/examples-generated/identity/v1alpha1/entitypolicies.yaml @@ -8,7 +8,9 @@ metadata: name: policies spec: forProvider: - entityId: ${vault_identity_entity.entity.id} + entityIdSelector: + matchLabels: + testing.upbound.io/example-name: entity exclusive: true policies: - default diff --git a/examples-generated/identity/group.yaml b/examples-generated/identity/v1alpha1/group.yaml similarity index 100% rename from examples-generated/identity/group.yaml rename to examples-generated/identity/v1alpha1/group.yaml diff --git a/examples-generated/identity/groupalias.yaml b/examples-generated/identity/v1alpha1/groupalias.yaml similarity index 82% rename from examples-generated/identity/groupalias.yaml rename to examples-generated/identity/v1alpha1/groupalias.yaml index 84d0819f..ce59525c 100644 --- a/examples-generated/identity/groupalias.yaml +++ b/examples-generated/identity/v1alpha1/groupalias.yaml 
@@ -8,8 +8,12 @@ metadata: name: group-alias spec: forProvider: - canonicalId: ${vault_identity_group.group.id} - mountAccessor: ${vault_auth_backend.github.accessor} + canonicalIdSelector: + matchLabels: + testing.upbound.io/example-name: group + mountAccessorSelector: + matchLabels: + testing.upbound.io/example-name: github name: Github_Team_Slug --- diff --git a/examples-generated/identity/groupmemberentityids.yaml b/examples-generated/identity/v1alpha1/groupmemberentityids.yaml similarity index 91% rename from examples-generated/identity/groupmemberentityids.yaml rename to examples-generated/identity/v1alpha1/groupmemberentityids.yaml index 05112e11..130b0438 100644 --- a/examples-generated/identity/groupmemberentityids.yaml +++ b/examples-generated/identity/v1alpha1/groupmemberentityids.yaml @@ -9,7 +9,9 @@ metadata: spec: forProvider: exclusive: true - groupId: ${vault_identity_group.internal.id} + groupIdSelector: + matchLabels: + testing.upbound.io/example-name: internal memberEntityIds: - ${vault_identity_entity.user.id} diff --git a/examples-generated/identity/groupmembergroupids.yaml b/examples-generated/identity/v1alpha1/groupmembergroupids.yaml similarity index 91% rename from examples-generated/identity/groupmembergroupids.yaml rename to examples-generated/identity/v1alpha1/groupmembergroupids.yaml index eb1ec279..30eca25a 100644 --- a/examples-generated/identity/groupmembergroupids.yaml +++ b/examples-generated/identity/v1alpha1/groupmembergroupids.yaml @@ -9,7 +9,9 @@ metadata: spec: forProvider: exclusive: true - groupId: ${vault_identity_group.internal.id} + groupIdSelector: + matchLabels: + testing.upbound.io/example-name: internal memberGroupIds: - ${vault_identity_group.users.id} 
diff --git a/examples-generated/identity/grouppolicies.yaml b/examples-generated/identity/v1alpha1/grouppolicies.yaml similarity index 87% rename from examples-generated/identity/grouppolicies.yaml rename to examples-generated/identity/v1alpha1/grouppolicies.yaml index 0c080067..c74586c2 100644 --- a/examples-generated/identity/grouppolicies.yaml +++ b/examples-generated/identity/v1alpha1/grouppolicies.yaml @@ -9,7 +9,9 @@ metadata: spec: forProvider: exclusive: true - groupId: ${vault_identity_group.internal.id} + groupIdSelector: + matchLabels: + testing.upbound.io/example-name: internal policies: - default - test diff --git a/examples-generated/identity/mfaduo.yaml b/examples-generated/identity/v1alpha1/mfaduo.yaml similarity index 100% rename from examples-generated/identity/mfaduo.yaml rename to examples-generated/identity/v1alpha1/mfaduo.yaml diff --git a/examples-generated/identity/mfaloginenforcement.yaml b/examples-generated/identity/v1alpha1/mfaloginenforcement.yaml similarity index 100% rename from examples-generated/identity/mfaloginenforcement.yaml rename to examples-generated/identity/v1alpha1/mfaloginenforcement.yaml diff --git a/examples-generated/identity/mfaokta.yaml b/examples-generated/identity/v1alpha1/mfaokta.yaml similarity index 100% rename from examples-generated/identity/mfaokta.yaml rename to examples-generated/identity/v1alpha1/mfaokta.yaml diff --git a/examples-generated/identity/mfapingid.yaml b/examples-generated/identity/v1alpha1/mfapingid.yaml similarity index 100% rename from examples-generated/identity/mfapingid.yaml rename to examples-generated/identity/v1alpha1/mfapingid.yaml diff --git a/examples-generated/identity/mfatotp.yaml b/examples-generated/identity/v1alpha1/mfatotp.yaml similarity index 100% rename from examples-generated/identity/mfatotp.yaml rename to examples-generated/identity/v1alpha1/mfatotp.yaml 
diff --git a/examples-generated/identity/oidc.yaml b/examples-generated/identity/v1alpha1/oidc.yaml similarity index 100% rename from examples-generated/identity/oidc.yaml rename to examples-generated/identity/v1alpha1/oidc.yaml diff --git a/examples-generated/identity/oidcassignment.yaml b/examples-generated/identity/v1alpha1/oidcassignment.yaml similarity index 100% rename from examples-generated/identity/oidcassignment.yaml rename to examples-generated/identity/v1alpha1/oidcassignment.yaml diff --git a/examples-generated/identity/oidcclient.yaml b/examples-generated/identity/v1alpha1/oidcclient.yaml similarity index 100% rename from examples-generated/identity/oidcclient.yaml rename to examples-generated/identity/v1alpha1/oidcclient.yaml diff --git a/examples-generated/identity/oidckey.yaml b/examples-generated/identity/v1alpha1/oidckey.yaml similarity index 74% rename from examples-generated/identity/oidckey.yaml rename to examples-generated/identity/v1alpha1/oidckey.yaml index 5666a436..9f53bfc3 100644 --- a/examples-generated/identity/oidckey.yaml +++ b/examples-generated/identity/v1alpha1/oidckey.yaml @@ -23,8 +23,12 @@ metadata: name: role spec: forProvider: - allowedClientId: ${vault_identity_oidc_role.role.client_id} - keyName: key + allowedClientIdSelector: + matchLabels: + testing.upbound.io/example-name: role + keyNameSelector: + matchLabels: + testing.upbound.io/example-name: key --- @@ -38,5 +42,7 @@ metadata: name: role spec: forProvider: - key: key + keySelector: + matchLabels: + testing.upbound.io/example-name: key name: role diff --git a/examples-generated/identity/oidckeyallowedclientid.yaml b/examples-generated/identity/v1alpha1/oidckeyallowedclientid.yaml similarity index 75% rename from examples-generated/identity/oidckeyallowedclientid.yaml rename to examples-generated/identity/v1alpha1/oidckeyallowedclientid.yaml index d0055caf..e9b47b8e 100644 --- a/examples-generated/identity/oidckeyallowedclientid.yaml 
+++ b/examples-generated/identity/v1alpha1/oidckeyallowedclientid.yaml @@ -8,8 +8,12 @@ metadata: name: role spec: forProvider: - allowedClientId: ${vault_identity_oidc_role.role.client_id} - keyName: key + allowedClientIdSelector: + matchLabels: + testing.upbound.io/example-name: role + keyNameSelector: + matchLabels: + testing.upbound.io/example-name: key --- @@ -38,5 +42,7 @@ metadata: name: role spec: forProvider: - key: key + keySelector: + matchLabels: + testing.upbound.io/example-name: example name: role diff --git a/examples-generated/identity/oidcprovider.yaml b/examples-generated/identity/v1alpha1/oidcprovider.yaml similarity index 100% rename from examples-generated/identity/oidcprovider.yaml rename to examples-generated/identity/v1alpha1/oidcprovider.yaml diff --git a/examples-generated/identity/oidcrole.yaml b/examples-generated/identity/v1alpha1/oidcrole.yaml similarity index 87% rename from examples-generated/identity/oidcrole.yaml rename to examples-generated/identity/v1alpha1/oidcrole.yaml index 62e66b24..3a7ed242 100644 --- a/examples-generated/identity/oidcrole.yaml +++ b/examples-generated/identity/v1alpha1/oidcrole.yaml @@ -8,7 +8,9 @@ metadata: name: role spec: forProvider: - key: ${var.key} + keySelector: + matchLabels: + testing.upbound.io/example-name: example name: role --- diff --git a/examples-generated/identity/oidcscope.yaml b/examples-generated/identity/v1alpha1/oidcscope.yaml similarity index 100% rename from examples-generated/identity/oidcscope.yaml rename to examples-generated/identity/v1alpha1/oidcscope.yaml diff --git a/examples-generated/jwt/authbackend.yaml b/examples-generated/jwt/v1alpha1/authbackend.yaml similarity index 100% rename from examples-generated/jwt/authbackend.yaml rename to examples-generated/jwt/v1alpha1/authbackend.yaml 
diff --git a/examples-generated/jwt/authbackendrole.yaml b/examples-generated/jwt/v1alpha1/authbackendrole.yaml similarity index 89% rename from examples-generated/jwt/authbackendrole.yaml rename to examples-generated/jwt/v1alpha1/authbackendrole.yaml index 314e6cc3..07b0014b 100644 --- a/examples-generated/jwt/authbackendrole.yaml +++ b/examples-generated/jwt/v1alpha1/authbackendrole.yaml @@ -8,7 +8,9 @@ metadata: name: example spec: forProvider: - backend: jwt + backendSelector: + matchLabels: + testing.upbound.io/example-name: jwt boundAudiences: - https://myco.test boundClaims: diff --git a/examples-generated/kmip/secretbackend.yaml b/examples-generated/kmip/v1alpha1/secretbackend.yaml similarity index 100% rename from examples-generated/kmip/secretbackend.yaml rename to examples-generated/kmip/v1alpha1/secretbackend.yaml diff --git a/examples-generated/kmip/secretrole.yaml b/examples-generated/kmip/v1alpha1/secretrole.yaml similarity index 79% rename from examples-generated/kmip/secretrole.yaml rename to examples-generated/kmip/v1alpha1/secretrole.yaml index 24623559..100bf903 100644 --- a/examples-generated/kmip/secretrole.yaml +++ b/examples-generated/kmip/v1alpha1/secretrole.yaml @@ -13,9 +13,13 @@ spec: operationDestroy: true operationGet: true operationGetAttributes: true - path: kmip + pathSelector: + matchLabels: + testing.upbound.io/example-name: dev role: admin - scope: dev + scopeSelector: + matchLabels: + testing.upbound.io/example-name: dev tlsClientKeyBits: 256 tlsClientKeyType: ec @@ -47,5 +51,7 @@ metadata: spec: forProvider: force: true - path: kmip + pathSelector: + matchLabels: + testing.upbound.io/example-name: example scope: dev diff --git a/examples-generated/kmip/secretscope.yaml b/examples-generated/kmip/v1alpha1/secretscope.yaml similarity index 86% rename from examples-generated/kmip/secretscope.yaml rename to examples-generated/kmip/v1alpha1/secretscope.yaml index 1ed88f1e..f6599552 100644 
--- a/examples-generated/kmip/secretscope.yaml +++ b/examples-generated/kmip/v1alpha1/secretscope.yaml @@ -9,7 +9,9 @@ metadata: spec: forProvider: force: true - path: kmip + pathSelector: + matchLabels: + testing.upbound.io/example-name: default scope: dev --- diff --git a/examples-generated/kubernetes/authbackendconfig.yaml b/examples-generated/kubernetes/v1alpha1/authbackendconfig.yaml similarity index 90% rename from examples-generated/kubernetes/authbackendconfig.yaml rename to examples-generated/kubernetes/v1alpha1/authbackendconfig.yaml index 6800139c..35d18ffd 100644 --- a/examples-generated/kubernetes/authbackendconfig.yaml +++ b/examples-generated/kubernetes/v1alpha1/authbackendconfig.yaml @@ -8,7 +8,9 @@ metadata: name: example spec: forProvider: - backend: cert + backendSelector: + matchLabels: + testing.upbound.io/example-name: kubernetes disableIssValidation: "true" issuer: api kubernetesCaCert: |- diff --git a/examples-generated/kubernetes/authbackendrole.yaml b/examples-generated/kubernetes/v1alpha1/authbackendrole.yaml similarity index 88% rename from examples-generated/kubernetes/authbackendrole.yaml rename to examples-generated/kubernetes/v1alpha1/authbackendrole.yaml index 1ba11a57..63832b71 100644 --- a/examples-generated/kubernetes/authbackendrole.yaml +++ b/examples-generated/kubernetes/v1alpha1/authbackendrole.yaml @@ -9,7 +9,9 @@ metadata: spec: forProvider: audience: vault - backend: cert + backendSelector: + matchLabels: + testing.upbound.io/example-name: kubernetes boundServiceAccountNames: - example boundServiceAccountNamespaces: diff --git a/examples-generated/kubernetes/secretbackend.yaml b/examples-generated/kubernetes/v1alpha1/secretbackend.yaml similarity index 100% rename from examples-generated/kubernetes/secretbackend.yaml rename to examples-generated/kubernetes/v1alpha1/secretbackend.yaml 
diff --git a/examples-generated/kubernetes/secretbackendrole.yaml b/examples-generated/kubernetes/v1alpha1/secretbackendrole.yaml similarity index 92% rename from examples-generated/kubernetes/secretbackendrole.yaml rename to examples-generated/kubernetes/v1alpha1/secretbackendrole.yaml index 95161338..614a4bc1 100644 --- a/examples-generated/kubernetes/secretbackendrole.yaml +++ b/examples-generated/kubernetes/v1alpha1/secretbackendrole.yaml @@ -10,7 +10,9 @@ spec: forProvider: allowedKubernetesNamespaces: - '*' - backend: kubernetes + backendSelector: + matchLabels: + testing.upbound.io/example-name: config extraAnnotations: env: development location: earth diff --git a/examples-generated/kv/secret.yaml b/examples-generated/kv/v1alpha1/secret.yaml similarity index 100% rename from examples-generated/kv/secret.yaml rename to examples-generated/kv/v1alpha1/secret.yaml diff --git a/examples-generated/kv/secretbackendv2.yaml b/examples-generated/kv/v1alpha1/secretbackendv2.yaml similarity index 88% rename from examples-generated/kv/secretbackendv2.yaml rename to examples-generated/kv/v1alpha1/secretbackendv2.yaml index d8f8e410..65724ab9 100644 --- a/examples-generated/kv/secretbackendv2.yaml +++ b/examples-generated/kv/v1alpha1/secretbackendv2.yaml @@ -11,7 +11,9 @@ spec: casRequired: true deleteVersionAfter: 12600 maxVersions: 5 - mount: dummy + mountSelector: + matchLabels: + testing.upbound.io/example-name: kvv2 --- diff --git a/examples-generated/kv/secretv2.yaml b/examples-generated/kv/v1alpha1/secretv2.yaml similarity index 90% rename from examples-generated/kv/secretv2.yaml rename to examples-generated/kv/v1alpha1/secretv2.yaml index 5118be5e..52995f09 100644 --- a/examples-generated/kv/secretv2.yaml +++ b/examples-generated/kv/v1alpha1/secretv2.yaml @@ -19,7 +19,9 @@ spec: name: example-secret namespace: upbound-system deleteAllVersions: true - mount: dummy + mountSelector: + matchLabels: + testing.upbound.io/example-name: kvv2 name: secret --- 
diff --git a/examples-generated/managed/keys.yaml b/examples-generated/managed/v1alpha1/keys.yaml similarity index 100% rename from examples-generated/managed/keys.yaml rename to examples-generated/managed/v1alpha1/keys.yaml diff --git a/examples-generated/mfa/duo.yaml b/examples-generated/mfa/v1alpha1/duo.yaml similarity index 88% rename from examples-generated/mfa/duo.yaml rename to examples-generated/mfa/v1alpha1/duo.yaml index c641194d..da2e818f 100644 --- a/examples-generated/mfa/duo.yaml +++ b/examples-generated/mfa/v1alpha1/duo.yaml @@ -13,7 +13,9 @@ spec: key: example-key name: example-secret namespace: upbound-system - mountAccessor: ${vault_auth_backend.userpass.accessor} + mountAccessorSelector: + matchLabels: + testing.upbound.io/example-name: userpass name: my_duo secretKeySecretRef: key: example-key diff --git a/examples-generated/mfa/okta.yaml b/examples-generated/mfa/v1alpha1/okta.yaml similarity index 87% rename from examples-generated/mfa/okta.yaml rename to examples-generated/mfa/v1alpha1/okta.yaml index 1d19d911..e937fd3e 100644 --- a/examples-generated/mfa/okta.yaml +++ b/examples-generated/mfa/v1alpha1/okta.yaml @@ -12,7 +12,9 @@ spec: key: example-key name: example-secret namespace: upbound-system - mountAccessor: ${vault_auth_backend.userpass.accessor} + mountAccessorSelector: + matchLabels: + testing.upbound.io/example-name: userpass name: my_okta orgName: hashicorp usernameFormat: user@example.com diff --git a/examples-generated/mfa/pingid.yaml b/examples-generated/mfa/v1alpha1/pingid.yaml similarity index 86% rename from examples-generated/mfa/pingid.yaml rename to examples-generated/mfa/v1alpha1/pingid.yaml index 246fbdd9..933b4d70 100644 --- a/examples-generated/mfa/pingid.yaml +++ b/examples-generated/mfa/v1alpha1/pingid.yaml 
@@ -8,7 +8,9 @@ metadata: name: my-pingid spec: forProvider: - mountAccessor: ${vault_auth_backend.userpass.accessor} + mountAccessorSelector: + matchLabels: + testing.upbound.io/example-name: userpass name: my_pingid settingsFileBase64: ${var.settings_file} usernameFormat: user@example.com diff --git a/examples-generated/mfa/totp.yaml b/examples-generated/mfa/v1alpha1/totp.yaml similarity index 100% rename from examples-generated/mfa/totp.yaml rename to examples-generated/mfa/v1alpha1/totp.yaml diff --git a/examples-generated/mongodbatlas/secretbackend.yaml b/examples-generated/mongodbatlas/v1alpha1/secretbackend.yaml similarity index 88% rename from examples-generated/mongodbatlas/secretbackend.yaml rename to examples-generated/mongodbatlas/v1alpha1/secretbackend.yaml index 41e0b4cc..f9e8660b 100644 --- a/examples-generated/mongodbatlas/secretbackend.yaml +++ b/examples-generated/mongodbatlas/v1alpha1/secretbackend.yaml @@ -8,7 +8,9 @@ metadata: name: config spec: forProvider: - mount: vault_mount.mongo.path + mountSelector: + matchLabels: + testing.upbound.io/example-name: mongo privateKey: privateKey publicKey: publicKey diff --git a/examples-generated/mongodbatlas/secretrole.yaml b/examples-generated/mongodbatlas/v1alpha1/secretrole.yaml similarity index 81% rename from examples-generated/mongodbatlas/secretrole.yaml rename to examples-generated/mongodbatlas/v1alpha1/secretrole.yaml index e9cf0b86..069aead8 100644 --- a/examples-generated/mongodbatlas/secretrole.yaml +++ b/examples-generated/mongodbatlas/v1alpha1/secretrole.yaml @@ -11,12 +11,16 @@ spec: cidrBlocks: 192.168.1.3/35 ipAddresses: 192.168.1.5, 192.168.1.6 maxTtl: "120" - mount: dummy + mountSelector: + matchLabels: + testing.upbound.io/example-name: mongo name: tf-test-role organizationId: 7cf5a45a9ccf6400e60981b7 projectId: 5cf5a45a9ccf6400e60981b6 - projectRoles: GROUP_READ_ONLY - roles: ORG_READ_ONLY + projectRoles: + - GROUP_READ_ONLY + roles: + - ORG_READ_ONLY ttl: "60" --- 
@@ -31,7 +35,9 @@ metadata: name: config spec: forProvider: - mount: vault_mount.mongo.path + mountSelector: + matchLabels: + testing.upbound.io/example-name: mongo privateKey: privateKey publicKey: publicKey diff --git a/examples-generated/nomad/secretbackend.yaml b/examples-generated/nomad/v1alpha1/secretbackend.yaml similarity index 100% rename from examples-generated/nomad/secretbackend.yaml rename to examples-generated/nomad/v1alpha1/secretbackend.yaml diff --git a/examples-generated/nomad/secretrole.yaml b/examples-generated/nomad/v1alpha1/secretrole.yaml similarity index 89% rename from examples-generated/nomad/secretrole.yaml rename to examples-generated/nomad/v1alpha1/secretrole.yaml index 5b50eed9..53351a5f 100644 --- a/examples-generated/nomad/secretrole.yaml +++ b/examples-generated/nomad/v1alpha1/secretrole.yaml @@ -8,7 +8,9 @@ metadata: name: test spec: forProvider: - backend: nomad + backendSelector: + matchLabels: + testing.upbound.io/example-name: config policies: - readonly role: test diff --git a/examples-generated/password/policy.yaml b/examples-generated/password/v1alpha1/policy.yaml similarity index 100% rename from examples-generated/password/policy.yaml rename to examples-generated/password/v1alpha1/policy.yaml diff --git a/examples-generated/pki/secretbackendcert.yaml b/examples-generated/pki/v1alpha1/secretbackendcert.yaml similarity index 60% rename from examples-generated/pki/secretbackendcert.yaml rename to examples-generated/pki/v1alpha1/secretbackendcert.yaml index 4916753e..7ee642a7 100644 --- a/examples-generated/pki/secretbackendcert.yaml +++ b/examples-generated/pki/v1alpha1/secretbackendcert.yaml @@ -8,6 +8,10 @@ metadata: name: app spec: forProvider: - backend: dummy + backendSelector: + matchLabels: + testing.upbound.io/example-name: intermediate commonName: app.my.domain - name: my_role + nameSelector: + matchLabels: + testing.upbound.io/example-name: test 
diff --git a/examples-generated/pki/secretbackendconfigca.yaml b/examples-generated/pki/v1alpha1/secretbackendconfigca.yaml similarity index 79% rename from examples-generated/pki/secretbackendconfigca.yaml rename to examples-generated/pki/v1alpha1/secretbackendconfigca.yaml index cb0c77ef..e16f97b0 100644 --- a/examples-generated/pki/secretbackendconfigca.yaml +++ b/examples-generated/pki/v1alpha1/secretbackendconfigca.yaml @@ -8,7 +8,9 @@ metadata: name: intermediate spec: forProvider: - backend: dummy + backendSelector: + matchLabels: + testing.upbound.io/example-name: intermediate pemBundleSecretRef: key: example-key name: example-secret diff --git a/examples-generated/pki/secretbackendconfigurls.yaml b/examples-generated/pki/v1alpha1/secretbackendconfigurls.yaml similarity index 88% rename from examples-generated/pki/secretbackendconfigurls.yaml rename to examples-generated/pki/v1alpha1/secretbackendconfigurls.yaml index 3212f167..36c5bf14 100644 --- a/examples-generated/pki/secretbackendconfigurls.yaml +++ b/examples-generated/pki/v1alpha1/secretbackendconfigurls.yaml @@ -8,7 +8,9 @@ metadata: name: example spec: forProvider: - backend: dummy + backendSelector: + matchLabels: + testing.upbound.io/example-name: root issuingCertificates: - http://127.0.0.1:8200/v1/pki/ca diff --git a/examples-generated/pki/secretbackendcrlconfig.yaml b/examples-generated/pki/v1alpha1/secretbackendcrlconfig.yaml similarity index 88% rename from examples-generated/pki/secretbackendcrlconfig.yaml rename to examples-generated/pki/v1alpha1/secretbackendcrlconfig.yaml index d5ec7c4e..bde625fe 100644 --- a/examples-generated/pki/secretbackendcrlconfig.yaml +++ b/examples-generated/pki/v1alpha1/secretbackendcrlconfig.yaml @@ -8,7 +8,9 @@ metadata: name: crl-config spec: forProvider: - backend: dummy + backendSelector: + matchLabels: + testing.upbound.io/example-name: pki disable: false expiry: 72h 
diff --git a/examples-generated/pki/secretbackendintermediatecertrequest.yaml b/examples-generated/pki/v1alpha1/secretbackendintermediatecertrequest.yaml similarity index 79% rename from examples-generated/pki/secretbackendintermediatecertrequest.yaml rename to examples-generated/pki/v1alpha1/secretbackendintermediatecertrequest.yaml index d8bf858c..0d5a1d8a 100644 --- a/examples-generated/pki/secretbackendintermediatecertrequest.yaml +++ b/examples-generated/pki/v1alpha1/secretbackendintermediatecertrequest.yaml @@ -8,6 +8,8 @@ metadata: name: test spec: forProvider: - backend: dummy + backendSelector: + matchLabels: + testing.upbound.io/example-name: pki commonName: app.my.domain type: internal diff --git a/examples-generated/pki/secretbackendintermediatesetsigned.yaml b/examples-generated/pki/v1alpha1/secretbackendintermediatesetsigned.yaml similarity index 84% rename from examples-generated/pki/secretbackendintermediatesetsigned.yaml rename to examples-generated/pki/v1alpha1/secretbackendintermediatesetsigned.yaml index 05d0ff0b..bd96cdd3 100644 --- a/examples-generated/pki/secretbackendintermediatesetsigned.yaml +++ b/examples-generated/pki/v1alpha1/secretbackendintermediatesetsigned.yaml @@ -8,8 +8,12 @@ metadata: name: example spec: forProvider: - backend: dummy - certificate: ${vault_pki_secret_backend_root_sign_intermediate.example.certificate} + backendSelector: + matchLabels: + testing.upbound.io/example-name: intermediate + certificateSelector: + matchLabels: + testing.upbound.io/example-name: example --- @@ -59,7 +63,9 @@ metadata: name: example spec: forProvider: - backend: pki-int + backendSelector: + matchLabels: + testing.upbound.io/example-name: example commonName: SubOrg Intermediate CA type: internal @@ -75,7 +81,9 @@ metadata: name: example spec: forProvider: - backend: pki-root + backendSelector: + matchLabels: + testing.upbound.io/example-name: example commonName: RootOrg Root CA country: US excludeCnFromSans: true 
diff --git a/examples-generated/pki/secretbackendrole.yaml b/examples-generated/pki/v1alpha1/secretbackendrole.yaml similarity index 89% rename from examples-generated/pki/secretbackendrole.yaml rename to examples-generated/pki/v1alpha1/secretbackendrole.yaml index 114e9e6c..98fcc071 100644 --- a/examples-generated/pki/secretbackendrole.yaml +++ b/examples-generated/pki/v1alpha1/secretbackendrole.yaml @@ -13,7 +13,9 @@ spec: allowedDomains: - example.com - my.domain - backend: dummy + backendSelector: + matchLabels: + testing.upbound.io/example-name: pki keyBits: 4096 keyType: rsa name: my_role diff --git a/examples-generated/pki/secretbackendrootcert.yaml b/examples-generated/pki/v1alpha1/secretbackendrootcert.yaml similarity index 84% rename from examples-generated/pki/secretbackendrootcert.yaml rename to examples-generated/pki/v1alpha1/secretbackendrootcert.yaml index d872b883..2735d8ac 100644 --- a/examples-generated/pki/secretbackendrootcert.yaml +++ b/examples-generated/pki/v1alpha1/secretbackendrootcert.yaml @@ -8,7 +8,9 @@ metadata: name: test spec: forProvider: - backend: dummy + backendSelector: + matchLabels: + testing.upbound.io/example-name: pki commonName: Root CA excludeCnFromSans: true format: pem diff --git a/examples-generated/pki/secretbackendsign.yaml b/examples-generated/pki/v1alpha1/secretbackendsign.yaml similarity index 92% rename from examples-generated/pki/secretbackendsign.yaml rename to examples-generated/pki/v1alpha1/secretbackendsign.yaml index 6816b10c..1ba27f3d 100644 --- a/examples-generated/pki/secretbackendsign.yaml +++ b/examples-generated/pki/v1alpha1/secretbackendsign.yaml @@ -8,7 +8,9 @@ metadata: name: test spec: forProvider: - backend: dummy + backendSelector: + matchLabels: + testing.upbound.io/example-name: pki commonName: test.my.domain csr: | -----BEGIN CERTIFICATE REQUEST----- 
@@ -38,4 +40,6 @@ spec: OTEc13lWf+B0PU9UJuGTsmpIuImPDVd0EVDayr3mT5dDbqTVDbe8ppf2IswABmf0 o3DybUeUmknYjl109rdSf+76nuREICHatxXgN3xCMFuBaN4WLO+ksd6Y1Ys= -----END CERTIFICATE REQUEST----- - name: my_role + nameSelector: + matchLabels: + testing.upbound.io/example-name: admin diff --git a/examples-generated/quota/leasecount.yaml b/examples-generated/quota/v1alpha1/leasecount.yaml similarity index 100% rename from examples-generated/quota/leasecount.yaml rename to examples-generated/quota/v1alpha1/leasecount.yaml diff --git a/examples-generated/quota/ratelimit.yaml b/examples-generated/quota/v1alpha1/ratelimit.yaml similarity index 100% rename from examples-generated/quota/ratelimit.yaml rename to examples-generated/quota/v1alpha1/ratelimit.yaml diff --git a/examples-generated/rabbitmq/secretbackend.yaml b/examples-generated/rabbitmq/v1alpha1/secretbackend.yaml similarity index 100% rename from examples-generated/rabbitmq/secretbackend.yaml rename to examples-generated/rabbitmq/v1alpha1/secretbackend.yaml diff --git a/examples-generated/rabbitmq/secretbackendrole.yaml b/examples-generated/rabbitmq/v1alpha1/secretbackendrole.yaml similarity index 91% rename from examples-generated/rabbitmq/secretbackendrole.yaml rename to examples-generated/rabbitmq/v1alpha1/secretbackendrole.yaml index bea9f9c0..5815b678 100644 --- a/examples-generated/rabbitmq/secretbackendrole.yaml +++ b/examples-generated/rabbitmq/v1alpha1/secretbackendrole.yaml @@ -8,7 +8,9 @@ metadata: name: role spec: forProvider: - backend: ${vault_rabbitmq_secret_backend.rabbitmq.path} + backendSelector: + matchLabels: + testing.upbound.io/example-name: rabbitmq name: deploy tags: tag1,tag2 vhost: diff --git a/examples-generated/raft/autopilot.yaml b/examples-generated/raft/v1alpha1/autopilot.yaml similarity index 100% rename from examples-generated/raft/autopilot.yaml rename to examples-generated/raft/v1alpha1/autopilot.yaml 
diff --git a/examples-generated/raft/snapshotagentconfig.yaml b/examples-generated/raft/v1alpha1/snapshotagentconfig.yaml similarity index 100% rename from examples-generated/raft/snapshotagentconfig.yaml rename to examples-generated/raft/v1alpha1/snapshotagentconfig.yaml diff --git a/examples-generated/rgp/policy.yaml b/examples-generated/rgp/v1alpha1/policy.yaml similarity index 100% rename from examples-generated/rgp/policy.yaml rename to examples-generated/rgp/v1alpha1/policy.yaml diff --git a/examples-generated/ssh/secretbackendca.yaml b/examples-generated/ssh/v1alpha1/secretbackendca.yaml similarity index 84% rename from examples-generated/ssh/secretbackendca.yaml rename to examples-generated/ssh/v1alpha1/secretbackendca.yaml index 73484e56..3acead41 100644 --- a/examples-generated/ssh/secretbackendca.yaml +++ b/examples-generated/ssh/v1alpha1/secretbackendca.yaml @@ -8,7 +8,9 @@ metadata: name: foo spec: forProvider: - backend: dummy + backendSelector: + matchLabels: + testing.upbound.io/example-name: example --- diff --git a/examples-generated/ssh/secretbackendrole.yaml b/examples-generated/ssh/v1alpha1/secretbackendrole.yaml similarity index 86% rename from examples-generated/ssh/secretbackendrole.yaml rename to examples-generated/ssh/v1alpha1/secretbackendrole.yaml index a5c0f1a0..b0f5d13e 100644 --- a/examples-generated/ssh/secretbackendrole.yaml +++ b/examples-generated/ssh/v1alpha1/secretbackendrole.yaml @@ -9,7 +9,9 @@ metadata: spec: forProvider: allowUserCertificates: true - backend: dummy + backendSelector: + matchLabels: + testing.upbound.io/example-name: example keyType: ca name: my-role diff --git a/examples-generated/terraform/cloudsecretbackend.yaml b/examples-generated/terraform/v1alpha1/cloudsecretbackend.yaml similarity index 100% rename from examples-generated/terraform/cloudsecretbackend.yaml rename to examples-generated/terraform/v1alpha1/cloudsecretbackend.yaml 
diff --git a/examples-generated/terraform/cloudsecretcreds.yaml b/examples-generated/terraform/v1alpha1/cloudsecretcreds.yaml similarity index 79% rename from examples-generated/terraform/cloudsecretcreds.yaml rename to examples-generated/terraform/v1alpha1/cloudsecretcreds.yaml index 37463d33..10921fe0 100644 --- a/examples-generated/terraform/cloudsecretcreds.yaml +++ b/examples-generated/terraform/v1alpha1/cloudsecretcreds.yaml @@ -8,8 +8,12 @@ metadata: name: token spec: forProvider: - backend: terraform - role: test-role + backendSelector: + matchLabels: + testing.upbound.io/example-name: test + roleSelector: + matchLabels: + testing.upbound.io/example-name: example --- @@ -42,7 +46,9 @@ metadata: name: example spec: forProvider: - backend: terraform + backendSelector: + matchLabels: + testing.upbound.io/example-name: example name: test-role organization: example-organization-name teamId: team-ieF4isC... diff --git a/examples-generated/terraform/cloudsecretrole.yaml b/examples-generated/terraform/v1alpha1/cloudsecretrole.yaml similarity index 90% rename from examples-generated/terraform/cloudsecretrole.yaml rename to examples-generated/terraform/v1alpha1/cloudsecretrole.yaml index bd480320..8ee2e71b 100644 --- a/examples-generated/terraform/cloudsecretrole.yaml +++ b/examples-generated/terraform/v1alpha1/cloudsecretrole.yaml @@ -8,7 +8,9 @@ metadata: name: example spec: forProvider: - backend: terraform + backendSelector: + matchLabels: + testing.upbound.io/example-name: test name: test-role organization: example-organization-name teamId: team-ieF4isC... diff --git a/examples-generated/token/authbackendrole.yaml b/examples-generated/token/v1alpha1/authbackendrole.yaml similarity index 100% rename from examples-generated/token/authbackendrole.yaml rename to examples-generated/token/v1alpha1/authbackendrole.yaml 
diff --git a/examples-generated/transform/alphabet.yaml b/examples-generated/transform/v1alpha1/alphabet.yaml similarity index 85% rename from examples-generated/transform/alphabet.yaml rename to examples-generated/transform/v1alpha1/alphabet.yaml index 1c20a644..92587247 100644 --- a/examples-generated/transform/alphabet.yaml +++ b/examples-generated/transform/v1alpha1/alphabet.yaml @@ -10,7 +10,9 @@ spec: forProvider: alphabet: "0123456789" name: numerics - path: dummy + pathSelector: + matchLabels: + testing.upbound.io/example-name: mount_transform --- diff --git a/examples-generated/transform/role.yaml b/examples-generated/transform/v1alpha1/role.yaml similarity index 85% rename from examples-generated/transform/role.yaml rename to examples-generated/transform/v1alpha1/role.yaml index d259f2b6..10ddfffb 100644 --- a/examples-generated/transform/role.yaml +++ b/examples-generated/transform/v1alpha1/role.yaml @@ -9,7 +9,9 @@ metadata: spec: forProvider: name: payments - path: dummy + pathSelector: + matchLabels: + testing.upbound.io/example-name: mount_transform transformations: - ccn-fpe diff --git a/examples-generated/transform/template.yaml b/examples-generated/transform/v1alpha1/template.yaml similarity index 85% rename from examples-generated/transform/template.yaml rename to examples-generated/transform/v1alpha1/template.yaml index 743fe9f1..d166bdaa 100644 --- a/examples-generated/transform/template.yaml +++ b/examples-generated/transform/v1alpha1/template.yaml @@ -13,7 +13,9 @@ spec: last-four-digits: $4 encodeFormat: $1-$2-$3-$4 name: ccn - path: dummy + pathSelector: + matchLabels: + testing.upbound.io/example-name: numerics pattern: (\d{4})[- ](\d{4})[- ](\d{4})[- ](\d{4}) type: regex @@ -46,4 +48,6 @@ spec: forProvider: alphabet: "0123456789" name: numerics - path: transform + pathSelector: + matchLabels: + testing.upbound.io/example-name: example 
diff --git a/examples-generated/transform/transformation.yaml b/examples-generated/transform/v1alpha1/transformation.yaml similarity index 88% rename from examples-generated/transform/transformation.yaml rename to examples-generated/transform/v1alpha1/transformation.yaml index 20265863..b2474866 100644 --- a/examples-generated/transform/transformation.yaml +++ b/examples-generated/transform/v1alpha1/transformation.yaml @@ -11,7 +11,9 @@ spec: allowedRoles: - payments name: ccn-fpe - path: dummy + pathSelector: + matchLabels: + testing.upbound.io/example-name: example template: ccn tweakSource: internal type: fpe diff --git a/examples-generated/transit/secretbackendkey.yaml b/examples-generated/transit/v1alpha1/secretbackendkey.yaml similarity index 87% rename from examples-generated/transit/secretbackendkey.yaml rename to examples-generated/transit/v1alpha1/secretbackendkey.yaml index d48af0f2..5dde1ee2 100644 --- a/examples-generated/transit/secretbackendkey.yaml +++ b/examples-generated/transit/v1alpha1/secretbackendkey.yaml @@ -8,7 +8,9 @@ metadata: name: key spec: forProvider: - backend: dummy + backendSelector: + matchLabels: + testing.upbound.io/example-name: transit name: my_key --- diff --git a/examples-generated/vault/audit.yaml b/examples-generated/vault/v1alpha1/audit.yaml similarity index 100% rename from examples-generated/vault/audit.yaml rename to examples-generated/vault/v1alpha1/audit.yaml diff --git a/examples-generated/vault/mount.yaml b/examples-generated/vault/v1alpha1/mount.yaml similarity index 100% rename from examples-generated/vault/mount.yaml rename to examples-generated/vault/v1alpha1/mount.yaml diff --git a/examples-generated/vault/policy.yaml b/examples-generated/vault/v1alpha1/policy.yaml similarity index 100% rename from examples-generated/vault/policy.yaml rename to examples-generated/vault/v1alpha1/policy.yaml 
diff --git a/examples-generated/vault/token.yaml b/examples-generated/vault/v1alpha1/token.yaml similarity index 100% rename from examples-generated/vault/token.yaml rename to examples-generated/vault/v1alpha1/token.yaml diff --git a/examples-generated/vault/vaultnamespace.yaml b/examples-generated/vault/v1alpha1/vaultnamespace.yaml similarity index 100% rename from examples-generated/vault/vaultnamespace.yaml rename to examples-generated/vault/v1alpha1/vaultnamespace.yaml diff --git a/go.mod b/go.mod index 5efdf78c..8b347170 100644 --- a/go.mod +++ b/go.mod 
@@ -1,135 +1,230 @@ module github.com/upbound/provider-vault -go 1.20 +go 1.21 require ( - github.com/crossplane/crossplane-runtime v0.20.0 - github.com/crossplane/crossplane-tools v0.0.0-20230714144037-2684f4bc7638 + dario.cat/mergo v1.0.1 + github.com/crossplane/crossplane-runtime v1.16.0 + github.com/crossplane/crossplane-tools v0.0.0-20240522174801-1ad3d4c87f21 + github.com/crossplane/upjet v1.4.1-0.20240911184956-3afbb7796d46 + github.com/hashicorp/terraform-json v0.22.1 + github.com/hashicorp/terraform-plugin-sdk/v2 v2.33.0 + github.com/hashicorp/terraform-provider-vault v1.9.1-0.20241010163921-0318b6b4523e github.com/pkg/errors v0.9.1 - github.com/upbound/upjet v0.9.0-rc.0.0.20230801094152-39dcb37efd81 gopkg.in/alecthomas/kingpin.v2 v2.2.6 - k8s.io/apimachinery v0.27.3 - k8s.io/client-go v0.27.3 - sigs.k8s.io/controller-runtime v0.15.0 - sigs.k8s.io/controller-tools v0.12.1 + k8s.io/apimachinery v0.29.1 + k8s.io/client-go v0.29.1 + sigs.k8s.io/controller-runtime v0.17.0 + sigs.k8s.io/controller-tools v0.14.0 ) require ( - dario.cat/mergo v1.0.0 // indirect + cloud.google.com/go/compute v1.23.3 // indirect + cloud.google.com/go/compute/metadata v0.2.3 // indirect + cloud.google.com/go/iam v1.1.5 // indirect + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 // indirect + github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0 // indirect + github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect + github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect + github.com/Microsoft/go-winio v0.6.1 // indirect + github.com/ProtonMail/go-crypto v1.1.0-alpha.0 // indirect github.com/agext/levenshtein v1.2.3 // indirect + github.com/alecthomas/kingpin/v2 v2.4.0 // indirect github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 // indirect 
github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137 // indirect github.com/antchfx/htmlquery v1.2.4 // indirect github.com/antchfx/xpath v1.2.0 // indirect - github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect + github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect + github.com/armon/go-metrics v0.4.1 // indirect + github.com/armon/go-radix v1.0.0 // indirect + github.com/aws/aws-sdk-go v1.50.13 // indirect github.com/beorn7/perks v1.0.1 // indirect - github.com/cenkalti/backoff/v3 v3.0.0 // indirect + github.com/blang/semver/v4 v4.0.0 // indirect + github.com/cenkalti/backoff/v3 v3.2.2 // indirect + github.com/cenkalti/backoff/v4 v4.2.1 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect - github.com/dave/jennifer v1.4.1 // indirect - github.com/davecgh/go-spew v1.1.1 // indirect - github.com/emicklei/go-restful/v3 v3.10.2 // indirect - github.com/evanphx/json-patch/v5 v5.6.0 // indirect + github.com/cloudflare/circl v1.3.7 // indirect + github.com/coreos/go-oidc/v3 v3.10.0 // indirect + github.com/dave/jennifer v1.7.0 // indirect + github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect + github.com/distribution/reference v0.6.0 // indirect + github.com/docker/docker v25.0.6+incompatible // indirect + github.com/docker/go-connections v0.5.0 // indirect + github.com/docker/go-units v0.5.0 // indirect + github.com/emicklei/go-restful/v3 v3.11.0 // indirect + github.com/evanphx/json-patch v5.6.0+incompatible // indirect + github.com/evanphx/json-patch/v5 v5.8.0 // indirect github.com/fatih/camelcase v1.0.0 // indirect - github.com/fatih/color v1.15.0 // indirect - github.com/fsnotify/fsnotify v1.6.0 // indirect - github.com/go-jose/go-jose/v3 v3.0.0 // indirect - github.com/go-logr/logr v1.2.4 // indirect - github.com/go-logr/zapr v1.2.4 // indirect + github.com/fatih/color v1.16.0 // indirect + github.com/felixge/httpsnoop v1.0.4 // indirect + github.com/fsnotify/fsnotify v1.7.0 // indirect + 
github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect + github.com/go-jose/go-jose/v3 v3.0.3 // indirect + github.com/go-jose/go-jose/v4 v4.0.1 // indirect + github.com/go-ldap/ldap/v3 v3.4.6 // indirect + github.com/go-logr/logr v1.4.1 // indirect + github.com/go-logr/stdr v1.2.2 // indirect + github.com/go-logr/zapr v1.3.0 // indirect github.com/go-openapi/jsonpointer v0.19.6 // indirect github.com/go-openapi/jsonreference v0.20.2 // indirect github.com/go-openapi/swag v0.22.3 // indirect github.com/gobuffalo/flect v1.0.2 // indirect github.com/gogo/protobuf v1.3.2 // indirect + github.com/golang-jwt/jwt/v5 v5.2.1 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/mock v1.6.0 // indirect - github.com/golang/protobuf v1.5.3 // indirect - github.com/google/gnostic v0.6.9 // indirect - github.com/google/go-cmp v0.5.9 // indirect + github.com/golang/protobuf v1.5.4 // indirect + github.com/golang/snappy v0.0.4 // indirect + github.com/google/gnostic-models v0.6.8 // indirect + github.com/google/go-cmp v0.6.0 // indirect github.com/google/gofuzz v1.2.0 // indirect - github.com/google/uuid v1.3.0 // indirect + github.com/google/s2a-go v0.1.7 // indirect + github.com/google/uuid v1.6.0 // indirect + github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect + github.com/googleapis/gax-go/v2 v2.12.0 // indirect + github.com/gosimple/slug v1.13.1 // indirect + github.com/gosimple/unidecode v1.0.1 // indirect + github.com/hashicorp/cap v0.6.0 // indirect + github.com/hashicorp/cap/ldap v0.0.0-20240328153749-fcfe271d0227 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect + github.com/hashicorp/go-checkpoint v0.5.0 // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect - github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320 // indirect - github.com/hashicorp/go-hclog v1.2.1 // indirect + github.com/hashicorp/go-cty v1.4.1-0.20200723130312-85980079f637 // indirect + 
github.com/hashicorp/go-hclog v1.6.3 // indirect + github.com/hashicorp/go-immutable-radix v1.3.1 // indirect + github.com/hashicorp/go-kms-wrapping/entropy/v2 v2.0.1 // indirect + github.com/hashicorp/go-kms-wrapping/v2 v2.0.16 // indirect github.com/hashicorp/go-multierror v1.1.1 // indirect - github.com/hashicorp/go-retryablehttp v0.7.1 // indirect + github.com/hashicorp/go-plugin v1.6.0 // indirect + github.com/hashicorp/go-retryablehttp v0.7.7 // indirect github.com/hashicorp/go-rootcerts v1.0.2 // indirect - github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 // indirect + github.com/hashicorp/go-secure-stdlib/awsutil v0.3.0 // indirect + github.com/hashicorp/go-secure-stdlib/base62 v0.1.2 // indirect + github.com/hashicorp/go-secure-stdlib/mlock v0.1.3 // indirect + github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8 // indirect + github.com/hashicorp/go-secure-stdlib/plugincontainer v0.3.0 // indirect github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect - github.com/hashicorp/go-sockaddr v1.0.2 // indirect + github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.3 // indirect + github.com/hashicorp/go-sockaddr v1.0.6 // indirect github.com/hashicorp/go-uuid v1.0.3 // indirect github.com/hashicorp/go-version v1.6.0 // indirect - github.com/hashicorp/hcl v1.0.0 // indirect - github.com/hashicorp/hcl/v2 v2.14.1 // indirect + github.com/hashicorp/golang-lru v1.0.2 // indirect + github.com/hashicorp/hc-install v0.6.3 // indirect + github.com/hashicorp/hcl v1.0.1-vault-5 // indirect + github.com/hashicorp/hcl/v2 v2.19.1 // indirect github.com/hashicorp/logutils v1.0.0 // indirect - github.com/hashicorp/terraform-json v0.14.0 // indirect - github.com/hashicorp/terraform-plugin-go v0.14.0 // indirect - github.com/hashicorp/terraform-plugin-log v0.7.0 // indirect - github.com/hashicorp/terraform-plugin-sdk/v2 v2.24.0 // indirect - github.com/hashicorp/vault/api v1.9.2 // indirect + github.com/hashicorp/terraform-exec v0.20.0 // indirect + 
github.com/hashicorp/terraform-plugin-framework v1.4.1 // indirect + github.com/hashicorp/terraform-plugin-go v0.22.0 // indirect + github.com/hashicorp/terraform-plugin-log v0.9.0 // indirect + github.com/hashicorp/terraform-registry-address v0.2.3 // indirect + github.com/hashicorp/terraform-svchost v0.1.1 // indirect + github.com/hashicorp/vault-plugin-auth-jwt v0.20.3 // indirect + github.com/hashicorp/vault-plugin-auth-kerberos v0.11.0 // indirect + github.com/hashicorp/vault-plugin-auth-oci v0.15.1 // indirect + github.com/hashicorp/vault/api v1.14.0 // indirect + github.com/hashicorp/vault/sdk v0.13.0 // indirect + github.com/hashicorp/yamux v0.1.1 // indirect github.com/iancoleman/strcase v0.2.0 // indirect github.com/imdario/mergo v0.3.16 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect + github.com/jcmturner/aescts/v2 v2.0.0 // indirect + github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect + github.com/jcmturner/gofork v1.7.6 // indirect + github.com/jcmturner/goidentity/v6 v6.0.1 // indirect + github.com/jcmturner/gokrb5/v8 v8.4.4 // indirect + github.com/jcmturner/rpc/v2 v2.0.3 // indirect + github.com/jmespath/go-jmespath v0.4.0 // indirect github.com/josharian/intern v1.0.0 // indirect + github.com/joshlf/go-acl v0.0.0-20200411065538-eae00ae38531 // indirect github.com/json-iterator/go v1.1.12 // indirect + github.com/kylelemons/godebug v1.1.0 // indirect github.com/mailru/easyjson v0.7.7 // indirect github.com/mattn/go-colorable v0.1.13 // indirect - github.com/mattn/go-isatty v0.0.17 // indirect - github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect + github.com/mattn/go-isatty v0.0.20 // indirect + github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect github.com/mitchellh/copystructure v1.2.0 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect github.com/mitchellh/go-ps v1.0.0 // indirect github.com/mitchellh/go-testing-interface v1.14.1 // indirect github.com/mitchellh/go-wordwrap 
v1.0.1 // indirect github.com/mitchellh/mapstructure v1.5.0 // indirect + github.com/mitchellh/pointerstructure v1.2.1 // indirect github.com/mitchellh/reflectwalk v1.0.2 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/muvaf/typewriter v0.0.0-20220131201631-921e94e8e8d7 // indirect - github.com/prometheus/client_golang v1.15.1 // indirect - github.com/prometheus/client_model v0.4.0 // indirect - github.com/prometheus/common v0.44.0 // indirect - github.com/prometheus/procfs v0.10.0 // indirect + github.com/natefinch/atomic v1.0.1 // indirect + github.com/oklog/run v1.1.0 // indirect + github.com/opencontainers/go-digest v1.0.0 // indirect + github.com/opencontainers/image-spec v1.1.0-rc5 // indirect + github.com/oracle/oci-go-sdk/v59 v59.0.0 // indirect + github.com/patrickmn/go-cache v2.1.0+incompatible // indirect + github.com/petermattis/goid v0.0.0-20180202154549-b0b1615b78e5 // indirect + github.com/pierrec/lz4 v2.6.1+incompatible // indirect + github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect + github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect + github.com/prometheus/client_golang v1.18.0 // indirect + github.com/prometheus/client_model v0.5.0 // indirect + github.com/prometheus/common v0.45.0 // indirect + github.com/prometheus/procfs v0.12.0 // indirect github.com/ryanuber/go-glob v1.0.0 // indirect - github.com/spf13/afero v1.9.5 // indirect - github.com/spf13/cobra v1.7.0 // indirect + github.com/sasha-s/go-deadlock v0.2.0 // indirect + github.com/sony/gobreaker v0.5.0 // indirect + github.com/spf13/afero v1.11.0 // indirect + github.com/spf13/cobra v1.8.0 // indirect github.com/spf13/pflag v1.0.5 // indirect + github.com/stretchr/testify v1.9.0 // indirect github.com/tmccombs/hcl2json v0.3.3 // indirect 
github.com/vmihailenco/msgpack v4.0.4+incompatible // indirect - github.com/vmihailenco/msgpack/v4 v4.3.12 // indirect - github.com/vmihailenco/tagparser v0.1.1 // indirect + github.com/vmihailenco/msgpack/v5 v5.4.1 // indirect + github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect + github.com/xhit/go-str2duration/v2 v2.1.0 // indirect github.com/yuin/goldmark v1.4.13 // indirect - github.com/zclconf/go-cty v1.11.0 // indirect + github.com/zclconf/go-cty v1.14.4 // indirect + github.com/zclconf/go-cty-yaml v1.0.3 // indirect + go.opencensus.io v0.24.0 // indirect + go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.47.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.47.0 // indirect + go.opentelemetry.io/otel v1.24.0 // indirect + go.opentelemetry.io/otel/metric v1.24.0 // indirect + go.opentelemetry.io/otel/trace v1.24.0 // indirect go.uber.org/atomic v1.11.0 // indirect go.uber.org/multierr v1.11.0 // indirect - go.uber.org/zap v1.24.0 // indirect - golang.org/x/crypto v0.11.0 // indirect - golang.org/x/mod v0.12.0 // indirect - golang.org/x/net v0.12.0 // indirect - golang.org/x/oauth2 v0.8.0 // indirect - golang.org/x/sys v0.10.0 // indirect - golang.org/x/term v0.10.0 // indirect - golang.org/x/text v0.11.0 // indirect - golang.org/x/time v0.3.0 // indirect - golang.org/x/tools v0.11.0 // indirect - gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect - google.golang.org/appengine v1.6.7 // indirect - google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect - google.golang.org/grpc v1.56.2 // indirect - google.golang.org/protobuf v1.31.0 // indirect + go.uber.org/zap v1.26.0 // indirect + golang.org/x/crypto v0.24.0 // indirect + golang.org/x/exp v0.0.0-20240222234643-814bf88cf225 // indirect + golang.org/x/mod v0.17.0 // indirect + golang.org/x/net v0.26.0 // indirect + golang.org/x/oauth2 v0.18.0 // indirect + golang.org/x/sync v0.7.0 // indirect + golang.org/x/sys v0.21.0 // indirect + 
golang.org/x/term v0.21.0 // indirect + golang.org/x/text v0.16.0 // indirect + golang.org/x/time v0.5.0 // indirect + golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect + gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect + google.golang.org/api v0.163.0 // indirect + google.golang.org/appengine v1.6.8 // indirect + google.golang.org/genproto v0.0.0-20240125205218-1f4bbc51befe // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240125205218-1f4bbc51befe // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240125205218-1f4bbc51befe // indirect + google.golang.org/grpc v1.61.1 // indirect + google.golang.org/protobuf v1.34.1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect + gopkg.in/jcmturner/goidentity.v3 v3.0.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/api v0.27.3 // indirect - k8s.io/apiextensions-apiserver v0.27.3 // indirect - k8s.io/component-base v0.27.3 // indirect - k8s.io/klog/v2 v2.100.1 // indirect - k8s.io/kube-openapi v0.0.0-20230525220651-2546d827e515 // indirect - k8s.io/utils v0.0.0-20230505201702-9f6742963106 // indirect + k8s.io/api v0.29.1 // indirect + k8s.io/apiextensions-apiserver v0.29.1 // indirect + k8s.io/component-base v0.29.1 // indirect + k8s.io/klog/v2 v2.110.1 // indirect + k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect + k8s.io/utils v0.0.0-20240102154912-e7106e64919e // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect - sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect - sigs.k8s.io/yaml v1.3.0 // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect + sigs.k8s.io/yaml v1.4.0 // indirect ) - -replace github.com/upbound/upjet => github.com/haarchri/upjet v0.9.0-rc.0.0.20230801-af46bef5eab5fc8482e02f29e56f5373d02cb4c7 diff --git a/go.sum b/go.sum index 7af8765f..6d219677 100644 --- a/go.sum +++ b/go.sum 
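Review bot: Two of the new direct requirements in the first `require` block of go.mod are pseudo-versions that pin untagged commits, and nothing in the file records which upstream release each commit is meant to be. They are `github.com/crossplane/upjet v1.4.1-0.20240911184956-3afbb7796d46` and `github.com/hashicorp/terraform-provider-vault v1.9.1-0.20241010163921-0318b6b4523e`. The `v1.9.1` base is derived by the Go tooling and probably does not match the provider's own release numbering, so a reviewer cannot tell from the version string whether the linked code is the release the rest of the build targets. I would add a comment above each entry, for example `// terraform-provider-vault: commit 0318b6b4523e, expected to equal upstream release <UPSTREAM_TAG>; re-check on every bump`, and the same for upjet. Adding the provider also brings a large indirect set into the binary (cloud SDKs, Kerberos, LDAP and Docker client modules), so this hunk deserves a dependency and vulnerability scan before merge.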
@@ -1,3 +1,5 @@ +bazil.org/fuse v0.0.0-20160811212531-371fbbdaa898/go.mod h1:Xbm+BRKSBEpa4q4hTSxohYNQpsxXPbPry4JJWOB3LB8= +bazil.org/fuse v0.0.0-20200407214033-5883e5a4b512/go.mod h1:FbcW6z/2VytnFDhZfumh8Ss8zxHE6qpMP5sHTRe0EaM= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= 
@@ -17,129 +19,1829 @@ cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHOb cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk= cloud.google.com/go v0.75.0/go.mod h1:VGuuCn7PG0dwsd5XPVm2Mm3wlh3EL55/79EKB6hlPTY= +cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg= +cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8= +cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0= +cloud.google.com/go v0.83.0/go.mod h1:Z7MJUsANfY0pYPdw0lbnivPx4/vhy/e2FEkSkF7vAVY= +cloud.google.com/go v0.84.0/go.mod h1:RazrYuxIK6Kb7YrzzhPoLmCVzl7Sup4NrbKPg8KHSUM= +cloud.google.com/go v0.87.0/go.mod h1:TpDYlFy7vuLzZMMZ+B6iRiELaY7z/gJPaqbMx6mlWcY= +cloud.google.com/go v0.90.0/go.mod h1:kRX0mNRHe0e2rC6oNakvwQqzyDmg57xJ+SZU1eT2aDQ= +cloud.google.com/go v0.93.3/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI= +cloud.google.com/go v0.94.1/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW4= +cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Udc= +cloud.google.com/go v0.99.0/go.mod h1:w0Xx2nLzqWJPuozYQX+hFfCSI8WioryfRDzkoI/Y2ZA= +cloud.google.com/go v0.100.1/go.mod h1:fs4QogzfH5n2pBXBP9vRiU+eCny7lD2vmFZy79Iuw1U= +cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w99A= +cloud.google.com/go v0.102.0/go.mod h1:oWcCzKlqJ5zgHQt9YsaeTY9KzIvjyy0ArmiBUgpQ+nc= +cloud.google.com/go v0.102.1/go.mod h1:XZ77E9qnTEnrgEOvr4xzfdX5TRo7fB4T2F4O6+34hIU= +cloud.google.com/go v0.104.0/go.mod h1:OO6xxXdJyvuJPcEPBLN9BJPD+jep5G1+2U5B5gkRYtA= +cloud.google.com/go v0.105.0/go.mod h1:PrLgOJNe5nfE9UMxKxgXj4mD3voiP+YQ6gdt6KMFOKM= +cloud.google.com/go v0.107.0/go.mod h1:wpc2eNrD7hXUTy8EKS10jkxpZBjASrORK7goS+3YX2I= +cloud.google.com/go v0.110.0/go.mod h1:SJnCLqQ0FCFGSZMUNUf84MV3Aia54kn7pi8st7tMzaY= +cloud.google.com/go v0.110.2/go.mod 
h1:k04UEeEtb6ZBRTv3dZz4CeJC3jKGxyhl0sAiVVquxiw= +cloud.google.com/go v0.110.4/go.mod h1:+EYjdK8e5RME/VY/qLCAtuyALQ9q67dvuum8i+H5xsI= +cloud.google.com/go v0.110.6/go.mod h1:+EYjdK8e5RME/VY/qLCAtuyALQ9q67dvuum8i+H5xsI= +cloud.google.com/go v0.110.7/go.mod h1:+EYjdK8e5RME/VY/qLCAtuyALQ9q67dvuum8i+H5xsI= +cloud.google.com/go v0.110.8/go.mod h1:Iz8AkXJf1qmxC3Oxoep8R1T36w8B92yU29PcBhHO5fk= +cloud.google.com/go v0.110.9/go.mod h1:rpxevX/0Lqvlbc88b7Sc1SPNdyK1riNBTUU6JXhYNpM= +cloud.google.com/go v0.110.10/go.mod h1:v1OoFqYxiBkUrruItNM3eT4lLByNjxmJSV/xDKJNnic= +cloud.google.com/go/accessapproval v1.4.0/go.mod h1:zybIuC3KpDOvotz59lFe5qxRZx6C75OtwbisN56xYB4= +cloud.google.com/go/accessapproval v1.5.0/go.mod h1:HFy3tuiGvMdcd/u+Cu5b9NkO1pEICJ46IR82PoUdplw= +cloud.google.com/go/accessapproval v1.6.0/go.mod h1:R0EiYnwV5fsRFiKZkPHr6mwyk2wxUJ30nL4j2pcFY2E= +cloud.google.com/go/accessapproval v1.7.1/go.mod h1:JYczztsHRMK7NTXb6Xw+dwbs/WnOJxbo/2mTI+Kgg68= +cloud.google.com/go/accessapproval v1.7.2/go.mod h1:/gShiq9/kK/h8T/eEn1BTzalDvk0mZxJlhfw0p+Xuc0= +cloud.google.com/go/accessapproval v1.7.3/go.mod h1:4l8+pwIxGTNqSf4T3ds8nLO94NQf0W/KnMNuQ9PbnP8= +cloud.google.com/go/accessapproval v1.7.4/go.mod h1:/aTEh45LzplQgFYdQdwPMR9YdX0UlhBmvB84uAmQKUc= +cloud.google.com/go/accesscontextmanager v1.3.0/go.mod h1:TgCBehyr5gNMz7ZaH9xubp+CE8dkrszb4oK9CWyvD4o= +cloud.google.com/go/accesscontextmanager v1.4.0/go.mod h1:/Kjh7BBu/Gh83sv+K60vN9QE5NJcd80sU33vIe2IFPE= +cloud.google.com/go/accesscontextmanager v1.6.0/go.mod h1:8XCvZWfYw3K/ji0iVnp+6pu7huxoQTLmxAbVjbloTtM= +cloud.google.com/go/accesscontextmanager v1.7.0/go.mod h1:CEGLewx8dwa33aDAZQujl7Dx+uYhS0eay198wB/VumQ= +cloud.google.com/go/accesscontextmanager v1.8.0/go.mod h1:uI+AI/r1oyWK99NN8cQ3UK76AMelMzgZCvJfsi2c+ps= +cloud.google.com/go/accesscontextmanager v1.8.1/go.mod h1:JFJHfvuaTC+++1iL1coPiG1eu5D24db2wXCDWDjIrxo= +cloud.google.com/go/accesscontextmanager v1.8.2/go.mod h1:E6/SCRM30elQJ2PKtFMs2YhfJpZSNcJyejhuzoId4Zk= 
+cloud.google.com/go/accesscontextmanager v1.8.3/go.mod h1:4i/JkF2JiFbhLnnpnfoTX5vRXfhf9ukhU1ANOTALTOQ= +cloud.google.com/go/accesscontextmanager v1.8.4/go.mod h1:ParU+WbMpD34s5JFEnGAnPBYAgUHozaTmDJU7aCU9+M= +cloud.google.com/go/aiplatform v1.22.0/go.mod h1:ig5Nct50bZlzV6NvKaTwmplLLddFx0YReh9WfTO5jKw= +cloud.google.com/go/aiplatform v1.24.0/go.mod h1:67UUvRBKG6GTayHKV8DBv2RtR1t93YRu5B1P3x99mYY= +cloud.google.com/go/aiplatform v1.27.0/go.mod h1:Bvxqtl40l0WImSb04d0hXFU7gDOiq9jQmorivIiWcKg= +cloud.google.com/go/aiplatform v1.35.0/go.mod h1:7MFT/vCaOyZT/4IIFfxH4ErVg/4ku6lKv3w0+tFTgXQ= +cloud.google.com/go/aiplatform v1.36.1/go.mod h1:WTm12vJRPARNvJ+v6P52RDHCNe4AhvjcIZ/9/RRHy/k= +cloud.google.com/go/aiplatform v1.37.0/go.mod h1:IU2Cv29Lv9oCn/9LkFiiuKfwrRTq+QQMbW+hPCxJGZw= +cloud.google.com/go/aiplatform v1.45.0/go.mod h1:Iu2Q7sC7QGhXUeOhAj/oCK9a+ULz1O4AotZiqjQ8MYA= +cloud.google.com/go/aiplatform v1.48.0/go.mod h1:Iu2Q7sC7QGhXUeOhAj/oCK9a+ULz1O4AotZiqjQ8MYA= +cloud.google.com/go/aiplatform v1.50.0/go.mod h1:IRc2b8XAMTa9ZmfJV1BCCQbieWWvDnP1A8znyz5N7y4= +cloud.google.com/go/aiplatform v1.51.0/go.mod h1:IRc2b8XAMTa9ZmfJV1BCCQbieWWvDnP1A8znyz5N7y4= +cloud.google.com/go/aiplatform v1.51.1/go.mod h1:kY3nIMAVQOK2XDqDPHaOuD9e+FdMA6OOpfBjsvaFSOo= +cloud.google.com/go/aiplatform v1.51.2/go.mod h1:hCqVYB3mY45w99TmetEoe8eCQEwZEp9WHxeZdcv9phw= +cloud.google.com/go/aiplatform v1.52.0/go.mod h1:pwZMGvqe0JRkI1GWSZCtnAfrR4K1bv65IHILGA//VEU= +cloud.google.com/go/analytics v0.11.0/go.mod h1:DjEWCu41bVbYcKyvlws9Er60YE4a//bK6mnhWvQeFNI= +cloud.google.com/go/analytics v0.12.0/go.mod h1:gkfj9h6XRf9+TS4bmuhPEShsh3hH8PAZzm/41OOhQd4= +cloud.google.com/go/analytics v0.17.0/go.mod h1:WXFa3WSym4IZ+JiKmavYdJwGG/CvpqiqczmL59bTD9M= +cloud.google.com/go/analytics v0.18.0/go.mod h1:ZkeHGQlcIPkw0R/GW+boWHhCOR43xz9RN/jn7WcqfIE= +cloud.google.com/go/analytics v0.19.0/go.mod h1:k8liqf5/HCnOUkbawNtrWWc+UAzyDlW89doe8TtoDsE= +cloud.google.com/go/analytics v0.21.2/go.mod 
h1:U8dcUtmDmjrmUTnnnRnI4m6zKn/yaA5N9RlEkYFHpQo= +cloud.google.com/go/analytics v0.21.3/go.mod h1:U8dcUtmDmjrmUTnnnRnI4m6zKn/yaA5N9RlEkYFHpQo= +cloud.google.com/go/analytics v0.21.4/go.mod h1:zZgNCxLCy8b2rKKVfC1YkC2vTrpfZmeRCySM3aUbskA= +cloud.google.com/go/analytics v0.21.5/go.mod h1:BQtOBHWTlJ96axpPPnw5CvGJ6i3Ve/qX2fTxR8qWyr8= +cloud.google.com/go/analytics v0.21.6/go.mod h1:eiROFQKosh4hMaNhF85Oc9WO97Cpa7RggD40e/RBy8w= +cloud.google.com/go/apigateway v1.3.0/go.mod h1:89Z8Bhpmxu6AmUxuVRg/ECRGReEdiP3vQtk4Z1J9rJk= +cloud.google.com/go/apigateway v1.4.0/go.mod h1:pHVY9MKGaH9PQ3pJ4YLzoj6U5FUDeDFBllIz7WmzJoc= +cloud.google.com/go/apigateway v1.5.0/go.mod h1:GpnZR3Q4rR7LVu5951qfXPJCHquZt02jf7xQx7kpqN8= +cloud.google.com/go/apigateway v1.6.1/go.mod h1:ufAS3wpbRjqfZrzpvLC2oh0MFlpRJm2E/ts25yyqmXA= +cloud.google.com/go/apigateway v1.6.2/go.mod h1:CwMC90nnZElorCW63P2pAYm25AtQrHfuOkbRSHj0bT8= +cloud.google.com/go/apigateway v1.6.3/go.mod h1:k68PXWpEs6BVDTtnLQAyG606Q3mz8pshItwPXjgv44Y= +cloud.google.com/go/apigateway v1.6.4/go.mod h1:0EpJlVGH5HwAN4VF4Iec8TAzGN1aQgbxAWGJsnPCGGY= +cloud.google.com/go/apigeeconnect v1.3.0/go.mod h1:G/AwXFAKo0gIXkPTVfZDd2qA1TxBXJ3MgMRBQkIi9jc= +cloud.google.com/go/apigeeconnect v1.4.0/go.mod h1:kV4NwOKqjvt2JYR0AoIWo2QGfoRtn/pkS3QlHp0Ni04= +cloud.google.com/go/apigeeconnect v1.5.0/go.mod h1:KFaCqvBRU6idyhSNyn3vlHXc8VMDJdRmwDF6JyFRqZ8= +cloud.google.com/go/apigeeconnect v1.6.1/go.mod h1:C4awq7x0JpLtrlQCr8AzVIzAaYgngRqWf9S5Uhg+wWs= +cloud.google.com/go/apigeeconnect v1.6.2/go.mod h1:s6O0CgXT9RgAxlq3DLXvG8riw8PYYbU/v25jqP3Dy18= +cloud.google.com/go/apigeeconnect v1.6.3/go.mod h1:peG0HFQ0si2bN15M6QSjEW/W7Gy3NYkWGz7pFz13cbo= +cloud.google.com/go/apigeeconnect v1.6.4/go.mod h1:CapQCWZ8TCjnU0d7PobxhpOdVz/OVJ2Hr/Zcuu1xFx0= +cloud.google.com/go/apigeeregistry v0.4.0/go.mod h1:EUG4PGcsZvxOXAdyEghIdXwAEi/4MEaoqLMLDMIwKXY= +cloud.google.com/go/apigeeregistry v0.5.0/go.mod h1:YR5+s0BVNZfVOUkMa5pAR2xGd0A473vA5M7j247o1wM= +cloud.google.com/go/apigeeregistry 
v0.6.0/go.mod h1:BFNzW7yQVLZ3yj0TKcwzb8n25CFBri51GVGOEUcgQsc= +cloud.google.com/go/apigeeregistry v0.7.1/go.mod h1:1XgyjZye4Mqtw7T9TsY4NW10U7BojBvG4RMD+vRDrIw= +cloud.google.com/go/apigeeregistry v0.7.2/go.mod h1:9CA2B2+TGsPKtfi3F7/1ncCCsL62NXBRfM6iPoGSM+8= +cloud.google.com/go/apigeeregistry v0.8.1/go.mod h1:MW4ig1N4JZQsXmBSwH4rwpgDonocz7FPBSw6XPGHmYw= +cloud.google.com/go/apigeeregistry v0.8.2/go.mod h1:h4v11TDGdeXJDJvImtgK2AFVvMIgGWjSb0HRnBSjcX8= +cloud.google.com/go/apikeys v0.4.0/go.mod h1:XATS/yqZbaBK0HOssf+ALHp8jAlNHUgyfprvNcBIszU= +cloud.google.com/go/apikeys v0.5.0/go.mod h1:5aQfwY4D+ewMMWScd3hm2en3hCj+BROlyrt3ytS7KLI= +cloud.google.com/go/apikeys v0.6.0/go.mod h1:kbpXu5upyiAlGkKrJgQl8A0rKNNJ7dQ377pdroRSSi8= +cloud.google.com/go/appengine v1.4.0/go.mod h1:CS2NhuBuDXM9f+qscZ6V86m1MIIqPj3WC/UoEuR1Sno= +cloud.google.com/go/appengine v1.5.0/go.mod h1:TfasSozdkFI0zeoxW3PTBLiNqRmzraodCWatWI9Dmak= +cloud.google.com/go/appengine v1.6.0/go.mod h1:hg6i0J/BD2cKmDJbaFSYHFyZkgBEfQrDg/X0V5fJn84= +cloud.google.com/go/appengine v1.7.0/go.mod h1:eZqpbHFCqRGa2aCdope7eC0SWLV1j0neb/QnMJVWx6A= +cloud.google.com/go/appengine v1.7.1/go.mod h1:IHLToyb/3fKutRysUlFO0BPt5j7RiQ45nrzEJmKTo6E= +cloud.google.com/go/appengine v1.8.1/go.mod h1:6NJXGLVhZCN9aQ/AEDvmfzKEfoYBlfB80/BHiKVputY= +cloud.google.com/go/appengine v1.8.2/go.mod h1:WMeJV9oZ51pvclqFN2PqHoGnys7rK0rz6s3Mp6yMvDo= +cloud.google.com/go/appengine v1.8.3/go.mod h1:2oUPZ1LVZ5EXi+AF1ihNAF+S8JrzQ3till5m9VQkrsk= +cloud.google.com/go/appengine v1.8.4/go.mod h1:TZ24v+wXBujtkK77CXCpjZbnuTvsFNT41MUaZ28D6vg= +cloud.google.com/go/area120 v0.5.0/go.mod h1:DE/n4mp+iqVyvxHN41Vf1CR602GiHQjFPusMFW6bGR4= +cloud.google.com/go/area120 v0.6.0/go.mod h1:39yFJqWVgm0UZqWTOdqkLhjoC7uFfgXRC8g/ZegeAh0= +cloud.google.com/go/area120 v0.7.0/go.mod h1:a3+8EUD1SX5RUcCs3MY5YasiO1z6yLiNLRiFrykbynY= +cloud.google.com/go/area120 v0.7.1/go.mod h1:j84i4E1RboTWjKtZVWXPqvK5VHQFJRF2c1Nm69pWm9k= +cloud.google.com/go/area120 v0.8.1/go.mod 
h1:BVfZpGpB7KFVNxPiQBuHkX6Ed0rS51xIgmGyjrAfzsg= +cloud.google.com/go/area120 v0.8.2/go.mod h1:a5qfo+x77SRLXnCynFWPUZhnZGeSgvQ+Y0v1kSItkh4= +cloud.google.com/go/area120 v0.8.3/go.mod h1:5zj6pMzVTH+SVHljdSKC35sriR/CVvQZzG/Icdyriw0= +cloud.google.com/go/area120 v0.8.4/go.mod h1:jfawXjxf29wyBXr48+W+GyX/f8fflxp642D/bb9v68M= +cloud.google.com/go/artifactregistry v1.6.0/go.mod h1:IYt0oBPSAGYj/kprzsBjZ/4LnG/zOcHyFHjWPCi6SAQ= +cloud.google.com/go/artifactregistry v1.7.0/go.mod h1:mqTOFOnGZx8EtSqK/ZWcsm/4U8B77rbcLP6ruDU2Ixk= +cloud.google.com/go/artifactregistry v1.8.0/go.mod h1:w3GQXkJX8hiKN0v+at4b0qotwijQbYUqF2GWkZzAhC0= +cloud.google.com/go/artifactregistry v1.9.0/go.mod h1:2K2RqvA2CYvAeARHRkLDhMDJ3OXy26h3XW+3/Jh2uYc= +cloud.google.com/go/artifactregistry v1.11.1/go.mod h1:lLYghw+Itq9SONbCa1YWBoWs1nOucMH0pwXN1rOBZFI= +cloud.google.com/go/artifactregistry v1.11.2/go.mod h1:nLZns771ZGAwVLzTX/7Al6R9ehma4WUEhZGWV6CeQNQ= +cloud.google.com/go/artifactregistry v1.12.0/go.mod h1:o6P3MIvtzTOnmvGagO9v/rOjjA0HmhJ+/6KAXrmYDCI= +cloud.google.com/go/artifactregistry v1.13.0/go.mod h1:uy/LNfoOIivepGhooAUpL1i30Hgee3Cu0l4VTWHUC08= +cloud.google.com/go/artifactregistry v1.14.1/go.mod h1:nxVdG19jTaSTu7yA7+VbWL346r3rIdkZ142BSQqhn5E= +cloud.google.com/go/artifactregistry v1.14.2/go.mod h1:Xk+QbsKEb0ElmyeMfdHAey41B+qBq3q5R5f5xD4XT3U= +cloud.google.com/go/artifactregistry v1.14.3/go.mod h1:A2/E9GXnsyXl7GUvQ/2CjHA+mVRoWAXC0brg2os+kNI= +cloud.google.com/go/artifactregistry v1.14.4/go.mod h1:SJJcZTMv6ce0LDMUnihCN7WSrI+kBSFV0KIKo8S8aYU= +cloud.google.com/go/artifactregistry v1.14.6/go.mod h1:np9LSFotNWHcjnOgh8UVK0RFPCTUGbO0ve3384xyHfE= +cloud.google.com/go/asset v1.5.0/go.mod h1:5mfs8UvcM5wHhqtSv8J1CtxxaQq3AdBxxQi2jGW/K4o= +cloud.google.com/go/asset v1.7.0/go.mod h1:YbENsRK4+xTiL+Ofoj5Ckf+O17kJtgp3Y3nn4uzZz5s= +cloud.google.com/go/asset v1.8.0/go.mod h1:mUNGKhiqIdbr8X7KNayoYvyc4HbbFO9URsjbytpUaW0= +cloud.google.com/go/asset v1.9.0/go.mod h1:83MOE6jEJBMqFKadM9NLRcs80Gdw76qGuHn8m3h8oHQ= 
+cloud.google.com/go/asset v1.10.0/go.mod h1:pLz7uokL80qKhzKr4xXGvBQXnzHn5evJAEAtZiIb0wY= +cloud.google.com/go/asset v1.11.1/go.mod h1:fSwLhbRvC9p9CXQHJ3BgFeQNM4c9x10lqlrdEUYXlJo= +cloud.google.com/go/asset v1.12.0/go.mod h1:h9/sFOa4eDIyKmH6QMpm4eUK3pDojWnUhTgJlk762Hg= +cloud.google.com/go/asset v1.13.0/go.mod h1:WQAMyYek/b7NBpYq/K4KJWcRqzoalEsxz/t/dTk4THw= +cloud.google.com/go/asset v1.14.1/go.mod h1:4bEJ3dnHCqWCDbWJ/6Vn7GVI9LerSi7Rfdi03hd+WTQ= +cloud.google.com/go/asset v1.15.0/go.mod h1:tpKafV6mEut3+vN9ScGvCHXHj7FALFVta+okxFECHcg= +cloud.google.com/go/asset v1.15.1/go.mod h1:yX/amTvFWRpp5rcFq6XbCxzKT8RJUam1UoboE179jU4= +cloud.google.com/go/asset v1.15.2/go.mod h1:B6H5tclkXvXz7PD22qCA2TDxSVQfasa3iDlM89O2NXs= +cloud.google.com/go/asset v1.15.3/go.mod h1:yYLfUD4wL4X589A9tYrv4rFrba0QlDeag0CMcM5ggXU= +cloud.google.com/go/assuredworkloads v1.5.0/go.mod h1:n8HOZ6pff6re5KYfBXcFvSViQjDwxFkAkmUFffJRbbY= +cloud.google.com/go/assuredworkloads v1.6.0/go.mod h1:yo2YOk37Yc89Rsd5QMVECvjaMKymF9OP+QXWlKXUkXw= +cloud.google.com/go/assuredworkloads v1.7.0/go.mod h1:z/736/oNmtGAyU47reJgGN+KVoYoxeLBoj4XkKYscNI= +cloud.google.com/go/assuredworkloads v1.8.0/go.mod h1:AsX2cqyNCOvEQC8RMPnoc0yEarXQk6WEKkxYfL6kGIo= +cloud.google.com/go/assuredworkloads v1.9.0/go.mod h1:kFuI1P78bplYtT77Tb1hi0FMxM0vVpRC7VVoJC3ZoT0= +cloud.google.com/go/assuredworkloads v1.10.0/go.mod h1:kwdUQuXcedVdsIaKgKTp9t0UJkE5+PAVNhdQm4ZVq2E= +cloud.google.com/go/assuredworkloads v1.11.1/go.mod h1:+F04I52Pgn5nmPG36CWFtxmav6+7Q+c5QyJoL18Lry0= +cloud.google.com/go/assuredworkloads v1.11.2/go.mod h1:O1dfr+oZJMlE6mw0Bp0P1KZSlj5SghMBvTpZqIcUAW4= +cloud.google.com/go/assuredworkloads v1.11.3/go.mod h1:vEjfTKYyRUaIeA0bsGJceFV2JKpVRgyG2op3jfa59Zs= +cloud.google.com/go/assuredworkloads v1.11.4/go.mod h1:4pwwGNwy1RP0m+y12ef3Q/8PaiWrIDQ6nD2E8kvWI9U= +cloud.google.com/go/automl v1.5.0/go.mod h1:34EjfoFGMZ5sgJ9EoLsRtdPSNZLcfflJR39VbVNS2M0= +cloud.google.com/go/automl v1.6.0/go.mod h1:ugf8a6Fx+zP0D59WLhqgTDsQI9w07o64uf/Is3Nh5p8= 
+cloud.google.com/go/automl v1.7.0/go.mod h1:RL9MYCCsJEOmt0Wf3z9uzG0a7adTT1fe+aObgSpkCt8= +cloud.google.com/go/automl v1.8.0/go.mod h1:xWx7G/aPEe/NP+qzYXktoBSDfjO+vnKMGgsApGJJquM= +cloud.google.com/go/automl v1.12.0/go.mod h1:tWDcHDp86aMIuHmyvjuKeeHEGq76lD7ZqfGLN6B0NuU= +cloud.google.com/go/automl v1.13.1/go.mod h1:1aowgAHWYZU27MybSCFiukPO7xnyawv7pt3zK4bheQE= +cloud.google.com/go/automl v1.13.2/go.mod h1:gNY/fUmDEN40sP8amAX3MaXkxcqPIn7F1UIIPZpy4Mg= +cloud.google.com/go/automl v1.13.3/go.mod h1:Y8KwvyAZFOsMAPqUCfNu1AyclbC6ivCUF/MTwORymyY= +cloud.google.com/go/automl v1.13.4/go.mod h1:ULqwX/OLZ4hBVfKQaMtxMSTlPx0GqGbWN8uA/1EqCP8= +cloud.google.com/go/baremetalsolution v0.3.0/go.mod h1:XOrocE+pvK1xFfleEnShBlNAXf+j5blPPxrhjKgnIFc= +cloud.google.com/go/baremetalsolution v0.4.0/go.mod h1:BymplhAadOO/eBa7KewQ0Ppg4A4Wplbn+PsFKRLo0uI= +cloud.google.com/go/baremetalsolution v0.5.0/go.mod h1:dXGxEkmR9BMwxhzBhV0AioD0ULBmuLZI8CdwalUxuss= +cloud.google.com/go/baremetalsolution v1.1.1/go.mod h1:D1AV6xwOksJMV4OSlWHtWuFNZZYujJknMAP4Qa27QIA= +cloud.google.com/go/baremetalsolution v1.2.0/go.mod h1:68wi9AwPYkEWIUT4SvSGS9UJwKzNpshjHsH4lzk8iOw= +cloud.google.com/go/baremetalsolution v1.2.1/go.mod h1:3qKpKIw12RPXStwQXcbhfxVj1dqQGEvcmA+SX/mUR88= +cloud.google.com/go/baremetalsolution v1.2.2/go.mod h1:O5V6Uu1vzVelYahKfwEWRMaS3AbCkeYHy3145s1FkhM= +cloud.google.com/go/baremetalsolution v1.2.3/go.mod h1:/UAQ5xG3faDdy180rCUv47e0jvpp3BFxT+Cl0PFjw5g= +cloud.google.com/go/batch v0.3.0/go.mod h1:TR18ZoAekj1GuirsUsR1ZTKN3FC/4UDnScjT8NXImFE= +cloud.google.com/go/batch v0.4.0/go.mod h1:WZkHnP43R/QCGQsZ+0JyG4i79ranE2u8xvjq/9+STPE= +cloud.google.com/go/batch v0.7.0/go.mod h1:vLZN95s6teRUqRQ4s3RLDsH8PvboqBK+rn1oevL159g= +cloud.google.com/go/batch v1.3.1/go.mod h1:VguXeQKXIYaeeIYbuozUmBR13AfL4SJP7IltNPS+A4A= +cloud.google.com/go/batch v1.4.1/go.mod h1:KdBmDD61K0ovcxoRHGrN6GmOBWeAOyCgKD0Mugx4Fkk= +cloud.google.com/go/batch v1.5.0/go.mod h1:KdBmDD61K0ovcxoRHGrN6GmOBWeAOyCgKD0Mugx4Fkk= 
+cloud.google.com/go/batch v1.5.1/go.mod h1:RpBuIYLkQu8+CWDk3dFD/t/jOCGuUpkpX+Y0n1Xccs8= +cloud.google.com/go/batch v1.6.1/go.mod h1:urdpD13zPe6YOK+6iZs/8/x2VBRofvblLpx0t57vM98= +cloud.google.com/go/batch v1.6.3/go.mod h1:J64gD4vsNSA2O5TtDB5AAux3nJ9iV8U3ilg3JDBYejU= +cloud.google.com/go/beyondcorp v0.2.0/go.mod h1:TB7Bd+EEtcw9PCPQhCJtJGjk/7TC6ckmnSFS+xwTfm4= +cloud.google.com/go/beyondcorp v0.3.0/go.mod h1:E5U5lcrcXMsCuoDNyGrpyTm/hn7ne941Jz2vmksAxW8= +cloud.google.com/go/beyondcorp v0.4.0/go.mod h1:3ApA0mbhHx6YImmuubf5pyW8srKnCEPON32/5hj+RmM= +cloud.google.com/go/beyondcorp v0.5.0/go.mod h1:uFqj9X+dSfrheVp7ssLTaRHd2EHqSL4QZmH4e8WXGGU= +cloud.google.com/go/beyondcorp v0.6.1/go.mod h1:YhxDWw946SCbmcWo3fAhw3V4XZMSpQ/VYfcKGAEU8/4= +cloud.google.com/go/beyondcorp v1.0.0/go.mod h1:YhxDWw946SCbmcWo3fAhw3V4XZMSpQ/VYfcKGAEU8/4= +cloud.google.com/go/beyondcorp v1.0.1/go.mod h1:zl/rWWAFVeV+kx+X2Javly7o1EIQThU4WlkynffL/lk= +cloud.google.com/go/beyondcorp v1.0.2/go.mod h1:m8cpG7caD+5su+1eZr+TSvF6r21NdLJk4f9u4SP2Ntc= +cloud.google.com/go/beyondcorp v1.0.3/go.mod h1:HcBvnEd7eYr+HGDd5ZbuVmBYX019C6CEXBonXbCVwJo= cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= +cloud.google.com/go/bigquery v1.42.0/go.mod h1:8dRTJxhtG+vwBKzE5OseQn/hiydoQN3EedCaOdYmxRA= +cloud.google.com/go/bigquery v1.43.0/go.mod h1:ZMQcXHsl+xmU1z36G2jNGZmKp9zNY5BUua5wDgmNCfw= +cloud.google.com/go/bigquery v1.44.0/go.mod h1:0Y33VqXTEsbamHJvJHdFmtqHvMIY28aK1+dFsvaChGc= +cloud.google.com/go/bigquery v1.47.0/go.mod 
h1:sA9XOgy0A8vQK9+MWhEQTY6Tix87M/ZurWFIxmF9I/E= +cloud.google.com/go/bigquery v1.48.0/go.mod h1:QAwSz+ipNgfL5jxiaK7weyOhzdoAy1zFm0Nf1fysJac= +cloud.google.com/go/bigquery v1.49.0/go.mod h1:Sv8hMmTFFYBlt/ftw2uN6dFdQPzBlREY9yBh7Oy7/4Q= +cloud.google.com/go/bigquery v1.50.0/go.mod h1:YrleYEh2pSEbgTBZYMJ5SuSr0ML3ypjRB1zgf7pvQLU= +cloud.google.com/go/bigquery v1.52.0/go.mod h1:3b/iXjRQGU4nKa87cXeg6/gogLjO8C6PmuM8i5Bi/u4= +cloud.google.com/go/bigquery v1.53.0/go.mod h1:3b/iXjRQGU4nKa87cXeg6/gogLjO8C6PmuM8i5Bi/u4= +cloud.google.com/go/bigquery v1.55.0/go.mod h1:9Y5I3PN9kQWuid6183JFhOGOW3GcirA5LpsKCUn+2ec= +cloud.google.com/go/bigquery v1.56.0/go.mod h1:KDcsploXTEY7XT3fDQzMUZlpQLHzE4itubHrnmhUrZA= +cloud.google.com/go/bigquery v1.57.1/go.mod h1:iYzC0tGVWt1jqSzBHqCr3lrRn0u13E8e+AqowBsDgug= +cloud.google.com/go/billing v1.4.0/go.mod h1:g9IdKBEFlItS8bTtlrZdVLWSSdSyFUZKXNS02zKMOZY= +cloud.google.com/go/billing v1.5.0/go.mod h1:mztb1tBc3QekhjSgmpf/CV4LzWXLzCArwpLmP2Gm88s= +cloud.google.com/go/billing v1.6.0/go.mod h1:WoXzguj+BeHXPbKfNWkqVtDdzORazmCjraY+vrxcyvI= +cloud.google.com/go/billing v1.7.0/go.mod h1:q457N3Hbj9lYwwRbnlD7vUpyjq6u5U1RAOArInEiD5Y= +cloud.google.com/go/billing v1.12.0/go.mod h1:yKrZio/eu+okO/2McZEbch17O5CB5NpZhhXG6Z766ss= +cloud.google.com/go/billing v1.13.0/go.mod h1:7kB2W9Xf98hP9Sr12KfECgfGclsH3CQR0R08tnRlRbc= +cloud.google.com/go/billing v1.16.0/go.mod h1:y8vx09JSSJG02k5QxbycNRrN7FGZB6F3CAcgum7jvGA= +cloud.google.com/go/billing v1.17.0/go.mod h1:Z9+vZXEq+HwH7bhJkyI4OQcR6TSbeMrjlpEjO2vzY64= +cloud.google.com/go/billing v1.17.1/go.mod h1:Z9+vZXEq+HwH7bhJkyI4OQcR6TSbeMrjlpEjO2vzY64= +cloud.google.com/go/billing v1.17.2/go.mod h1:u/AdV/3wr3xoRBk5xvUzYMS1IawOAPwQMuHgHMdljDg= +cloud.google.com/go/billing v1.17.3/go.mod h1:z83AkoZ7mZwBGT3yTnt6rSGI1OOsHSIi6a5M3mJ8NaU= +cloud.google.com/go/billing v1.17.4/go.mod h1:5DOYQStCxquGprqfuid/7haD7th74kyMBHkjO/OvDtk= +cloud.google.com/go/binaryauthorization v1.1.0/go.mod h1:xwnoWu3Y84jbuHa0zd526MJYmtnVXn0syOjaJgy4+dM= 
+cloud.google.com/go/binaryauthorization v1.2.0/go.mod h1:86WKkJHtRcv5ViNABtYMhhNWRrD1Vpi//uKEy7aYEfI= +cloud.google.com/go/binaryauthorization v1.3.0/go.mod h1:lRZbKgjDIIQvzYQS1p99A7/U1JqvqeZg0wiI5tp6tg0= +cloud.google.com/go/binaryauthorization v1.4.0/go.mod h1:tsSPQrBd77VLplV70GUhBf/Zm3FsKmgSqgm4UmiDItk= +cloud.google.com/go/binaryauthorization v1.5.0/go.mod h1:OSe4OU1nN/VswXKRBmciKpo9LulY41gch5c68htf3/Q= +cloud.google.com/go/binaryauthorization v1.6.1/go.mod h1:TKt4pa8xhowwffiBmbrbcxijJRZED4zrqnwZ1lKH51U= +cloud.google.com/go/binaryauthorization v1.7.0/go.mod h1:Zn+S6QqTMn6odcMU1zDZCJxPjU2tZPV1oDl45lWY154= +cloud.google.com/go/binaryauthorization v1.7.1/go.mod h1:GTAyfRWYgcbsP3NJogpV3yeunbUIjx2T9xVeYovtURE= +cloud.google.com/go/binaryauthorization v1.7.2/go.mod h1:kFK5fQtxEp97m92ziy+hbu+uKocka1qRRL8MVJIgjv0= +cloud.google.com/go/binaryauthorization v1.7.3/go.mod h1:VQ/nUGRKhrStlGr+8GMS8f6/vznYLkdK5vaKfdCIpvU= +cloud.google.com/go/certificatemanager v1.3.0/go.mod h1:n6twGDvcUBFu9uBgt4eYvvf3sQ6My8jADcOVwHmzadg= +cloud.google.com/go/certificatemanager v1.4.0/go.mod h1:vowpercVFyqs8ABSmrdV+GiFf2H/ch3KyudYQEMM590= +cloud.google.com/go/certificatemanager v1.6.0/go.mod h1:3Hh64rCKjRAX8dXgRAyOcY5vQ/fE1sh8o+Mdd6KPgY8= +cloud.google.com/go/certificatemanager v1.7.1/go.mod h1:iW8J3nG6SaRYImIa+wXQ0g8IgoofDFRp5UMzaNk1UqI= +cloud.google.com/go/certificatemanager v1.7.2/go.mod h1:15SYTDQMd00kdoW0+XY5d9e+JbOPjp24AvF48D8BbcQ= +cloud.google.com/go/certificatemanager v1.7.3/go.mod h1:T/sZYuC30PTag0TLo28VedIRIj1KPGcOQzjWAptHa00= +cloud.google.com/go/certificatemanager v1.7.4/go.mod h1:FHAylPe/6IIKuaRmHbjbdLhGhVQ+CWHSD5Jq0k4+cCE= +cloud.google.com/go/channel v1.8.0/go.mod h1:W5SwCXDJsq/rg3tn3oG0LOxpAo6IMxNa09ngphpSlnk= +cloud.google.com/go/channel v1.9.0/go.mod h1:jcu05W0my9Vx4mt3/rEHpfxc9eKi9XwsdDL8yBMbKUk= +cloud.google.com/go/channel v1.11.0/go.mod h1:IdtI0uWGqhEeatSB62VOoJ8FSUhJ9/+iGkJVqp74CGE= +cloud.google.com/go/channel v1.12.0/go.mod 
h1:VkxCGKASi4Cq7TbXxlaBezonAYpp1GCnKMY6tnMQnLU= +cloud.google.com/go/channel v1.16.0/go.mod h1:eN/q1PFSl5gyu0dYdmxNXscY/4Fi7ABmeHCJNf/oHmc= +cloud.google.com/go/channel v1.17.0/go.mod h1:RpbhJsGi/lXWAUM1eF4IbQGbsfVlg2o8Iiy2/YLfVT0= +cloud.google.com/go/channel v1.17.1/go.mod h1:xqfzcOZAcP4b/hUDH0GkGg1Sd5to6di1HOJn/pi5uBQ= +cloud.google.com/go/channel v1.17.2/go.mod h1:aT2LhnftnyfQceFql5I/mP8mIbiiJS4lWqgXA815zMk= +cloud.google.com/go/channel v1.17.3/go.mod h1:QcEBuZLGGrUMm7kNj9IbU1ZfmJq2apotsV83hbxX7eE= +cloud.google.com/go/cloudbuild v1.3.0/go.mod h1:WequR4ULxlqvMsjDEEEFnOG5ZSRSgWOywXYDb1vPE6U= +cloud.google.com/go/cloudbuild v1.4.0/go.mod h1:5Qwa40LHiOXmz3386FrjrYM93rM/hdRr7b53sySrTqA= +cloud.google.com/go/cloudbuild v1.6.0/go.mod h1:UIbc/w9QCbH12xX+ezUsgblrWv+Cv4Tw83GiSMHOn9M= +cloud.google.com/go/cloudbuild v1.7.0/go.mod h1:zb5tWh2XI6lR9zQmsm1VRA+7OCuve5d8S+zJUul8KTg= +cloud.google.com/go/cloudbuild v1.9.0/go.mod h1:qK1d7s4QlO0VwfYn5YuClDGg2hfmLZEb4wQGAbIgL1s= +cloud.google.com/go/cloudbuild v1.10.1/go.mod h1:lyJg7v97SUIPq4RC2sGsz/9tNczhyv2AjML/ci4ulzU= +cloud.google.com/go/cloudbuild v1.13.0/go.mod h1:lyJg7v97SUIPq4RC2sGsz/9tNczhyv2AjML/ci4ulzU= +cloud.google.com/go/cloudbuild v1.14.0/go.mod h1:lyJg7v97SUIPq4RC2sGsz/9tNczhyv2AjML/ci4ulzU= +cloud.google.com/go/cloudbuild v1.14.1/go.mod h1:K7wGc/3zfvmYWOWwYTgF/d/UVJhS4pu+HAy7PL7mCsU= +cloud.google.com/go/cloudbuild v1.14.2/go.mod h1:Bn6RO0mBYk8Vlrt+8NLrru7WXlQ9/RDWz2uo5KG1/sg= +cloud.google.com/go/cloudbuild v1.14.3/go.mod h1:eIXYWmRt3UtggLnFGx4JvXcMj4kShhVzGndL1LwleEM= +cloud.google.com/go/clouddms v1.3.0/go.mod h1:oK6XsCDdW4Ib3jCCBugx+gVjevp2TMXFtgxvPSee3OM= +cloud.google.com/go/clouddms v1.4.0/go.mod h1:Eh7sUGCC+aKry14O1NRljhjyrr0NFC0G2cjwX0cByRk= +cloud.google.com/go/clouddms v1.5.0/go.mod h1:QSxQnhikCLUw13iAbffF2CZxAER3xDGNHjsTAkQJcQA= +cloud.google.com/go/clouddms v1.6.1/go.mod h1:Ygo1vL52Ov4TBZQquhz5fiw2CQ58gvu+PlS6PVXCpZI= +cloud.google.com/go/clouddms v1.7.0/go.mod 
h1:MW1dC6SOtI/tPNCciTsXtsGNEM0i0OccykPvv3hiYeM= +cloud.google.com/go/clouddms v1.7.1/go.mod h1:o4SR8U95+P7gZ/TX+YbJxehOCsM+fe6/brlrFquiszk= +cloud.google.com/go/clouddms v1.7.2/go.mod h1:Rk32TmWmHo64XqDvW7jgkFQet1tUKNVzs7oajtJT3jU= +cloud.google.com/go/clouddms v1.7.3/go.mod h1:fkN2HQQNUYInAU3NQ3vRLkV2iWs8lIdmBKOx4nrL6Hc= +cloud.google.com/go/cloudsqlconn v1.4.3/go.mod h1:QL3tuStVOO70txb3rs4G8j5uMfo5ztZii8K3oGD3VYA= +cloud.google.com/go/cloudtasks v1.5.0/go.mod h1:fD92REy1x5woxkKEkLdvavGnPJGEn8Uic9nWuLzqCpY= +cloud.google.com/go/cloudtasks v1.6.0/go.mod h1:C6Io+sxuke9/KNRkbQpihnW93SWDU3uXt92nu85HkYI= +cloud.google.com/go/cloudtasks v1.7.0/go.mod h1:ImsfdYWwlWNJbdgPIIGJWC+gemEGTBK/SunNQQNCAb4= +cloud.google.com/go/cloudtasks v1.8.0/go.mod h1:gQXUIwCSOI4yPVK7DgTVFiiP0ZW/eQkydWzwVMdHxrI= +cloud.google.com/go/cloudtasks v1.9.0/go.mod h1:w+EyLsVkLWHcOaqNEyvcKAsWp9p29dL6uL9Nst1cI7Y= +cloud.google.com/go/cloudtasks v1.10.0/go.mod h1:NDSoTLkZ3+vExFEWu2UJV1arUyzVDAiZtdWcsUyNwBs= +cloud.google.com/go/cloudtasks v1.11.1/go.mod h1:a9udmnou9KO2iulGscKR0qBYjreuX8oHwpmFsKspEvM= +cloud.google.com/go/cloudtasks v1.12.1/go.mod h1:a9udmnou9KO2iulGscKR0qBYjreuX8oHwpmFsKspEvM= +cloud.google.com/go/cloudtasks v1.12.2/go.mod h1:A7nYkjNlW2gUoROg1kvJrQGhJP/38UaWwsnuBDOBVUk= +cloud.google.com/go/cloudtasks v1.12.3/go.mod h1:GPVXhIOSGEaR+3xT4Fp72ScI+HjHffSS4B8+BaBB5Ys= +cloud.google.com/go/cloudtasks v1.12.4/go.mod h1:BEPu0Gtt2dU6FxZHNqqNdGqIG86qyWKBPGnsb7udGY0= +cloud.google.com/go/compute v0.1.0/go.mod h1:GAesmwr110a34z04OlxYkATPBEfVhkymfTBXtfbBFow= +cloud.google.com/go/compute v1.3.0/go.mod h1:cCZiE1NHEtai4wiufUhW8I8S1JKkAnhnQJWM7YD99wM= +cloud.google.com/go/compute v1.5.0/go.mod h1:9SMHyhJlzhlkJqrPAc839t2BZFTSk6Jdj6mkzQJeu0M= +cloud.google.com/go/compute v1.6.0/go.mod h1:T29tfhtVbq1wvAPo0E3+7vhgmkOYeXjhFvz/FMzPu0s= +cloud.google.com/go/compute v1.6.1/go.mod h1:g85FgpzFvNULZ+S8AYq87axRKuf2Kh7deLqV/jJ3thU= +cloud.google.com/go/compute v1.7.0/go.mod 
h1:435lt8av5oL9P3fv1OEzSbSUe+ybHXGMPQHHZWZxy9U= +cloud.google.com/go/compute v1.10.0/go.mod h1:ER5CLbMxl90o2jtNbGSbtfOpQKR0t15FOtRsugnLrlU= +cloud.google.com/go/compute v1.12.0/go.mod h1:e8yNOBcBONZU1vJKCvCoDw/4JQsA0dpM4x/6PIIOocU= +cloud.google.com/go/compute v1.12.1/go.mod h1:e8yNOBcBONZU1vJKCvCoDw/4JQsA0dpM4x/6PIIOocU= +cloud.google.com/go/compute v1.13.0/go.mod h1:5aPTS0cUNMIc1CE546K+Th6weJUNQErARyZtRXDJ8GE= +cloud.google.com/go/compute v1.14.0/go.mod h1:YfLtxrj9sU4Yxv+sXzZkyPjEyPBZfXHUvjxega5vAdo= +cloud.google.com/go/compute v1.15.1/go.mod h1:bjjoF/NtFUrkD/urWfdHaKuOPDR5nWIs63rR+SXhcpA= +cloud.google.com/go/compute v1.18.0/go.mod h1:1X7yHxec2Ga+Ss6jPyjxRxpu2uu7PLgsOVXvgU0yacs= +cloud.google.com/go/compute v1.19.0/go.mod h1:rikpw2y+UMidAe9tISo04EHNOIf42RLYF/q8Bs93scU= +cloud.google.com/go/compute v1.19.1/go.mod h1:6ylj3a05WF8leseCdIf77NK0g1ey+nj5IKd5/kvShxE= +cloud.google.com/go/compute v1.19.3/go.mod h1:qxvISKp/gYnXkSAD1ppcSOveRAmzxicEv/JlizULFrI= +cloud.google.com/go/compute v1.20.1/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM= +cloud.google.com/go/compute v1.21.0/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM= +cloud.google.com/go/compute v1.23.0/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM= +cloud.google.com/go/compute v1.23.1/go.mod h1:CqB3xpmPKKt3OJpW2ndFIXnA9A4xAy/F3Xp1ixncW78= +cloud.google.com/go/compute v1.23.2/go.mod h1:JJ0atRC0J/oWYiiVBmsSsrRnh92DhZPG4hFDcR04Rns= +cloud.google.com/go/compute v1.23.3 h1:6sVlXXBmbd7jNX0Ipq0trII3e4n1/MsADLK6a+aiVlk= +cloud.google.com/go/compute v1.23.3/go.mod h1:VCgBUoMnIVIR0CscqQiPJLAG25E3ZRZMzcFZeQ+h8CI= +cloud.google.com/go/compute/metadata v0.1.0/go.mod h1:Z1VN+bulIf6bt4P/C37K4DyZYZEXYonfTBHHFPO/4UU= +cloud.google.com/go/compute/metadata v0.2.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k= +cloud.google.com/go/compute/metadata v0.2.1/go.mod h1:jgHgmJd2RKBGzXqF5LR2EZMGxBkeanZ9wwa75XHJgOM= +cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY= 
+cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= +cloud.google.com/go/contactcenterinsights v1.3.0/go.mod h1:Eu2oemoePuEFc/xKFPjbTuPSj0fYJcPls9TFlPNnHHY= +cloud.google.com/go/contactcenterinsights v1.4.0/go.mod h1:L2YzkGbPsv+vMQMCADxJoT9YiTTnSEd6fEvCeHTYVck= +cloud.google.com/go/contactcenterinsights v1.6.0/go.mod h1:IIDlT6CLcDoyv79kDv8iWxMSTZhLxSCofVV5W6YFM/w= +cloud.google.com/go/contactcenterinsights v1.9.1/go.mod h1:bsg/R7zGLYMVxFFzfh9ooLTruLRCG9fnzhH9KznHhbM= +cloud.google.com/go/contactcenterinsights v1.10.0/go.mod h1:bsg/R7zGLYMVxFFzfh9ooLTruLRCG9fnzhH9KznHhbM= +cloud.google.com/go/contactcenterinsights v1.11.0/go.mod h1:hutBdImE4XNZ1NV4vbPJKSFOnQruhC5Lj9bZqWMTKiU= +cloud.google.com/go/contactcenterinsights v1.11.1/go.mod h1:FeNP3Kg8iteKM80lMwSk3zZZKVxr+PGnAId6soKuXwE= +cloud.google.com/go/contactcenterinsights v1.11.2/go.mod h1:A9PIR5ov5cRcd28KlDbmmXE8Aay+Gccer2h4wzkYFso= +cloud.google.com/go/contactcenterinsights v1.11.3/go.mod h1:HHX5wrz5LHVAwfI2smIotQG9x8Qd6gYilaHcLLLmNis= +cloud.google.com/go/container v1.6.0/go.mod h1:Xazp7GjJSeUYo688S+6J5V+n/t+G5sKBTFkKNudGRxg= +cloud.google.com/go/container v1.7.0/go.mod h1:Dp5AHtmothHGX3DwwIHPgq45Y8KmNsgN3amoYfxVkLo= +cloud.google.com/go/container v1.13.1/go.mod h1:6wgbMPeQRw9rSnKBCAJXnds3Pzj03C4JHamr8asWKy4= +cloud.google.com/go/container v1.14.0/go.mod h1:3AoJMPhHfLDxLvrlVWaK57IXzaPnLaZq63WX59aQBfM= +cloud.google.com/go/container v1.15.0/go.mod h1:ft+9S0WGjAyjDggg5S06DXj+fHJICWg8L7isCQe9pQA= +cloud.google.com/go/container v1.22.1/go.mod h1:lTNExE2R7f+DLbAN+rJiKTisauFCaoDq6NURZ83eVH4= +cloud.google.com/go/container v1.24.0/go.mod h1:lTNExE2R7f+DLbAN+rJiKTisauFCaoDq6NURZ83eVH4= +cloud.google.com/go/container v1.26.0/go.mod h1:YJCmRet6+6jnYYRS000T6k0D0xUXQgBSaJ7VwI8FBj4= +cloud.google.com/go/container v1.26.1/go.mod h1:5smONjPRUxeEpDG7bMKWfDL4sauswqEtnBK1/KKpR04= +cloud.google.com/go/container v1.26.2/go.mod h1:YlO84xCt5xupVbLaMY4s3XNE79MUJ+49VmkInr6HvF4= 
+cloud.google.com/go/container v1.27.1/go.mod h1:b1A1gJeTBXVLQ6GGw9/9M4FG94BEGsqJ5+t4d/3N7O4= +cloud.google.com/go/containeranalysis v0.5.1/go.mod h1:1D92jd8gRR/c0fGMlymRgxWD3Qw9C1ff6/T7mLgVL8I= +cloud.google.com/go/containeranalysis v0.6.0/go.mod h1:HEJoiEIu+lEXM+k7+qLCci0h33lX3ZqoYFdmPcoO7s4= +cloud.google.com/go/containeranalysis v0.7.0/go.mod h1:9aUL+/vZ55P2CXfuZjS4UjQ9AgXoSw8Ts6lemfmxBxI= +cloud.google.com/go/containeranalysis v0.9.0/go.mod h1:orbOANbwk5Ejoom+s+DUCTTJ7IBdBQJDcSylAx/on9s= +cloud.google.com/go/containeranalysis v0.10.1/go.mod h1:Ya2jiILITMY68ZLPaogjmOMNkwsDrWBSTyBubGXO7j0= +cloud.google.com/go/containeranalysis v0.11.0/go.mod h1:4n2e99ZwpGxpNcz+YsFT1dfOHPQFGcAC8FN2M2/ne/U= +cloud.google.com/go/containeranalysis v0.11.1/go.mod h1:rYlUOM7nem1OJMKwE1SadufX0JP3wnXj844EtZAwWLY= +cloud.google.com/go/containeranalysis v0.11.2/go.mod h1:xibioGBC1MD2j4reTyV1xY1/MvKaz+fyM9ENWhmIeP8= +cloud.google.com/go/containeranalysis v0.11.3/go.mod h1:kMeST7yWFQMGjiG9K7Eov+fPNQcGhb8mXj/UcTiWw9U= +cloud.google.com/go/datacatalog v1.3.0/go.mod h1:g9svFY6tuR+j+hrTw3J2dNcmI0dzmSiyOzm8kpLq0a0= +cloud.google.com/go/datacatalog v1.5.0/go.mod h1:M7GPLNQeLfWqeIm3iuiruhPzkt65+Bx8dAKvScX8jvs= +cloud.google.com/go/datacatalog v1.6.0/go.mod h1:+aEyF8JKg+uXcIdAmmaMUmZ3q1b/lKLtXCmXdnc0lbc= +cloud.google.com/go/datacatalog v1.7.0/go.mod h1:9mEl4AuDYWw81UGc41HonIHH7/sn52H0/tc8f8ZbZIE= +cloud.google.com/go/datacatalog v1.8.0/go.mod h1:KYuoVOv9BM8EYz/4eMFxrr4DUKhGIOXxZoKYF5wdISM= +cloud.google.com/go/datacatalog v1.8.1/go.mod h1:RJ58z4rMp3gvETA465Vg+ag8BGgBdnRPEMMSTr5Uv+M= +cloud.google.com/go/datacatalog v1.12.0/go.mod h1:CWae8rFkfp6LzLumKOnmVh4+Zle4A3NXLzVJ1d1mRm0= +cloud.google.com/go/datacatalog v1.13.0/go.mod h1:E4Rj9a5ZtAxcQJlEBTLgMTphfP11/lNaAshpoBgemX8= +cloud.google.com/go/datacatalog v1.14.0/go.mod h1:h0PrGtlihoutNMp/uvwhawLQ9+c63Kz65UFqh49Yo+E= +cloud.google.com/go/datacatalog v1.14.1/go.mod h1:d2CevwTG4yedZilwe+v3E3ZBDRMobQfSG/a6cCCN5R4= +cloud.google.com/go/datacatalog 
v1.16.0/go.mod h1:d2CevwTG4yedZilwe+v3E3ZBDRMobQfSG/a6cCCN5R4= +cloud.google.com/go/datacatalog v1.17.1/go.mod h1:nCSYFHgtxh2MiEktWIz71s/X+7ds/UT9kp0PC7waCzE= +cloud.google.com/go/datacatalog v1.18.0/go.mod h1:nCSYFHgtxh2MiEktWIz71s/X+7ds/UT9kp0PC7waCzE= +cloud.google.com/go/datacatalog v1.18.1/go.mod h1:TzAWaz+ON1tkNr4MOcak8EBHX7wIRX/gZKM+yTVsv+A= +cloud.google.com/go/datacatalog v1.18.2/go.mod h1:SPVgWW2WEMuWHA+fHodYjmxPiMqcOiWfhc9OD5msigk= +cloud.google.com/go/datacatalog v1.18.3/go.mod h1:5FR6ZIF8RZrtml0VUao22FxhdjkoG+a0866rEnObryM= +cloud.google.com/go/dataflow v0.6.0/go.mod h1:9QwV89cGoxjjSR9/r7eFDqqjtvbKxAK2BaYU6PVk9UM= +cloud.google.com/go/dataflow v0.7.0/go.mod h1:PX526vb4ijFMesO1o202EaUmouZKBpjHsTlCtB4parQ= +cloud.google.com/go/dataflow v0.8.0/go.mod h1:Rcf5YgTKPtQyYz8bLYhFoIV/vP39eL7fWNcSOyFfLJE= +cloud.google.com/go/dataflow v0.9.1/go.mod h1:Wp7s32QjYuQDWqJPFFlnBKhkAtiFpMTdg00qGbnIHVw= +cloud.google.com/go/dataflow v0.9.2/go.mod h1:vBfdBZ/ejlTaYIGB3zB4T08UshH70vbtZeMD+urnUSo= +cloud.google.com/go/dataflow v0.9.3/go.mod h1:HI4kMVjcHGTs3jTHW/kv3501YW+eloiJSLxkJa/vqFE= +cloud.google.com/go/dataflow v0.9.4/go.mod h1:4G8vAkHYCSzU8b/kmsoR2lWyHJD85oMJPHMtan40K8w= +cloud.google.com/go/dataform v0.3.0/go.mod h1:cj8uNliRlHpa6L3yVhDOBrUXH+BPAO1+KFMQQNSThKo= +cloud.google.com/go/dataform v0.4.0/go.mod h1:fwV6Y4Ty2yIFL89huYlEkwUPtS7YZinZbzzj5S9FzCE= +cloud.google.com/go/dataform v0.5.0/go.mod h1:GFUYRe8IBa2hcomWplodVmUx/iTL0FrsauObOM3Ipr0= +cloud.google.com/go/dataform v0.6.0/go.mod h1:QPflImQy33e29VuapFdf19oPbE4aYTJxr31OAPV+ulA= +cloud.google.com/go/dataform v0.7.0/go.mod h1:7NulqnVozfHvWUBpMDfKMUESr+85aJsC/2O0o3jWPDE= +cloud.google.com/go/dataform v0.8.1/go.mod h1:3BhPSiw8xmppbgzeBbmDvmSWlwouuJkXsXsb8UBih9M= +cloud.google.com/go/dataform v0.8.2/go.mod h1:X9RIqDs6NbGPLR80tnYoPNiO1w0wenKTb8PxxlhTMKM= +cloud.google.com/go/dataform v0.8.3/go.mod h1:8nI/tvv5Fso0drO3pEjtowz58lodx8MVkdV2q0aPlqg= +cloud.google.com/go/dataform v0.9.1/go.mod 
h1:pWTg+zGQ7i16pyn0bS1ruqIE91SdL2FDMvEYu/8oQxs= +cloud.google.com/go/datafusion v1.4.0/go.mod h1:1Zb6VN+W6ALo85cXnM1IKiPw+yQMKMhB9TsTSRDo/38= +cloud.google.com/go/datafusion v1.5.0/go.mod h1:Kz+l1FGHB0J+4XF2fud96WMmRiq/wj8N9u007vyXZ2w= +cloud.google.com/go/datafusion v1.6.0/go.mod h1:WBsMF8F1RhSXvVM8rCV3AeyWVxcC2xY6vith3iw3S+8= +cloud.google.com/go/datafusion v1.7.1/go.mod h1:KpoTBbFmoToDExJUso/fcCiguGDk7MEzOWXUsJo0wsI= +cloud.google.com/go/datafusion v1.7.2/go.mod h1:62K2NEC6DRlpNmI43WHMWf9Vg/YvN6QVi8EVwifElI0= +cloud.google.com/go/datafusion v1.7.3/go.mod h1:eoLt1uFXKGBq48jy9LZ+Is8EAVLnmn50lNncLzwYokE= +cloud.google.com/go/datafusion v1.7.4/go.mod h1:BBs78WTOLYkT4GVZIXQCZT3GFpkpDN4aBY4NDX/jVlM= +cloud.google.com/go/datalabeling v0.5.0/go.mod h1:TGcJ0G2NzcsXSE/97yWjIZO0bXj0KbVlINXMG9ud42I= +cloud.google.com/go/datalabeling v0.6.0/go.mod h1:WqdISuk/+WIGeMkpw/1q7bK/tFEZxsrFJOJdY2bXvTQ= +cloud.google.com/go/datalabeling v0.7.0/go.mod h1:WPQb1y08RJbmpM3ww0CSUAGweL0SxByuW2E+FU+wXcM= +cloud.google.com/go/datalabeling v0.8.1/go.mod h1:XS62LBSVPbYR54GfYQsPXZjTW8UxCK2fkDciSrpRFdY= +cloud.google.com/go/datalabeling v0.8.2/go.mod h1:cyDvGHuJWu9U/cLDA7d8sb9a0tWLEletStu2sTmg3BE= +cloud.google.com/go/datalabeling v0.8.3/go.mod h1:tvPhpGyS/V7lqjmb3V0TaDdGvhzgR1JoW7G2bpi2UTI= +cloud.google.com/go/datalabeling v0.8.4/go.mod h1:Z1z3E6LHtffBGrNUkKwbwbDxTiXEApLzIgmymj8A3S8= +cloud.google.com/go/dataplex v1.3.0/go.mod h1:hQuRtDg+fCiFgC8j0zV222HvzFQdRd+SVX8gdmFcZzA= +cloud.google.com/go/dataplex v1.4.0/go.mod h1:X51GfLXEMVJ6UN47ESVqvlsRplbLhcsAt0kZCCKsU0A= +cloud.google.com/go/dataplex v1.5.2/go.mod h1:cVMgQHsmfRoI5KFYq4JtIBEUbYwc3c7tXmIDhRmNNVQ= +cloud.google.com/go/dataplex v1.6.0/go.mod h1:bMsomC/aEJOSpHXdFKFGQ1b0TDPIeL28nJObeO1ppRs= +cloud.google.com/go/dataplex v1.8.1/go.mod h1:7TyrDT6BCdI8/38Uvp0/ZxBslOslP2X2MPDucliyvSE= +cloud.google.com/go/dataplex v1.9.0/go.mod h1:7TyrDT6BCdI8/38Uvp0/ZxBslOslP2X2MPDucliyvSE= +cloud.google.com/go/dataplex v1.9.1/go.mod 
h1:7TyrDT6BCdI8/38Uvp0/ZxBslOslP2X2MPDucliyvSE= +cloud.google.com/go/dataplex v1.10.1/go.mod h1:1MzmBv8FvjYfc7vDdxhnLFNskikkB+3vl475/XdCDhs= +cloud.google.com/go/dataplex v1.10.2/go.mod h1:xdC8URdTrCrZMW6keY779ZT1cTOfV8KEPNsw+LTRT1Y= +cloud.google.com/go/dataplex v1.11.1/go.mod h1:mHJYQQ2VEJHsyoC0OdNyy988DvEbPhqFs5OOLffLX0c= +cloud.google.com/go/dataproc v1.7.0/go.mod h1:CKAlMjII9H90RXaMpSxQ8EU6dQx6iAYNPcYPOkSbi8s= +cloud.google.com/go/dataproc v1.8.0/go.mod h1:5OW+zNAH0pMpw14JVrPONsxMQYMBqJuzORhIBfBn9uI= +cloud.google.com/go/dataproc v1.12.0/go.mod h1:zrF3aX0uV3ikkMz6z4uBbIKyhRITnxvr4i3IjKsKrw4= +cloud.google.com/go/dataproc/v2 v2.0.1/go.mod h1:7Ez3KRHdFGcfY7GcevBbvozX+zyWGcwLJvvAMwCaoZ4= +cloud.google.com/go/dataproc/v2 v2.2.0/go.mod h1:lZR7AQtwZPvmINx5J87DSOOpTfof9LVZju6/Qo4lmcY= +cloud.google.com/go/dataproc/v2 v2.2.1/go.mod h1:QdAJLaBjh+l4PVlVZcmrmhGccosY/omC1qwfQ61Zv/o= +cloud.google.com/go/dataproc/v2 v2.2.2/go.mod h1:aocQywVmQVF4i8CL740rNI/ZRpsaaC1Wh2++BJ7HEJ4= +cloud.google.com/go/dataproc/v2 v2.2.3/go.mod h1:G5R6GBc9r36SXv/RtZIVfB8SipI+xVn0bX5SxUzVYbY= +cloud.google.com/go/dataqna v0.5.0/go.mod h1:90Hyk596ft3zUQ8NkFfvICSIfHFh1Bc7C4cK3vbhkeo= +cloud.google.com/go/dataqna v0.6.0/go.mod h1:1lqNpM7rqNLVgWBJyk5NF6Uen2PHym0jtVJonplVsDA= +cloud.google.com/go/dataqna v0.7.0/go.mod h1:Lx9OcIIeqCrw1a6KdO3/5KMP1wAmTc0slZWwP12Qq3c= +cloud.google.com/go/dataqna v0.8.1/go.mod h1:zxZM0Bl6liMePWsHA8RMGAfmTG34vJMapbHAxQ5+WA8= +cloud.google.com/go/dataqna v0.8.2/go.mod h1:KNEqgx8TTmUipnQsScOoDpq/VlXVptUqVMZnt30WAPs= +cloud.google.com/go/dataqna v0.8.3/go.mod h1:wXNBW2uvc9e7Gl5k8adyAMnLush1KVV6lZUhB+rqNu4= +cloud.google.com/go/dataqna v0.8.4/go.mod h1:mySRKjKg5Lz784P6sCov3p1QD+RZQONRMRjzGNcFd0c= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= +cloud.google.com/go/datastore v1.10.0/go.mod h1:PC5UzAmDEkAmkfaknstTYbNpgE49HAgW2J1gcgUfmdM= 
+cloud.google.com/go/datastore v1.11.0/go.mod h1:TvGxBIHCS50u8jzG+AW/ppf87v1of8nwzFNgEZU1D3c= +cloud.google.com/go/datastore v1.12.0/go.mod h1:KjdB88W897MRITkvWWJrg2OUtrR5XVj1EoLgSp6/N70= +cloud.google.com/go/datastore v1.12.1/go.mod h1:KjdB88W897MRITkvWWJrg2OUtrR5XVj1EoLgSp6/N70= +cloud.google.com/go/datastore v1.13.0/go.mod h1:KjdB88W897MRITkvWWJrg2OUtrR5XVj1EoLgSp6/N70= +cloud.google.com/go/datastore v1.14.0/go.mod h1:GAeStMBIt9bPS7jMJA85kgkpsMkvseWWXiaHya9Jes8= +cloud.google.com/go/datastore v1.15.0/go.mod h1:GAeStMBIt9bPS7jMJA85kgkpsMkvseWWXiaHya9Jes8= +cloud.google.com/go/datastream v1.2.0/go.mod h1:i/uTP8/fZwgATHS/XFu0TcNUhuA0twZxxQ3EyCUQMwo= +cloud.google.com/go/datastream v1.3.0/go.mod h1:cqlOX8xlyYF/uxhiKn6Hbv6WjwPPuI9W2M9SAXwaLLQ= +cloud.google.com/go/datastream v1.4.0/go.mod h1:h9dpzScPhDTs5noEMQVWP8Wx8AFBRyS0s8KWPx/9r0g= +cloud.google.com/go/datastream v1.5.0/go.mod h1:6TZMMNPwjUqZHBKPQ1wwXpb0d5VDVPl2/XoS5yi88q4= +cloud.google.com/go/datastream v1.6.0/go.mod h1:6LQSuswqLa7S4rPAOZFVjHIG3wJIjZcZrw8JDEDJuIs= +cloud.google.com/go/datastream v1.7.0/go.mod h1:uxVRMm2elUSPuh65IbZpzJNMbuzkcvu5CjMqVIUHrww= +cloud.google.com/go/datastream v1.9.1/go.mod h1:hqnmr8kdUBmrnk65k5wNRoHSCYksvpdZIcZIEl8h43Q= +cloud.google.com/go/datastream v1.10.0/go.mod h1:hqnmr8kdUBmrnk65k5wNRoHSCYksvpdZIcZIEl8h43Q= +cloud.google.com/go/datastream v1.10.1/go.mod h1:7ngSYwnw95YFyTd5tOGBxHlOZiL+OtpjheqU7t2/s/c= +cloud.google.com/go/datastream v1.10.2/go.mod h1:W42TFgKAs/om6x/CdXX5E4oiAsKlH+e8MTGy81zdYt0= +cloud.google.com/go/datastream v1.10.3/go.mod h1:YR0USzgjhqA/Id0Ycu1VvZe8hEWwrkjuXrGbzeDOSEA= +cloud.google.com/go/deploy v1.4.0/go.mod h1:5Xghikd4VrmMLNaF6FiRFDlHb59VM59YoDQnOUdsH/c= +cloud.google.com/go/deploy v1.5.0/go.mod h1:ffgdD0B89tToyW/U/D2eL0jN2+IEV/3EMuXHA0l4r+s= +cloud.google.com/go/deploy v1.6.0/go.mod h1:f9PTHehG/DjCom3QH0cntOVRm93uGBDt2vKzAPwpXQI= +cloud.google.com/go/deploy v1.8.0/go.mod h1:z3myEJnA/2wnB4sgjqdMfgxCA0EqC3RBTNcVPs93mtQ= +cloud.google.com/go/deploy 
v1.11.0/go.mod h1:tKuSUV5pXbn67KiubiUNUejqLs4f5cxxiCNCeyl0F2g= +cloud.google.com/go/deploy v1.13.0/go.mod h1:tKuSUV5pXbn67KiubiUNUejqLs4f5cxxiCNCeyl0F2g= +cloud.google.com/go/deploy v1.13.1/go.mod h1:8jeadyLkH9qu9xgO3hVWw8jVr29N1mnW42gRJT8GY6g= +cloud.google.com/go/deploy v1.14.1/go.mod h1:N8S0b+aIHSEeSr5ORVoC0+/mOPUysVt8ae4QkZYolAw= +cloud.google.com/go/deploy v1.14.2/go.mod h1:e5XOUI5D+YGldyLNZ21wbp9S8otJbBE4i88PtO9x/2g= +cloud.google.com/go/dialogflow v1.15.0/go.mod h1:HbHDWs33WOGJgn6rfzBW1Kv807BE3O1+xGbn59zZWI4= +cloud.google.com/go/dialogflow v1.16.1/go.mod h1:po6LlzGfK+smoSmTBnbkIZY2w8ffjz/RcGSS+sh1el0= +cloud.google.com/go/dialogflow v1.17.0/go.mod h1:YNP09C/kXA1aZdBgC/VtXX74G/TKn7XVCcVumTflA+8= +cloud.google.com/go/dialogflow v1.18.0/go.mod h1:trO7Zu5YdyEuR+BhSNOqJezyFQ3aUzz0njv7sMx/iek= +cloud.google.com/go/dialogflow v1.19.0/go.mod h1:JVmlG1TwykZDtxtTXujec4tQ+D8SBFMoosgy+6Gn0s0= +cloud.google.com/go/dialogflow v1.29.0/go.mod h1:b+2bzMe+k1s9V+F2jbJwpHPzrnIyHihAdRFMtn2WXuM= +cloud.google.com/go/dialogflow v1.31.0/go.mod h1:cuoUccuL1Z+HADhyIA7dci3N5zUssgpBJmCzI6fNRB4= +cloud.google.com/go/dialogflow v1.32.0/go.mod h1:jG9TRJl8CKrDhMEcvfcfFkkpp8ZhgPz3sBGmAUYJ2qE= +cloud.google.com/go/dialogflow v1.38.0/go.mod h1:L7jnH+JL2mtmdChzAIcXQHXMvQkE3U4hTaNltEuxXn4= +cloud.google.com/go/dialogflow v1.40.0/go.mod h1:L7jnH+JL2mtmdChzAIcXQHXMvQkE3U4hTaNltEuxXn4= +cloud.google.com/go/dialogflow v1.43.0/go.mod h1:pDUJdi4elL0MFmt1REMvFkdsUTYSHq+rTCS8wg0S3+M= +cloud.google.com/go/dialogflow v1.44.0/go.mod h1:pDUJdi4elL0MFmt1REMvFkdsUTYSHq+rTCS8wg0S3+M= +cloud.google.com/go/dialogflow v1.44.1/go.mod h1:n/h+/N2ouKOO+rbe/ZnI186xImpqvCVj2DdsWS/0EAk= +cloud.google.com/go/dialogflow v1.44.2/go.mod h1:QzFYndeJhpVPElnFkUXxdlptx0wPnBWLCBT9BvtC3/c= +cloud.google.com/go/dialogflow v1.44.3/go.mod h1:mHly4vU7cPXVweuB5R0zsYKPMzy240aQdAu06SqBbAQ= +cloud.google.com/go/dlp v1.6.0/go.mod h1:9eyB2xIhpU0sVwUixfBubDoRwP+GjeUoxxeueZmqvmM= +cloud.google.com/go/dlp v1.7.0/go.mod 
h1:68ak9vCiMBjbasxeVD17hVPxDEck+ExiHavX8kiHG+Q= +cloud.google.com/go/dlp v1.9.0/go.mod h1:qdgmqgTyReTz5/YNSSuueR8pl7hO0o9bQ39ZhtgkWp4= +cloud.google.com/go/dlp v1.10.1/go.mod h1:IM8BWz1iJd8njcNcG0+Kyd9OPnqnRNkDV8j42VT5KOI= +cloud.google.com/go/dlp v1.10.2/go.mod h1:ZbdKIhcnyhILgccwVDzkwqybthh7+MplGC3kZVZsIOQ= +cloud.google.com/go/dlp v1.10.3/go.mod h1:iUaTc/ln8I+QT6Ai5vmuwfw8fqTk2kaz0FvCwhLCom0= +cloud.google.com/go/dlp v1.11.1/go.mod h1:/PA2EnioBeXTL/0hInwgj0rfsQb3lpE3R8XUJxqUNKI= +cloud.google.com/go/documentai v1.7.0/go.mod h1:lJvftZB5NRiFSX4moiye1SMxHx0Bc3x1+p9e/RfXYiU= +cloud.google.com/go/documentai v1.8.0/go.mod h1:xGHNEB7CtsnySCNrCFdCyyMz44RhFEEX2Q7UD0c5IhU= +cloud.google.com/go/documentai v1.9.0/go.mod h1:FS5485S8R00U10GhgBC0aNGrJxBP8ZVpEeJ7PQDZd6k= +cloud.google.com/go/documentai v1.10.0/go.mod h1:vod47hKQIPeCfN2QS/jULIvQTugbmdc0ZvxxfQY1bg4= +cloud.google.com/go/documentai v1.16.0/go.mod h1:o0o0DLTEZ+YnJZ+J4wNfTxmDVyrkzFvttBXXtYRMHkM= +cloud.google.com/go/documentai v1.18.0/go.mod h1:F6CK6iUH8J81FehpskRmhLq/3VlwQvb7TvwOceQ2tbs= +cloud.google.com/go/documentai v1.20.0/go.mod h1:yJkInoMcK0qNAEdRnqY/D5asy73tnPe88I1YTZT+a8E= +cloud.google.com/go/documentai v1.22.0/go.mod h1:yJkInoMcK0qNAEdRnqY/D5asy73tnPe88I1YTZT+a8E= +cloud.google.com/go/documentai v1.22.1/go.mod h1:LKs22aDHbJv7ufXuPypzRO7rG3ALLJxzdCXDPutw4Qc= +cloud.google.com/go/documentai v1.23.0/go.mod h1:LKs22aDHbJv7ufXuPypzRO7rG3ALLJxzdCXDPutw4Qc= +cloud.google.com/go/documentai v1.23.2/go.mod h1:Q/wcRT+qnuXOpjAkvOV4A+IeQl04q2/ReT7SSbytLSo= +cloud.google.com/go/documentai v1.23.4/go.mod h1:4MYAaEMnADPN1LPN5xboDR5QVB6AgsaxgFdJhitlE2Y= +cloud.google.com/go/documentai v1.23.5/go.mod h1:ghzBsyVTiVdkfKaUCum/9bGBEyBjDO4GfooEcYKhN+g= +cloud.google.com/go/domains v0.6.0/go.mod h1:T9Rz3GasrpYk6mEGHh4rymIhjlnIuB4ofT1wTxDeT4Y= +cloud.google.com/go/domains v0.7.0/go.mod h1:PtZeqS1xjnXuRPKE/88Iru/LdfoRyEHYA9nFQf4UKpg= +cloud.google.com/go/domains v0.8.0/go.mod h1:M9i3MMDzGFXsydri9/vW+EWz9sWb4I6WyHqdlAk0idE= 
+cloud.google.com/go/domains v0.9.1/go.mod h1:aOp1c0MbejQQ2Pjf1iJvnVyT+z6R6s8pX66KaCSDYfE= +cloud.google.com/go/domains v0.9.2/go.mod h1:3YvXGYzZG1Temjbk7EyGCuGGiXHJwVNmwIf+E/cUp5I= +cloud.google.com/go/domains v0.9.3/go.mod h1:29k66YNDLDY9LCFKpGFeh6Nj9r62ZKm5EsUJxAl84KU= +cloud.google.com/go/domains v0.9.4/go.mod h1:27jmJGShuXYdUNjyDG0SodTfT5RwLi7xmH334Gvi3fY= +cloud.google.com/go/edgecontainer v0.1.0/go.mod h1:WgkZ9tp10bFxqO8BLPqv2LlfmQF1X8lZqwW4r1BTajk= +cloud.google.com/go/edgecontainer v0.2.0/go.mod h1:RTmLijy+lGpQ7BXuTDa4C4ssxyXT34NIuHIgKuP4s5w= +cloud.google.com/go/edgecontainer v0.3.0/go.mod h1:FLDpP4nykgwwIfcLt6zInhprzw0lEi2P1fjO6Ie0qbc= +cloud.google.com/go/edgecontainer v1.0.0/go.mod h1:cttArqZpBB2q58W/upSG++ooo6EsblxDIolxa3jSjbY= +cloud.google.com/go/edgecontainer v1.1.1/go.mod h1:O5bYcS//7MELQZs3+7mabRqoWQhXCzenBu0R8bz2rwk= +cloud.google.com/go/edgecontainer v1.1.2/go.mod h1:wQRjIzqxEs9e9wrtle4hQPSR1Y51kqN75dgF7UllZZ4= +cloud.google.com/go/edgecontainer v1.1.3/go.mod h1:Ll2DtIABzEfaxaVSbwj3QHFaOOovlDFiWVDu349jSsA= +cloud.google.com/go/edgecontainer v1.1.4/go.mod h1:AvFdVuZuVGdgaE5YvlL1faAoa1ndRR/5XhXZvPBHbsE= +cloud.google.com/go/errorreporting v0.3.0/go.mod h1:xsP2yaAp+OAW4OIm60An2bbLpqIhKXdWR/tawvl7QzU= +cloud.google.com/go/essentialcontacts v1.3.0/go.mod h1:r+OnHa5jfj90qIfZDO/VztSFqbQan7HV75p8sA+mdGI= +cloud.google.com/go/essentialcontacts v1.4.0/go.mod h1:8tRldvHYsmnBCHdFpvU+GL75oWiBKl80BiqlFh9tp+8= +cloud.google.com/go/essentialcontacts v1.5.0/go.mod h1:ay29Z4zODTuwliK7SnX8E86aUF2CTzdNtvv42niCX0M= +cloud.google.com/go/essentialcontacts v1.6.2/go.mod h1:T2tB6tX+TRak7i88Fb2N9Ok3PvY3UNbUsMag9/BARh4= +cloud.google.com/go/essentialcontacts v1.6.3/go.mod h1:yiPCD7f2TkP82oJEFXFTou8Jl8L6LBRPeBEkTaO0Ggo= +cloud.google.com/go/essentialcontacts v1.6.4/go.mod h1:iju5Vy3d9tJUg0PYMd1nHhjV7xoCXaOAVabrwLaPBEM= +cloud.google.com/go/essentialcontacts v1.6.5/go.mod h1:jjYbPzw0x+yglXC890l6ECJWdYeZ5dlYACTFL0U/VuM= +cloud.google.com/go/eventarc v1.7.0/go.mod 
h1:6ctpF3zTnaQCxUjHUdcfgcA1A2T309+omHZth7gDfmc= +cloud.google.com/go/eventarc v1.8.0/go.mod h1:imbzxkyAU4ubfsaKYdQg04WS1NvncblHEup4kvF+4gw= +cloud.google.com/go/eventarc v1.10.0/go.mod h1:u3R35tmZ9HvswGRBnF48IlYgYeBcPUCjkr4BTdem2Kw= +cloud.google.com/go/eventarc v1.11.0/go.mod h1:PyUjsUKPWoRBCHeOxZd/lbOOjahV41icXyUY5kSTvVY= +cloud.google.com/go/eventarc v1.12.1/go.mod h1:mAFCW6lukH5+IZjkvrEss+jmt2kOdYlN8aMx3sRJiAI= +cloud.google.com/go/eventarc v1.13.0/go.mod h1:mAFCW6lukH5+IZjkvrEss+jmt2kOdYlN8aMx3sRJiAI= +cloud.google.com/go/eventarc v1.13.1/go.mod h1:EqBxmGHFrruIara4FUQ3RHlgfCn7yo1HYsu2Hpt/C3Y= +cloud.google.com/go/eventarc v1.13.2/go.mod h1:X9A80ShVu19fb4e5sc/OLV7mpFUKZMwfJFeeWhcIObM= +cloud.google.com/go/eventarc v1.13.3/go.mod h1:RWH10IAZIRcj1s/vClXkBgMHwh59ts7hSWcqD3kaclg= +cloud.google.com/go/filestore v1.3.0/go.mod h1:+qbvHGvXU1HaKX2nD0WEPo92TP/8AQuCVEBXNY9z0+w= +cloud.google.com/go/filestore v1.4.0/go.mod h1:PaG5oDfo9r224f8OYXURtAsY+Fbyq/bLYoINEK8XQAI= +cloud.google.com/go/filestore v1.5.0/go.mod h1:FqBXDWBp4YLHqRnVGveOkHDf8svj9r5+mUDLupOWEDs= +cloud.google.com/go/filestore v1.6.0/go.mod h1:di5unNuss/qfZTw2U9nhFqo8/ZDSc466dre85Kydllg= +cloud.google.com/go/filestore v1.7.1/go.mod h1:y10jsorq40JJnjR/lQ8AfFbbcGlw3g+Dp8oN7i7FjV4= +cloud.google.com/go/filestore v1.7.2/go.mod h1:TYOlyJs25f/omgj+vY7/tIG/E7BX369triSPzE4LdgE= +cloud.google.com/go/filestore v1.7.3/go.mod h1:Qp8WaEERR3cSkxToxFPHh/b8AACkSut+4qlCjAmKTV0= +cloud.google.com/go/filestore v1.7.4/go.mod h1:S5JCxIbFjeBhWMTfIYH2Jx24J6BqjwpkkPl+nBA5DlI= +cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk= +cloud.google.com/go/firestore v1.9.0/go.mod h1:HMkjKHNTtRyZNiMzu7YAsLr9K3X2udY2AMwDaMEQiiE= +cloud.google.com/go/firestore v1.11.0/go.mod h1:b38dKhgzlmNNGTNZZwe7ZRFEuRab1Hay3/DBsIGKKy4= +cloud.google.com/go/firestore v1.12.0/go.mod h1:b38dKhgzlmNNGTNZZwe7ZRFEuRab1Hay3/DBsIGKKy4= +cloud.google.com/go/firestore v1.13.0/go.mod 
h1:QojqqOh8IntInDUSTAh0c8ZsPYAr68Ma8c5DWOy8xb8= +cloud.google.com/go/firestore v1.14.0/go.mod h1:96MVaHLsEhbvkBEdZgfN+AS/GIkco1LRpH9Xp9YZfzQ= +cloud.google.com/go/functions v1.6.0/go.mod h1:3H1UA3qiIPRWD7PeZKLvHZ9SaQhR26XIJcC0A5GbvAk= +cloud.google.com/go/functions v1.7.0/go.mod h1:+d+QBcWM+RsrgZfV9xo6KfA1GlzJfxcfZcRPEhDDfzg= +cloud.google.com/go/functions v1.8.0/go.mod h1:RTZ4/HsQjIqIYP9a9YPbU+QFoQsAlYgrwOXJWHn1POY= +cloud.google.com/go/functions v1.9.0/go.mod h1:Y+Dz8yGguzO3PpIjhLTbnqV1CWmgQ5UwtlpzoyquQ08= +cloud.google.com/go/functions v1.10.0/go.mod h1:0D3hEOe3DbEvCXtYOZHQZmD+SzYsi1YbI7dGvHfldXw= +cloud.google.com/go/functions v1.12.0/go.mod h1:AXWGrF3e2C/5ehvwYo/GH6O5s09tOPksiKhz+hH8WkA= +cloud.google.com/go/functions v1.13.0/go.mod h1:EU4O007sQm6Ef/PwRsI8N2umygGqPBS/IZQKBQBcJ3c= +cloud.google.com/go/functions v1.15.1/go.mod h1:P5yNWUTkyU+LvW/S9O6V+V423VZooALQlqoXdoPz5AE= +cloud.google.com/go/functions v1.15.2/go.mod h1:CHAjtcR6OU4XF2HuiVeriEdELNcnvRZSk1Q8RMqy4lE= +cloud.google.com/go/functions v1.15.3/go.mod h1:r/AMHwBheapkkySEhiZYLDBwVJCdlRwsm4ieJu35/Ug= +cloud.google.com/go/functions v1.15.4/go.mod h1:CAsTc3VlRMVvx+XqXxKqVevguqJpnVip4DdonFsX28I= +cloud.google.com/go/gaming v1.5.0/go.mod h1:ol7rGcxP/qHTRQE/RO4bxkXq+Fix0j6D4LFPzYTIrDM= +cloud.google.com/go/gaming v1.6.0/go.mod h1:YMU1GEvA39Qt3zWGyAVA9bpYz/yAhTvaQ1t2sK4KPUA= +cloud.google.com/go/gaming v1.7.0/go.mod h1:LrB8U7MHdGgFG851iHAfqUdLcKBdQ55hzXy9xBJz0+w= +cloud.google.com/go/gaming v1.8.0/go.mod h1:xAqjS8b7jAVW0KFYeRUxngo9My3f33kFmua++Pi+ggM= +cloud.google.com/go/gaming v1.9.0/go.mod h1:Fc7kEmCObylSWLO334NcO+O9QMDyz+TKC4v1D7X+Bc0= +cloud.google.com/go/gaming v1.10.1/go.mod h1:XQQvtfP8Rb9Rxnxm5wFVpAp9zCQkJi2bLIb7iHGwB3s= +cloud.google.com/go/gkebackup v0.2.0/go.mod h1:XKvv/4LfG829/B8B7xRkk8zRrOEbKtEam6yNfuQNH60= +cloud.google.com/go/gkebackup v0.3.0/go.mod h1:n/E671i1aOQvUxT541aTkCwExO/bTer2HDlj4TsBRAo= +cloud.google.com/go/gkebackup v0.4.0/go.mod h1:byAyBGUwYGEEww7xsbnUTBHIYcOPy/PgUWUtOeRm9Vg= 
+cloud.google.com/go/gkebackup v1.3.0/go.mod h1:vUDOu++N0U5qs4IhG1pcOnD1Mac79xWy6GoBFlWCWBU= +cloud.google.com/go/gkebackup v1.3.1/go.mod h1:vUDOu++N0U5qs4IhG1pcOnD1Mac79xWy6GoBFlWCWBU= +cloud.google.com/go/gkebackup v1.3.2/go.mod h1:OMZbXzEJloyXMC7gqdSB+EOEQ1AKcpGYvO3s1ec5ixk= +cloud.google.com/go/gkebackup v1.3.3/go.mod h1:eMk7/wVV5P22KBakhQnJxWSVftL1p4VBFLpv0kIft7I= +cloud.google.com/go/gkebackup v1.3.4/go.mod h1:gLVlbM8h/nHIs09ns1qx3q3eaXcGSELgNu1DWXYz1HI= +cloud.google.com/go/gkeconnect v0.5.0/go.mod h1:c5lsNAg5EwAy7fkqX/+goqFsU1Da/jQFqArp+wGNr/o= +cloud.google.com/go/gkeconnect v0.6.0/go.mod h1:Mln67KyU/sHJEBY8kFZ0xTeyPtzbq9StAVvEULYK16A= +cloud.google.com/go/gkeconnect v0.7.0/go.mod h1:SNfmVqPkaEi3bF/B3CNZOAYPYdg7sU+obZ+QTky2Myw= +cloud.google.com/go/gkeconnect v0.8.1/go.mod h1:KWiK1g9sDLZqhxB2xEuPV8V9NYzrqTUmQR9shJHpOZw= +cloud.google.com/go/gkeconnect v0.8.2/go.mod h1:6nAVhwchBJYgQCXD2pHBFQNiJNyAd/wyxljpaa6ZPrY= +cloud.google.com/go/gkeconnect v0.8.3/go.mod h1:i9GDTrfzBSUZGCe98qSu1B8YB8qfapT57PenIb820Jo= +cloud.google.com/go/gkeconnect v0.8.4/go.mod h1:84hZz4UMlDCKl8ifVW8layK4WHlMAFeq8vbzjU0yJkw= +cloud.google.com/go/gkehub v0.9.0/go.mod h1:WYHN6WG8w9bXU0hqNxt8rm5uxnk8IH+lPY9J2TV7BK0= +cloud.google.com/go/gkehub v0.10.0/go.mod h1:UIPwxI0DsrpsVoWpLB0stwKCP+WFVG9+y977wO+hBH0= +cloud.google.com/go/gkehub v0.11.0/go.mod h1:JOWHlmN+GHyIbuWQPl47/C2RFhnFKH38jH9Ascu3n0E= +cloud.google.com/go/gkehub v0.12.0/go.mod h1:djiIwwzTTBrF5NaXCGv3mf7klpEMcST17VBTVVDcuaw= +cloud.google.com/go/gkehub v0.14.1/go.mod h1:VEXKIJZ2avzrbd7u+zeMtW00Y8ddk/4V9511C9CQGTY= +cloud.google.com/go/gkehub v0.14.2/go.mod h1:iyjYH23XzAxSdhrbmfoQdePnlMj2EWcvnR+tHdBQsCY= +cloud.google.com/go/gkehub v0.14.3/go.mod h1:jAl6WafkHHW18qgq7kqcrXYzN08hXeK/Va3utN8VKg8= +cloud.google.com/go/gkehub v0.14.4/go.mod h1:Xispfu2MqnnFt8rV/2/3o73SK1snL8s9dYJ9G2oQMfc= +cloud.google.com/go/gkemulticloud v0.3.0/go.mod h1:7orzy7O0S+5kq95e4Hpn7RysVA7dPs8W/GgfUtsPbrA= +cloud.google.com/go/gkemulticloud v0.4.0/go.mod 
h1:E9gxVBnseLWCk24ch+P9+B2CoDFJZTyIgLKSalC7tuI= +cloud.google.com/go/gkemulticloud v0.5.0/go.mod h1:W0JDkiyi3Tqh0TJr//y19wyb1yf8llHVto2Htf2Ja3Y= +cloud.google.com/go/gkemulticloud v0.6.1/go.mod h1:kbZ3HKyTsiwqKX7Yw56+wUGwwNZViRnxWK2DVknXWfw= +cloud.google.com/go/gkemulticloud v1.0.0/go.mod h1:kbZ3HKyTsiwqKX7Yw56+wUGwwNZViRnxWK2DVknXWfw= +cloud.google.com/go/gkemulticloud v1.0.1/go.mod h1:AcrGoin6VLKT/fwZEYuqvVominLriQBCKmbjtnbMjG8= +cloud.google.com/go/gkemulticloud v1.0.2/go.mod h1:+ee5VXxKb3H1l4LZAcgWB/rvI16VTNTrInWxDjAGsGo= +cloud.google.com/go/gkemulticloud v1.0.3/go.mod h1:7NpJBN94U6DY1xHIbsDqB2+TFZUfjLUKLjUX8NGLor0= +cloud.google.com/go/grafeas v0.2.0/go.mod h1:KhxgtF2hb0P191HlY5besjYm6MqTSTj3LSI+M+ByZHc= +cloud.google.com/go/grafeas v0.3.0/go.mod h1:P7hgN24EyONOTMyeJH6DxG4zD7fwiYa5Q6GUgyFSOU8= +cloud.google.com/go/gsuiteaddons v1.3.0/go.mod h1:EUNK/J1lZEZO8yPtykKxLXI6JSVN2rg9bN8SXOa0bgM= +cloud.google.com/go/gsuiteaddons v1.4.0/go.mod h1:rZK5I8hht7u7HxFQcFei0+AtfS9uSushomRlg+3ua1o= +cloud.google.com/go/gsuiteaddons v1.5.0/go.mod h1:TFCClYLd64Eaa12sFVmUyG62tk4mdIsI7pAnSXRkcFo= +cloud.google.com/go/gsuiteaddons v1.6.1/go.mod h1:CodrdOqRZcLp5WOwejHWYBjZvfY0kOphkAKpF/3qdZY= +cloud.google.com/go/gsuiteaddons v1.6.2/go.mod h1:K65m9XSgs8hTF3X9nNTPi8IQueljSdYo9F+Mi+s4MyU= +cloud.google.com/go/gsuiteaddons v1.6.3/go.mod h1:sCFJkZoMrLZT3JTb8uJqgKPNshH2tfXeCwTFRebTq48= +cloud.google.com/go/gsuiteaddons v1.6.4/go.mod h1:rxtstw7Fx22uLOXBpsvb9DUbC+fiXs7rF4U29KHM/pE= +cloud.google.com/go/iam v0.1.0/go.mod h1:vcUNEa0pEm0qRVpmWepWaFMIAI8/hjB9mO8rNCJtF6c= +cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY= +cloud.google.com/go/iam v0.5.0/go.mod h1:wPU9Vt0P4UmCux7mqtRu6jcpPAb74cP1fh50J3QpkUc= +cloud.google.com/go/iam v0.6.0/go.mod h1:+1AH33ueBne5MzYccyMHtEKqLE4/kJOibtffMHDMFMc= +cloud.google.com/go/iam v0.7.0/go.mod h1:H5Br8wRaDGNc8XP3keLc4unfUUZeyH3Sfl9XpQEYOeg= +cloud.google.com/go/iam v0.8.0/go.mod 
h1:lga0/y3iH6CX7sYqypWJ33hf7kkfXJag67naqGESjkE= +cloud.google.com/go/iam v0.11.0/go.mod h1:9PiLDanza5D+oWFZiH1uG+RnRCfEGKoyl6yo4cgWZGY= +cloud.google.com/go/iam v0.12.0/go.mod h1:knyHGviacl11zrtZUoDuYpDgLjvr28sLQaG0YB2GYAY= +cloud.google.com/go/iam v0.13.0/go.mod h1:ljOg+rcNfzZ5d6f1nAUJ8ZIxOaZUVoS14bKCtaLZ/D0= +cloud.google.com/go/iam v1.0.1/go.mod h1:yR3tmSL8BcZB4bxByRv2jkSIahVmCtfKZwLYGBalRE8= +cloud.google.com/go/iam v1.1.0/go.mod h1:nxdHjaKfCr7fNYx/HJMM8LgiMugmveWlkatear5gVyk= +cloud.google.com/go/iam v1.1.1/go.mod h1:A5avdyVL2tCppe4unb0951eI9jreack+RJ0/d+KUZOU= +cloud.google.com/go/iam v1.1.2/go.mod h1:A5avdyVL2tCppe4unb0951eI9jreack+RJ0/d+KUZOU= +cloud.google.com/go/iam v1.1.3/go.mod h1:3khUlaBXfPKKe7huYgEpDn6FtgRyMEqbkvBxrQyY5SE= +cloud.google.com/go/iam v1.1.4/go.mod h1:l/rg8l1AaA+VFMho/HYx2Vv6xinPSLMF8qfhRPIZ0L8= +cloud.google.com/go/iam v1.1.5 h1:1jTsCu4bcsNsE4iiqNT5SHwrDRCfRmIaaaVFhRveTJI= +cloud.google.com/go/iam v1.1.5/go.mod h1:rB6P/Ic3mykPbFio+vo7403drjlgvoWfYpJhMXEbzv8= +cloud.google.com/go/iap v1.4.0/go.mod h1:RGFwRJdihTINIe4wZ2iCP0zF/qu18ZwyKxrhMhygBEc= +cloud.google.com/go/iap v1.5.0/go.mod h1:UH/CGgKd4KyohZL5Pt0jSKE4m3FR51qg6FKQ/z/Ix9A= +cloud.google.com/go/iap v1.6.0/go.mod h1:NSuvI9C/j7UdjGjIde7t7HBz+QTwBcapPE07+sSRcLk= +cloud.google.com/go/iap v1.7.0/go.mod h1:beqQx56T9O1G1yNPph+spKpNibDlYIiIixiqsQXxLIo= +cloud.google.com/go/iap v1.7.1/go.mod h1:WapEwPc7ZxGt2jFGB/C/bm+hP0Y6NXzOYGjpPnmMS74= +cloud.google.com/go/iap v1.8.1/go.mod h1:sJCbeqg3mvWLqjZNsI6dfAtbbV1DL2Rl7e1mTyXYREQ= +cloud.google.com/go/iap v1.9.0/go.mod h1:01OFxd1R+NFrg78S+hoPV5PxEzv22HXaNqUUlmNHFuY= +cloud.google.com/go/iap v1.9.1/go.mod h1:SIAkY7cGMLohLSdBR25BuIxO+I4fXJiL06IBL7cy/5Q= +cloud.google.com/go/iap v1.9.2/go.mod h1:GwDTOs047PPSnwRD0Us5FKf4WDRcVvHg1q9WVkKBhdI= +cloud.google.com/go/iap v1.9.3/go.mod h1:DTdutSZBqkkOm2HEOTBzhZxh2mwwxshfD/h3yofAiCw= +cloud.google.com/go/ids v1.1.0/go.mod h1:WIuwCaYVOzHIj2OhN9HAwvW+DBdmUAdcWlFxRl+KubM= +cloud.google.com/go/ids v1.2.0/go.mod 
h1:5WXvp4n25S0rA/mQWAg1YEEBBq6/s+7ml1RDCW1IrcY= +cloud.google.com/go/ids v1.3.0/go.mod h1:JBdTYwANikFKaDP6LtW5JAi4gubs57SVNQjemdt6xV4= +cloud.google.com/go/ids v1.4.1/go.mod h1:np41ed8YMU8zOgv53MMMoCntLTn2lF+SUzlM+O3u/jw= +cloud.google.com/go/ids v1.4.2/go.mod h1:3vw8DX6YddRu9BncxuzMyWn0g8+ooUjI2gslJ7FH3vk= +cloud.google.com/go/ids v1.4.3/go.mod h1:9CXPqI3GedjmkjbMWCUhMZ2P2N7TUMzAkVXYEH2orYU= +cloud.google.com/go/ids v1.4.4/go.mod h1:z+WUc2eEl6S/1aZWzwtVNWoSZslgzPxAboS0lZX0HjI= +cloud.google.com/go/iot v1.3.0/go.mod h1:r7RGh2B61+B8oz0AGE+J72AhA0G7tdXItODWsaA2oLs= +cloud.google.com/go/iot v1.4.0/go.mod h1:dIDxPOn0UvNDUMD8Ger7FIaTuvMkj+aGk94RPP0iV+g= +cloud.google.com/go/iot v1.5.0/go.mod h1:mpz5259PDl3XJthEmh9+ap0affn/MqNSP4My77Qql9o= +cloud.google.com/go/iot v1.6.0/go.mod h1:IqdAsmE2cTYYNO1Fvjfzo9po179rAtJeVGUvkLN3rLE= +cloud.google.com/go/iot v1.7.1/go.mod h1:46Mgw7ev1k9KqK1ao0ayW9h0lI+3hxeanz+L1zmbbbk= +cloud.google.com/go/iot v1.7.2/go.mod h1:q+0P5zr1wRFpw7/MOgDXrG/HVA+l+cSwdObffkrpnSg= +cloud.google.com/go/iot v1.7.3/go.mod h1:t8itFchkol4VgNbHnIq9lXoOOtHNR3uAACQMYbN9N4I= +cloud.google.com/go/iot v1.7.4/go.mod h1:3TWqDVvsddYBG++nHSZmluoCAVGr1hAcabbWZNKEZLk= +cloud.google.com/go/kms v1.4.0/go.mod h1:fajBHndQ+6ubNw6Ss2sSd+SWvjL26RNo/dr7uxsnnOA= +cloud.google.com/go/kms v1.5.0/go.mod h1:QJS2YY0eJGBg3mnDfuaCyLauWwBJiHRboYxJ++1xJNg= +cloud.google.com/go/kms v1.6.0/go.mod h1:Jjy850yySiasBUDi6KFUwUv2n1+o7QZFyuUJg6OgjA0= +cloud.google.com/go/kms v1.8.0/go.mod h1:4xFEhYFqvW+4VMELtZyxomGSYtSQKzM178ylFW4jMAg= +cloud.google.com/go/kms v1.9.0/go.mod h1:qb1tPTgfF9RQP8e1wq4cLFErVuTJv7UsSC915J8dh3w= +cloud.google.com/go/kms v1.10.0/go.mod h1:ng3KTUtQQU9bPX3+QGLsflZIHlkbn8amFAMY63m8d24= +cloud.google.com/go/kms v1.10.1/go.mod h1:rIWk/TryCkR59GMC3YtHtXeLzd634lBbKenvyySAyYI= +cloud.google.com/go/kms v1.11.0/go.mod h1:hwdiYC0xjnWsKQQCQQmIQnS9asjYVSK6jtXm+zFqXLM= +cloud.google.com/go/kms v1.12.1/go.mod h1:c9J991h5DTl+kg7gi3MYomh12YEENGrf48ee/N/2CDM= +cloud.google.com/go/kms 
v1.15.0/go.mod h1:c9J991h5DTl+kg7gi3MYomh12YEENGrf48ee/N/2CDM= +cloud.google.com/go/kms v1.15.2/go.mod h1:3hopT4+7ooWRCjc2DxgnpESFxhIraaI2IpAVUEhbT/w= +cloud.google.com/go/kms v1.15.3/go.mod h1:AJdXqHxS2GlPyduM99s9iGqi2nwbviBbhV/hdmt4iOQ= +cloud.google.com/go/kms v1.15.4/go.mod h1:L3Sdj6QTHK8dfwK5D1JLsAyELsNMnd3tAIwGS4ltKpc= +cloud.google.com/go/kms v1.15.5/go.mod h1:cU2H5jnp6G2TDpUGZyqTCoy1n16fbubHZjmVXSMtwDI= +cloud.google.com/go/language v1.4.0/go.mod h1:F9dRpNFQmJbkaop6g0JhSBXCNlO90e1KWx5iDdxbWic= +cloud.google.com/go/language v1.6.0/go.mod h1:6dJ8t3B+lUYfStgls25GusK04NLh3eDLQnWM3mdEbhI= +cloud.google.com/go/language v1.7.0/go.mod h1:DJ6dYN/W+SQOjF8e1hLQXMF21AkH2w9wiPzPCJa2MIE= +cloud.google.com/go/language v1.8.0/go.mod h1:qYPVHf7SPoNNiCL2Dr0FfEFNil1qi3pQEyygwpgVKB8= +cloud.google.com/go/language v1.9.0/go.mod h1:Ns15WooPM5Ad/5no/0n81yUetis74g3zrbeJBE+ptUY= +cloud.google.com/go/language v1.10.1/go.mod h1:CPp94nsdVNiQEt1CNjF5WkTcisLiHPyIbMhvR8H2AW0= +cloud.google.com/go/language v1.11.0/go.mod h1:uDx+pFDdAKTY8ehpWbiXyQdz8tDSYLJbQcXsCkjYyvQ= +cloud.google.com/go/language v1.11.1/go.mod h1:Xyid9MG9WOX3utvDbpX7j3tXDmmDooMyMDqgUVpH17U= +cloud.google.com/go/language v1.12.1/go.mod h1:zQhalE2QlQIxbKIZt54IASBzmZpN/aDASea5zl1l+J4= +cloud.google.com/go/language v1.12.2/go.mod h1:9idWapzr/JKXBBQ4lWqVX/hcadxB194ry20m/bTrhWc= +cloud.google.com/go/lifesciences v0.5.0/go.mod h1:3oIKy8ycWGPUyZDR/8RNnTOYevhaMLqh5vLUXs9zvT8= +cloud.google.com/go/lifesciences v0.6.0/go.mod h1:ddj6tSX/7BOnhxCSd3ZcETvtNr8NZ6t/iPhY2Tyfu08= +cloud.google.com/go/lifesciences v0.8.0/go.mod h1:lFxiEOMqII6XggGbOnKiyZ7IBwoIqA84ClvoezaA/bo= +cloud.google.com/go/lifesciences v0.9.1/go.mod h1:hACAOd1fFbCGLr/+weUKRAJas82Y4vrL3O5326N//Wc= +cloud.google.com/go/lifesciences v0.9.2/go.mod h1:QHEOO4tDzcSAzeJg7s2qwnLM2ji8IRpQl4p6m5Z9yTA= +cloud.google.com/go/lifesciences v0.9.3/go.mod h1:gNGBOJV80IWZdkd+xz4GQj4mbqaz737SCLHn2aRhQKM= +cloud.google.com/go/lifesciences v0.9.4/go.mod 
h1:bhm64duKhMi7s9jR9WYJYvjAFJwRqNj+Nia7hF0Z7JA= +cloud.google.com/go/logging v1.6.1/go.mod h1:5ZO0mHHbvm8gEmeEUHrmDlTDSu5imF6MUP9OfilNXBw= +cloud.google.com/go/logging v1.7.0/go.mod h1:3xjP2CjkM3ZkO73aj4ASA5wRPGGCRrPIAeNqVNkzY8M= +cloud.google.com/go/logging v1.8.1/go.mod h1:TJjR+SimHwuC8MZ9cjByQulAMgni+RkXeI3wwctHJEI= +cloud.google.com/go/longrunning v0.1.1/go.mod h1:UUFxuDWkv22EuY93jjmDMFT5GPQKeFVJBIF6QlTqdsE= +cloud.google.com/go/longrunning v0.3.0/go.mod h1:qth9Y41RRSUE69rDcOn6DdK3HfQfsUI0YSmW3iIlLJc= +cloud.google.com/go/longrunning v0.4.1/go.mod h1:4iWDqhBZ70CvZ6BfETbvam3T8FMvLK+eFj0E6AaRQTo= +cloud.google.com/go/longrunning v0.4.2/go.mod h1:OHrnaYyLUV6oqwh0xiS7e5sLQhP1m0QU9R+WhGDMgIQ= +cloud.google.com/go/longrunning v0.5.0/go.mod h1:0JNuqRShmscVAhIACGtskSAWtqtOoPkwP0YF1oVEchc= +cloud.google.com/go/longrunning v0.5.1/go.mod h1:spvimkwdz6SPWKEt/XBij79E9fiTkHSQl/fRUUQJYJc= +cloud.google.com/go/longrunning v0.5.2/go.mod h1:nqo6DQbNV2pXhGDbDMoN2bWz68MjZUzqv2YttZiveCs= +cloud.google.com/go/longrunning v0.5.3/go.mod h1:y/0ga59EYu58J6SHmmQOvekvND2qODbu8ywBBW7EK7Y= +cloud.google.com/go/longrunning v0.5.4/go.mod h1:zqNVncI0BOP8ST6XQD1+VcvuShMmq7+xFSzOL++V0dI= +cloud.google.com/go/managedidentities v1.3.0/go.mod h1:UzlW3cBOiPrzucO5qWkNkh0w33KFtBJU281hacNvsdE= +cloud.google.com/go/managedidentities v1.4.0/go.mod h1:NWSBYbEMgqmbZsLIyKvxrYbtqOsxY1ZrGM+9RgDqInM= +cloud.google.com/go/managedidentities v1.5.0/go.mod h1:+dWcZ0JlUmpuxpIDfyP5pP5y0bLdRwOS4Lp7gMni/LA= +cloud.google.com/go/managedidentities v1.6.1/go.mod h1:h/irGhTN2SkZ64F43tfGPMbHnypMbu4RB3yl8YcuEak= +cloud.google.com/go/managedidentities v1.6.2/go.mod h1:5c2VG66eCa0WIq6IylRk3TBW83l161zkFvCj28X7jn8= +cloud.google.com/go/managedidentities v1.6.3/go.mod h1:tewiat9WLyFN0Fi7q1fDD5+0N4VUoL0SCX0OTCthZq4= +cloud.google.com/go/managedidentities v1.6.4/go.mod h1:WgyaECfHmF00t/1Uk8Oun3CQ2PGUtjc3e9Alh79wyiM= +cloud.google.com/go/maps v0.1.0/go.mod h1:BQM97WGyfw9FWEmQMpZ5T6cpovXXSd1cGmFma94eubI= +cloud.google.com/go/maps 
v0.6.0/go.mod h1:o6DAMMfb+aINHz/p/jbcY+mYeXBoZoxTfdSQ8VAJaCw= +cloud.google.com/go/maps v0.7.0/go.mod h1:3GnvVl3cqeSvgMcpRlQidXsPYuDGQ8naBis7MVzpXsY= +cloud.google.com/go/maps v1.3.0/go.mod h1:6mWTUv+WhnOwAgjVsSW2QPPECmW+s3PcRyOa9vgG/5s= +cloud.google.com/go/maps v1.4.0/go.mod h1:6mWTUv+WhnOwAgjVsSW2QPPECmW+s3PcRyOa9vgG/5s= +cloud.google.com/go/maps v1.4.1/go.mod h1:BxSa0BnW1g2U2gNdbq5zikLlHUuHW0GFWh7sgML2kIY= +cloud.google.com/go/maps v1.5.1/go.mod h1:NPMZw1LJwQZYCfz4y+EIw+SI+24A4bpdFJqdKVr0lt4= +cloud.google.com/go/maps v1.6.1/go.mod h1:4+buOHhYXFBp58Zj/K+Lc1rCmJssxxF4pJ5CJnhdz18= +cloud.google.com/go/mediatranslation v0.5.0/go.mod h1:jGPUhGTybqsPQn91pNXw0xVHfuJ3leR1wj37oU3y1f4= +cloud.google.com/go/mediatranslation v0.6.0/go.mod h1:hHdBCTYNigsBxshbznuIMFNe5QXEowAuNmmC7h8pu5w= +cloud.google.com/go/mediatranslation v0.7.0/go.mod h1:LCnB/gZr90ONOIQLgSXagp8XUW1ODs2UmUMvcgMfI2I= +cloud.google.com/go/mediatranslation v0.8.1/go.mod h1:L/7hBdEYbYHQJhX2sldtTO5SZZ1C1vkapubj0T2aGig= +cloud.google.com/go/mediatranslation v0.8.2/go.mod h1:c9pUaDRLkgHRx3irYE5ZC8tfXGrMYwNZdmDqKMSfFp8= +cloud.google.com/go/mediatranslation v0.8.3/go.mod h1:F9OnXTy336rteOEywtY7FOqCk+J43o2RF638hkOQl4Y= +cloud.google.com/go/mediatranslation v0.8.4/go.mod h1:9WstgtNVAdN53m6TQa5GjIjLqKQPXe74hwSCxUP6nj4= +cloud.google.com/go/memcache v1.4.0/go.mod h1:rTOfiGZtJX1AaFUrOgsMHX5kAzaTQ8azHiuDoTPzNsE= +cloud.google.com/go/memcache v1.5.0/go.mod h1:dk3fCK7dVo0cUU2c36jKb4VqKPS22BTkf81Xq617aWM= +cloud.google.com/go/memcache v1.6.0/go.mod h1:XS5xB0eQZdHtTuTF9Hf8eJkKtR3pVRCcvJwtm68T3rA= +cloud.google.com/go/memcache v1.7.0/go.mod h1:ywMKfjWhNtkQTxrWxCkCFkoPjLHPW6A7WOTVI8xy3LY= +cloud.google.com/go/memcache v1.9.0/go.mod h1:8oEyzXCu+zo9RzlEaEjHl4KkgjlNDaXbCQeQWlzNFJM= +cloud.google.com/go/memcache v1.10.1/go.mod h1:47YRQIarv4I3QS5+hoETgKO40InqzLP6kpNLvyXuyaA= +cloud.google.com/go/memcache v1.10.2/go.mod h1:f9ZzJHLBrmd4BkguIAa/l/Vle6uTHzHokdnzSWOdQ6A= +cloud.google.com/go/memcache v1.10.3/go.mod 
h1:6z89A41MT2DVAW0P4iIRdu5cmRTsbsFn4cyiIx8gbwo= +cloud.google.com/go/memcache v1.10.4/go.mod h1:v/d8PuC8d1gD6Yn5+I3INzLR01IDn0N4Ym56RgikSI0= +cloud.google.com/go/metastore v1.5.0/go.mod h1:2ZNrDcQwghfdtCwJ33nM0+GrBGlVuh8rakL3vdPY3XY= +cloud.google.com/go/metastore v1.6.0/go.mod h1:6cyQTls8CWXzk45G55x57DVQ9gWg7RiH65+YgPsNh9s= +cloud.google.com/go/metastore v1.7.0/go.mod h1:s45D0B4IlsINu87/AsWiEVYbLaIMeUSoxlKKDqBGFS8= +cloud.google.com/go/metastore v1.8.0/go.mod h1:zHiMc4ZUpBiM7twCIFQmJ9JMEkDSyZS9U12uf7wHqSI= +cloud.google.com/go/metastore v1.10.0/go.mod h1:fPEnH3g4JJAk+gMRnrAnoqyv2lpUCqJPWOodSaf45Eo= +cloud.google.com/go/metastore v1.11.1/go.mod h1:uZuSo80U3Wd4zi6C22ZZliOUJ3XeM/MlYi/z5OAOWRA= +cloud.google.com/go/metastore v1.12.0/go.mod h1:uZuSo80U3Wd4zi6C22ZZliOUJ3XeM/MlYi/z5OAOWRA= +cloud.google.com/go/metastore v1.13.0/go.mod h1:URDhpG6XLeh5K+Glq0NOt74OfrPKTwS62gEPZzb5SOk= +cloud.google.com/go/metastore v1.13.1/go.mod h1:IbF62JLxuZmhItCppcIfzBBfUFq0DIB9HPDoLgWrVOU= +cloud.google.com/go/metastore v1.13.2/go.mod h1:KS59dD+unBji/kFebVp8XU/quNSyo8b6N6tPGspKszA= +cloud.google.com/go/metastore v1.13.3/go.mod h1:K+wdjXdtkdk7AQg4+sXS8bRrQa9gcOr+foOMF2tqINE= +cloud.google.com/go/monitoring v1.7.0/go.mod h1:HpYse6kkGo//7p6sT0wsIC6IBDET0RhIsnmlA53dvEk= +cloud.google.com/go/monitoring v1.8.0/go.mod h1:E7PtoMJ1kQXWxPjB6mv2fhC5/15jInuulFdYYtlcvT4= +cloud.google.com/go/monitoring v1.12.0/go.mod h1:yx8Jj2fZNEkL/GYZyTLS4ZtZEZN8WtDEiEqG4kLK50w= +cloud.google.com/go/monitoring v1.13.0/go.mod h1:k2yMBAB1H9JT/QETjNkgdCGD9bPF712XiLTVr+cBrpw= +cloud.google.com/go/monitoring v1.15.1/go.mod h1:lADlSAlFdbqQuwwpaImhsJXu1QSdd3ojypXrFSMr2rM= +cloud.google.com/go/monitoring v1.16.0/go.mod h1:Ptp15HgAyM1fNICAojDMoNc/wUmn67mLHQfyqbw+poY= +cloud.google.com/go/monitoring v1.16.1/go.mod h1:6HsxddR+3y9j+o/cMJH6q/KJ/CBTvM/38L/1m7bTRJ4= +cloud.google.com/go/monitoring v1.16.2/go.mod h1:B44KGwi4ZCF8Rk/5n+FWeispDXoKSk9oss2QNlXJBgc= +cloud.google.com/go/monitoring v1.16.3/go.mod 
h1:KwSsX5+8PnXv5NJnICZzW2R8pWTis8ypC4zmdRD63Tw= +cloud.google.com/go/networkconnectivity v1.4.0/go.mod h1:nOl7YL8odKyAOtzNX73/M5/mGZgqqMeryi6UPZTk/rA= +cloud.google.com/go/networkconnectivity v1.5.0/go.mod h1:3GzqJx7uhtlM3kln0+x5wyFvuVH1pIBJjhCpjzSt75o= +cloud.google.com/go/networkconnectivity v1.6.0/go.mod h1:OJOoEXW+0LAxHh89nXd64uGG+FbQoeH8DtxCHVOMlaM= +cloud.google.com/go/networkconnectivity v1.7.0/go.mod h1:RMuSbkdbPwNMQjB5HBWD5MpTBnNm39iAVpC3TmsExt8= +cloud.google.com/go/networkconnectivity v1.10.0/go.mod h1:UP4O4sWXJG13AqrTdQCD9TnLGEbtNRqjuaaA7bNjF5E= +cloud.google.com/go/networkconnectivity v1.11.0/go.mod h1:iWmDD4QF16VCDLXUqvyspJjIEtBR/4zq5hwnY2X3scM= +cloud.google.com/go/networkconnectivity v1.12.1/go.mod h1:PelxSWYM7Sh9/guf8CFhi6vIqf19Ir/sbfZRUwXh92E= +cloud.google.com/go/networkconnectivity v1.13.0/go.mod h1:SAnGPes88pl7QRLUen2HmcBSE9AowVAcdug8c0RSBFk= +cloud.google.com/go/networkconnectivity v1.14.0/go.mod h1:SAnGPes88pl7QRLUen2HmcBSE9AowVAcdug8c0RSBFk= +cloud.google.com/go/networkconnectivity v1.14.1/go.mod h1:LyGPXR742uQcDxZ/wv4EI0Vu5N6NKJ77ZYVnDe69Zug= +cloud.google.com/go/networkconnectivity v1.14.2/go.mod h1:5UFlwIisZylSkGG1AdwK/WZUaoz12PKu6wODwIbFzJo= +cloud.google.com/go/networkconnectivity v1.14.3/go.mod h1:4aoeFdrJpYEXNvrnfyD5kIzs8YtHg945Og4koAjHQek= +cloud.google.com/go/networkmanagement v1.4.0/go.mod h1:Q9mdLLRn60AsOrPc8rs8iNV6OHXaGcDdsIQe1ohekq8= +cloud.google.com/go/networkmanagement v1.5.0/go.mod h1:ZnOeZ/evzUdUsnvRt792H0uYEnHQEMaz+REhhzJRcf4= +cloud.google.com/go/networkmanagement v1.6.0/go.mod h1:5pKPqyXjB/sgtvB5xqOemumoQNB7y95Q7S+4rjSOPYY= +cloud.google.com/go/networkmanagement v1.8.0/go.mod h1:Ho/BUGmtyEqrttTgWEe7m+8vDdK74ibQc+Be0q7Fof0= +cloud.google.com/go/networkmanagement v1.9.0/go.mod h1:UTUaEU9YwbCAhhz3jEOHr+2/K/MrBk2XxOLS89LQzFw= +cloud.google.com/go/networkmanagement v1.9.1/go.mod h1:CCSYgrQQvW73EJawO2QamemYcOb57LvrDdDU51F0mcI= +cloud.google.com/go/networkmanagement v1.9.2/go.mod h1:iDGvGzAoYRghhp4j2Cji7sF899GnfGQcQRQwgVOWnDw= 
+cloud.google.com/go/networkmanagement v1.9.3/go.mod h1:y7WMO1bRLaP5h3Obm4tey+NquUvB93Co1oh4wpL+XcU= +cloud.google.com/go/networksecurity v0.5.0/go.mod h1:xS6fOCoqpVC5zx15Z/MqkfDwH4+m/61A3ODiDV1xmiQ= +cloud.google.com/go/networksecurity v0.6.0/go.mod h1:Q5fjhTr9WMI5mbpRYEbiexTzROf7ZbDzvzCrNl14nyU= +cloud.google.com/go/networksecurity v0.7.0/go.mod h1:mAnzoxx/8TBSyXEeESMy9OOYwo1v+gZ5eMRnsT5bC8k= +cloud.google.com/go/networksecurity v0.8.0/go.mod h1:B78DkqsxFG5zRSVuwYFRZ9Xz8IcQ5iECsNrPn74hKHU= +cloud.google.com/go/networksecurity v0.9.1/go.mod h1:MCMdxOKQ30wsBI1eI659f9kEp4wuuAueoC9AJKSPWZQ= +cloud.google.com/go/networksecurity v0.9.2/go.mod h1:jG0SeAttWzPMUILEHDUvFYdQTl8L/E/KC8iZDj85lEI= +cloud.google.com/go/networksecurity v0.9.3/go.mod h1:l+C0ynM6P+KV9YjOnx+kk5IZqMSLccdBqW6GUoF4p/0= +cloud.google.com/go/networksecurity v0.9.4/go.mod h1:E9CeMZ2zDsNBkr8axKSYm8XyTqNhiCHf1JO/Vb8mD1w= +cloud.google.com/go/notebooks v1.2.0/go.mod h1:9+wtppMfVPUeJ8fIWPOq1UnATHISkGXGqTkxeieQ6UY= +cloud.google.com/go/notebooks v1.3.0/go.mod h1:bFR5lj07DtCPC7YAAJ//vHskFBxA5JzYlH68kXVdk34= +cloud.google.com/go/notebooks v1.4.0/go.mod h1:4QPMngcwmgb6uw7Po99B2xv5ufVoIQ7nOGDyL4P8AgA= +cloud.google.com/go/notebooks v1.5.0/go.mod h1:q8mwhnP9aR8Hpfnrc5iN5IBhrXUy8S2vuYs+kBJ/gu0= +cloud.google.com/go/notebooks v1.7.0/go.mod h1:PVlaDGfJgj1fl1S3dUwhFMXFgfYGhYQt2164xOMONmE= +cloud.google.com/go/notebooks v1.8.0/go.mod h1:Lq6dYKOYOWUCTvw5t2q1gp1lAp0zxAxRycayS0iJcqQ= +cloud.google.com/go/notebooks v1.9.1/go.mod h1:zqG9/gk05JrzgBt4ghLzEepPHNwE5jgPcHZRKhlC1A8= +cloud.google.com/go/notebooks v1.10.0/go.mod h1:SOPYMZnttHxqot0SGSFSkRrwE29eqnKPBJFqgWmiK2k= +cloud.google.com/go/notebooks v1.10.1/go.mod h1:5PdJc2SgAybE76kFQCWrTfJolCOUQXF97e+gteUUA6A= +cloud.google.com/go/notebooks v1.11.1/go.mod h1:V2Zkv8wX9kDCGRJqYoI+bQAaoVeE5kSiz4yYHd2yJwQ= +cloud.google.com/go/notebooks v1.11.2/go.mod h1:z0tlHI/lREXC8BS2mIsUeR3agM1AkgLiS+Isov3SS70= +cloud.google.com/go/optimization v1.1.0/go.mod 
h1:5po+wfvX5AQlPznyVEZjGJTMr4+CAkJf2XSTQOOl9l4= +cloud.google.com/go/optimization v1.2.0/go.mod h1:Lr7SOHdRDENsh+WXVmQhQTrzdu9ybg0NecjHidBq6xs= +cloud.google.com/go/optimization v1.3.1/go.mod h1:IvUSefKiwd1a5p0RgHDbWCIbDFgKuEdB+fPPuP0IDLI= +cloud.google.com/go/optimization v1.4.1/go.mod h1:j64vZQP7h9bO49m2rVaTVoNM0vEBEN5eKPUPbZyXOrk= +cloud.google.com/go/optimization v1.5.0/go.mod h1:evo1OvTxeBRBu6ydPlrIRizKY/LJKo/drDMMRKqGEUU= +cloud.google.com/go/optimization v1.5.1/go.mod h1:NC0gnUD5MWVAF7XLdoYVPmYYVth93Q6BUzqAq3ZwtV8= +cloud.google.com/go/optimization v1.6.1/go.mod h1:hH2RYPTTM9e9zOiTaYPTiGPcGdNZVnBSBxjIAJzUkqo= +cloud.google.com/go/optimization v1.6.2/go.mod h1:mWNZ7B9/EyMCcwNl1frUGEuY6CPijSkz88Fz2vwKPOY= +cloud.google.com/go/orchestration v1.3.0/go.mod h1:Sj5tq/JpWiB//X/q3Ngwdl5K7B7Y0KZ7bfv0wL6fqVA= +cloud.google.com/go/orchestration v1.4.0/go.mod h1:6W5NLFWs2TlniBphAViZEVhrXRSMgUGDfW7vrWKvsBk= +cloud.google.com/go/orchestration v1.6.0/go.mod h1:M62Bevp7pkxStDfFfTuCOaXgaaqRAga1yKyoMtEoWPQ= +cloud.google.com/go/orchestration v1.8.1/go.mod h1:4sluRF3wgbYVRqz7zJ1/EUNc90TTprliq9477fGobD8= +cloud.google.com/go/orchestration v1.8.2/go.mod h1:T1cP+6WyTmh6LSZzeUhvGf0uZVmJyTx7t8z7Vg87+A0= +cloud.google.com/go/orchestration v1.8.3/go.mod h1:xhgWAYqlbYjlz2ftbFghdyqENYW+JXuhBx9KsjMoGHs= +cloud.google.com/go/orchestration v1.8.4/go.mod h1:d0lywZSVYtIoSZXb0iFjv9SaL13PGyVOKDxqGxEf/qI= +cloud.google.com/go/orgpolicy v1.4.0/go.mod h1:xrSLIV4RePWmP9P3tBl8S93lTmlAxjm06NSm2UTmKvE= +cloud.google.com/go/orgpolicy v1.5.0/go.mod h1:hZEc5q3wzwXJaKrsx5+Ewg0u1LxJ51nNFlext7Tanwc= +cloud.google.com/go/orgpolicy v1.10.0/go.mod h1:w1fo8b7rRqlXlIJbVhOMPrwVljyuW5mqssvBtU18ONc= +cloud.google.com/go/orgpolicy v1.11.0/go.mod h1:2RK748+FtVvnfuynxBzdnyu7sygtoZa1za/0ZfpOs1M= +cloud.google.com/go/orgpolicy v1.11.1/go.mod h1:8+E3jQcpZJQliP+zaFfayC2Pg5bmhuLK755wKhIIUCE= +cloud.google.com/go/orgpolicy v1.11.2/go.mod h1:biRDpNwfyytYnmCRWZWxrKF22Nkz9eNVj9zyaBdpm1o= +cloud.google.com/go/orgpolicy 
v1.11.3/go.mod h1:oKAtJ/gkMjum5icv2aujkP4CxROxPXsBbYGCDbPO8MM= +cloud.google.com/go/orgpolicy v1.11.4/go.mod h1:0+aNV/nrfoTQ4Mytv+Aw+stBDBjNf4d8fYRA9herfJI= +cloud.google.com/go/osconfig v1.7.0/go.mod h1:oVHeCeZELfJP7XLxcBGTMBvRO+1nQ5tFG9VQTmYS2Fs= +cloud.google.com/go/osconfig v1.8.0/go.mod h1:EQqZLu5w5XA7eKizepumcvWx+m8mJUhEwiPqWiZeEdg= +cloud.google.com/go/osconfig v1.9.0/go.mod h1:Yx+IeIZJ3bdWmzbQU4fxNl8xsZ4amB+dygAwFPlvnNo= +cloud.google.com/go/osconfig v1.10.0/go.mod h1:uMhCzqC5I8zfD9zDEAfvgVhDS8oIjySWh+l4WK6GnWw= +cloud.google.com/go/osconfig v1.11.0/go.mod h1:aDICxrur2ogRd9zY5ytBLV89KEgT2MKB2L/n6x1ooPw= +cloud.google.com/go/osconfig v1.12.0/go.mod h1:8f/PaYzoS3JMVfdfTubkowZYGmAhUCjjwnjqWI7NVBc= +cloud.google.com/go/osconfig v1.12.1/go.mod h1:4CjBxND0gswz2gfYRCUoUzCm9zCABp91EeTtWXyz0tE= +cloud.google.com/go/osconfig v1.12.2/go.mod h1:eh9GPaMZpI6mEJEuhEjUJmaxvQ3gav+fFEJon1Y8Iw0= +cloud.google.com/go/osconfig v1.12.3/go.mod h1:L/fPS8LL6bEYUi1au832WtMnPeQNT94Zo3FwwV1/xGM= +cloud.google.com/go/osconfig v1.12.4/go.mod h1:B1qEwJ/jzqSRslvdOCI8Kdnp0gSng0xW4LOnIebQomA= +cloud.google.com/go/oslogin v1.4.0/go.mod h1:YdgMXWRaElXz/lDk1Na6Fh5orF7gvmJ0FGLIs9LId4E= +cloud.google.com/go/oslogin v1.5.0/go.mod h1:D260Qj11W2qx/HVF29zBg+0fd6YCSjSqLUkY/qEenQU= +cloud.google.com/go/oslogin v1.6.0/go.mod h1:zOJ1O3+dTU8WPlGEkFSh7qeHPPSoxrcMbbK1Nm2iX70= +cloud.google.com/go/oslogin v1.7.0/go.mod h1:e04SN0xO1UNJ1M5GP0vzVBFicIe4O53FOfcixIqTyXo= +cloud.google.com/go/oslogin v1.9.0/go.mod h1:HNavntnH8nzrn8JCTT5fj18FuJLFJc4NaZJtBnQtKFs= +cloud.google.com/go/oslogin v1.10.1/go.mod h1:x692z7yAue5nE7CsSnoG0aaMbNoRJRXO4sn73R+ZqAs= +cloud.google.com/go/oslogin v1.11.0/go.mod h1:8GMTJs4X2nOAUVJiPGqIWVcDaF0eniEto3xlOxaboXE= +cloud.google.com/go/oslogin v1.11.1/go.mod h1:OhD2icArCVNUxKqtK0mcSmKL7lgr0LVlQz+v9s1ujTg= +cloud.google.com/go/oslogin v1.12.1/go.mod h1:VfwTeFJGbnakxAY236eN8fsnglLiVXndlbcNomY4iZU= +cloud.google.com/go/oslogin v1.12.2/go.mod h1:CQ3V8Jvw4Qo4WRhNPF0o+HAM4DiLuE27Ul9CX9g2QdY= 
+cloud.google.com/go/phishingprotection v0.5.0/go.mod h1:Y3HZknsK9bc9dMi+oE8Bim0lczMU6hrX0UpADuMefr0= +cloud.google.com/go/phishingprotection v0.6.0/go.mod h1:9Y3LBLgy0kDTcYET8ZH3bq/7qni15yVUoAxiFxnlSUA= +cloud.google.com/go/phishingprotection v0.7.0/go.mod h1:8qJI4QKHoda/sb/7/YmMQ2omRLSLYSu9bU0EKCNI+Lk= +cloud.google.com/go/phishingprotection v0.8.1/go.mod h1:AxonW7GovcA8qdEk13NfHq9hNx5KPtfxXNeUxTDxB6I= +cloud.google.com/go/phishingprotection v0.8.2/go.mod h1:LhJ91uyVHEYKSKcMGhOa14zMMWfbEdxG032oT6ECbC8= +cloud.google.com/go/phishingprotection v0.8.3/go.mod h1:3B01yO7T2Ra/TMojifn8EoGd4G9jts/6cIO0DgDY9J8= +cloud.google.com/go/phishingprotection v0.8.4/go.mod h1:6b3kNPAc2AQ6jZfFHioZKg9MQNybDg4ixFd4RPZZ2nE= +cloud.google.com/go/policytroubleshooter v1.3.0/go.mod h1:qy0+VwANja+kKrjlQuOzmlvscn4RNsAc0e15GGqfMxg= +cloud.google.com/go/policytroubleshooter v1.4.0/go.mod h1:DZT4BcRw3QoO8ota9xw/LKtPa8lKeCByYeKTIf/vxdE= +cloud.google.com/go/policytroubleshooter v1.5.0/go.mod h1:Rz1WfV+1oIpPdN2VvvuboLVRsB1Hclg3CKQ53j9l8vw= +cloud.google.com/go/policytroubleshooter v1.6.0/go.mod h1:zYqaPTsmfvpjm5ULxAyD/lINQxJ0DDsnWOP/GZ7xzBc= +cloud.google.com/go/policytroubleshooter v1.7.1/go.mod h1:0NaT5v3Ag1M7U5r0GfDCpUFkWd9YqpubBWsQlhanRv0= +cloud.google.com/go/policytroubleshooter v1.8.0/go.mod h1:tmn5Ir5EToWe384EuboTcVQT7nTag2+DuH3uHmKd1HU= +cloud.google.com/go/policytroubleshooter v1.9.0/go.mod h1:+E2Lga7TycpeSTj2FsH4oXxTnrbHJGRlKhVZBLGgU64= +cloud.google.com/go/policytroubleshooter v1.9.1/go.mod h1:MYI8i0bCrL8cW+VHN1PoiBTyNZTstCg2WUw2eVC4c4U= +cloud.google.com/go/policytroubleshooter v1.10.1/go.mod h1:5C0rhT3TDZVxAu8813bwmTvd57Phbl8mr9F4ipOsxEs= +cloud.google.com/go/policytroubleshooter v1.10.2/go.mod h1:m4uF3f6LseVEnMV6nknlN2vYGRb+75ylQwJdnOXfnv0= +cloud.google.com/go/privatecatalog v0.5.0/go.mod h1:XgosMUvvPyxDjAVNDYxJ7wBW8//hLDDYmnsNcMGq1K0= +cloud.google.com/go/privatecatalog v0.6.0/go.mod h1:i/fbkZR0hLN29eEWiiwue8Pb+GforiEIBnV9yrRUOKI= +cloud.google.com/go/privatecatalog 
v0.7.0/go.mod h1:2s5ssIFO69F5csTXcwBP7NPFTZvps26xGzvQ2PQaBYg= +cloud.google.com/go/privatecatalog v0.8.0/go.mod h1:nQ6pfaegeDAq/Q5lrfCQzQLhubPiZhSaNhIgfJlnIXs= +cloud.google.com/go/privatecatalog v0.9.1/go.mod h1:0XlDXW2unJXdf9zFz968Hp35gl/bhF4twwpXZAW50JA= +cloud.google.com/go/privatecatalog v0.9.2/go.mod h1:RMA4ATa8IXfzvjrhhK8J6H4wwcztab+oZph3c6WmtFc= +cloud.google.com/go/privatecatalog v0.9.3/go.mod h1:K5pn2GrVmOPjXz3T26mzwXLcKivfIJ9R5N79AFCF9UE= +cloud.google.com/go/privatecatalog v0.9.4/go.mod h1:SOjm93f+5hp/U3PqMZAHTtBtluqLygrDrVO8X8tYtG0= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= +cloud.google.com/go/pubsub v1.26.0/go.mod h1:QgBH3U/jdJy/ftjPhTkyXNj543Tin1pRYcdcPRnFIRI= +cloud.google.com/go/pubsub v1.27.1/go.mod h1:hQN39ymbV9geqBnfQq6Xf63yNhUAhv9CZhzp5O6qsW0= +cloud.google.com/go/pubsub v1.28.0/go.mod h1:vuXFpwaVoIPQMGXqRyUQigu/AX1S3IWugR9xznmcXX8= +cloud.google.com/go/pubsub v1.30.0/go.mod h1:qWi1OPS0B+b5L+Sg6Gmc9zD1Y+HaM0MdUr7LsupY1P4= +cloud.google.com/go/pubsub v1.32.0/go.mod h1:f+w71I33OMyxf9VpMVcZbnG5KSUkCOUHYpFd5U1GdRc= +cloud.google.com/go/pubsub v1.33.0/go.mod h1:f+w71I33OMyxf9VpMVcZbnG5KSUkCOUHYpFd5U1GdRc= +cloud.google.com/go/pubsublite v1.5.0/go.mod h1:xapqNQ1CuLfGi23Yda/9l4bBCKz/wC3KIJ5gKcxveZg= +cloud.google.com/go/pubsublite v1.6.0/go.mod h1:1eFCS0U11xlOuMFV/0iBqw3zP12kddMeCbj/F3FSj9k= +cloud.google.com/go/pubsublite v1.7.0/go.mod h1:8hVMwRXfDfvGm3fahVbtDbiLePT3gpoiJYJY+vxWxVM= +cloud.google.com/go/pubsublite v1.8.1/go.mod h1:fOLdU4f5xldK4RGJrBMm+J7zMWNj/k4PxwEZXy39QS0= +cloud.google.com/go/recaptchaenterprise v1.3.1/go.mod h1:OdD+q+y4XGeAlxRaMn1Y7/GveP6zmq76byL6tjPE7d4= +cloud.google.com/go/recaptchaenterprise/v2 v2.1.0/go.mod 
h1:w9yVqajwroDNTfGuhmOjPDN//rZGySaf6PtFVcSCa7o= +cloud.google.com/go/recaptchaenterprise/v2 v2.2.0/go.mod h1:/Zu5jisWGeERrd5HnlS3EUGb/D335f9k51B/FVil0jk= +cloud.google.com/go/recaptchaenterprise/v2 v2.3.0/go.mod h1:O9LwGCjrhGHBQET5CA7dd5NwwNQUErSgEDit1DLNTdo= +cloud.google.com/go/recaptchaenterprise/v2 v2.4.0/go.mod h1:Am3LHfOuBstrLrNCBrlI5sbwx9LBg3te2N6hGvHn2mE= +cloud.google.com/go/recaptchaenterprise/v2 v2.5.0/go.mod h1:O8LzcHXN3rz0j+LBC91jrwI3R+1ZSZEWrfL7XHgNo9U= +cloud.google.com/go/recaptchaenterprise/v2 v2.6.0/go.mod h1:RPauz9jeLtB3JVzg6nCbe12qNoaa8pXc4d/YukAmcnA= +cloud.google.com/go/recaptchaenterprise/v2 v2.7.0/go.mod h1:19wVj/fs5RtYtynAPJdDTb69oW0vNHYDBTbB4NvMD9c= +cloud.google.com/go/recaptchaenterprise/v2 v2.7.2/go.mod h1:kR0KjsJS7Jt1YSyWFkseQ756D45kaYNTlDPPaRAvDBU= +cloud.google.com/go/recaptchaenterprise/v2 v2.8.0/go.mod h1:QuE8EdU9dEnesG8/kG3XuJyNsjEqMlMzg3v3scCJ46c= +cloud.google.com/go/recaptchaenterprise/v2 v2.8.1/go.mod h1:JZYZJOeZjgSSTGP4uz7NlQ4/d1w5hGmksVgM0lbEij0= +cloud.google.com/go/recaptchaenterprise/v2 v2.8.2/go.mod h1:kpaDBOpkwD4G0GVMzG1W6Doy1tFFC97XAV3xy+Rd/pw= +cloud.google.com/go/recaptchaenterprise/v2 v2.8.3/go.mod h1:Dak54rw6lC2gBY8FBznpOCAR58wKf+R+ZSJRoeJok4w= +cloud.google.com/go/recommendationengine v0.5.0/go.mod h1:E5756pJcVFeVgaQv3WNpImkFP8a+RptV6dDLGPILjvg= +cloud.google.com/go/recommendationengine v0.6.0/go.mod h1:08mq2umu9oIqc7tDy8sx+MNJdLG0fUi3vaSVbztHgJ4= +cloud.google.com/go/recommendationengine v0.7.0/go.mod h1:1reUcE3GIu6MeBz/h5xZJqNLuuVjNg1lmWMPyjatzac= +cloud.google.com/go/recommendationengine v0.8.1/go.mod h1:MrZihWwtFYWDzE6Hz5nKcNz3gLizXVIDI/o3G1DLcrE= +cloud.google.com/go/recommendationengine v0.8.2/go.mod h1:QIybYHPK58qir9CV2ix/re/M//Ty10OxjnnhWdaKS1Y= +cloud.google.com/go/recommendationengine v0.8.3/go.mod h1:m3b0RZV02BnODE9FeSvGv1qibFo8g0OnmB/RMwYy4V8= +cloud.google.com/go/recommendationengine v0.8.4/go.mod h1:GEteCf1PATl5v5ZsQ60sTClUE0phbWmo3rQ1Js8louU= +cloud.google.com/go/recommender v1.5.0/go.mod 
h1:jdoeiBIVrJe9gQjwd759ecLJbxCDED4A6p+mqoqDvTg= +cloud.google.com/go/recommender v1.6.0/go.mod h1:+yETpm25mcoiECKh9DEScGzIRyDKpZ0cEhWGo+8bo+c= +cloud.google.com/go/recommender v1.7.0/go.mod h1:XLHs/W+T8olwlGOgfQenXBTbIseGclClff6lhFVe9Bs= +cloud.google.com/go/recommender v1.8.0/go.mod h1:PkjXrTT05BFKwxaUxQmtIlrtj0kph108r02ZZQ5FE70= +cloud.google.com/go/recommender v1.9.0/go.mod h1:PnSsnZY7q+VL1uax2JWkt/UegHssxjUVVCrX52CuEmQ= +cloud.google.com/go/recommender v1.10.1/go.mod h1:XFvrE4Suqn5Cq0Lf+mCP6oBHD/yRMA8XxP5sb7Q7gpA= +cloud.google.com/go/recommender v1.11.0/go.mod h1:kPiRQhPyTJ9kyXPCG6u/dlPLbYfFlkwHNRwdzPVAoII= +cloud.google.com/go/recommender v1.11.1/go.mod h1:sGwFFAyI57v2Hc5LbIj+lTwXipGu9NW015rkaEM5B18= +cloud.google.com/go/recommender v1.11.2/go.mod h1:AeoJuzOvFR/emIcXdVFkspVXVTYpliRCmKNYDnyBv6Y= +cloud.google.com/go/recommender v1.11.3/go.mod h1:+FJosKKJSId1MBFeJ/TTyoGQZiEelQQIZMKYYD8ruK4= +cloud.google.com/go/redis v1.7.0/go.mod h1:V3x5Jq1jzUcg+UNsRvdmsfuFnit1cfe3Z/PGyq/lm4Y= +cloud.google.com/go/redis v1.8.0/go.mod h1:Fm2szCDavWzBk2cDKxrkmWBqoCiL1+Ctwq7EyqBCA/A= +cloud.google.com/go/redis v1.9.0/go.mod h1:HMYQuajvb2D0LvMgZmLDZW8V5aOC/WxstZHiy4g8OiA= +cloud.google.com/go/redis v1.10.0/go.mod h1:ThJf3mMBQtW18JzGgh41/Wld6vnDDc/F/F35UolRZPM= +cloud.google.com/go/redis v1.11.0/go.mod h1:/X6eicana+BWcUda5PpwZC48o37SiFVTFSs0fWAJ7uQ= +cloud.google.com/go/redis v1.13.1/go.mod h1:VP7DGLpE91M6bcsDdMuyCm2hIpB6Vp2hI090Mfd1tcg= +cloud.google.com/go/redis v1.13.2/go.mod h1:0Hg7pCMXS9uz02q+LoEVl5dNHUkIQv+C/3L76fandSA= +cloud.google.com/go/redis v1.13.3/go.mod h1:vbUpCKUAZSYzFcWKmICnYgRAhTFg9r+djWqFxDYXi4U= +cloud.google.com/go/redis v1.14.1/go.mod h1:MbmBxN8bEnQI4doZPC1BzADU4HGocHBk2de3SbgOkqs= +cloud.google.com/go/resourcemanager v1.3.0/go.mod h1:bAtrTjZQFJkiWTPDb1WBjzvc6/kifjj4QBYuKCCoqKA= +cloud.google.com/go/resourcemanager v1.4.0/go.mod h1:MwxuzkumyTX7/a3n37gmsT3py7LIXwrShilPh3P1tR0= +cloud.google.com/go/resourcemanager v1.5.0/go.mod 
h1:eQoXNAiAvCf5PXxWxXjhKQoTMaUSNrEfg+6qdf/wots= +cloud.google.com/go/resourcemanager v1.6.0/go.mod h1:YcpXGRs8fDzcUl1Xw8uOVmI8JEadvhRIkoXXUNVYcVo= +cloud.google.com/go/resourcemanager v1.7.0/go.mod h1:HlD3m6+bwhzj9XCouqmeiGuni95NTrExfhoSrkC/3EI= +cloud.google.com/go/resourcemanager v1.9.1/go.mod h1:dVCuosgrh1tINZ/RwBufr8lULmWGOkPS8gL5gqyjdT8= +cloud.google.com/go/resourcemanager v1.9.2/go.mod h1:OujkBg1UZg5lX2yIyMo5Vz9O5hf7XQOSV7WxqxxMtQE= +cloud.google.com/go/resourcemanager v1.9.3/go.mod h1:IqrY+g0ZgLsihcfcmqSe+RKp1hzjXwG904B92AwBz6U= +cloud.google.com/go/resourcemanager v1.9.4/go.mod h1:N1dhP9RFvo3lUfwtfLWVxfUWq8+KUQ+XLlHLH3BoFJ0= +cloud.google.com/go/resourcesettings v1.3.0/go.mod h1:lzew8VfESA5DQ8gdlHwMrqZs1S9V87v3oCnKCWoOuQU= +cloud.google.com/go/resourcesettings v1.4.0/go.mod h1:ldiH9IJpcrlC3VSuCGvjR5of/ezRrOxFtpJoJo5SmXg= +cloud.google.com/go/resourcesettings v1.5.0/go.mod h1:+xJF7QSG6undsQDfsCJyqWXyBwUoJLhetkRMDRnIoXA= +cloud.google.com/go/resourcesettings v1.6.1/go.mod h1:M7mk9PIZrC5Fgsu1kZJci6mpgN8o0IUzVx3eJU3y4Jw= +cloud.google.com/go/resourcesettings v1.6.2/go.mod h1:mJIEDd9MobzunWMeniaMp6tzg4I2GvD3TTmPkc8vBXk= +cloud.google.com/go/resourcesettings v1.6.3/go.mod h1:pno5D+7oDYkMWZ5BpPsb4SO0ewg3IXcmmrUZaMJrFic= +cloud.google.com/go/resourcesettings v1.6.4/go.mod h1:pYTTkWdv2lmQcjsthbZLNBP4QW140cs7wqA3DuqErVI= +cloud.google.com/go/retail v1.8.0/go.mod h1:QblKS8waDmNUhghY2TI9O3JLlFk8jybHeV4BF19FrE4= +cloud.google.com/go/retail v1.9.0/go.mod h1:g6jb6mKuCS1QKnH/dpu7isX253absFl6iE92nHwlBUY= +cloud.google.com/go/retail v1.10.0/go.mod h1:2gDk9HsL4HMS4oZwz6daui2/jmKvqShXKQuB2RZ+cCc= +cloud.google.com/go/retail v1.11.0/go.mod h1:MBLk1NaWPmh6iVFSz9MeKG/Psyd7TAgm6y/9L2B4x9Y= +cloud.google.com/go/retail v1.12.0/go.mod h1:UMkelN/0Z8XvKymXFbD4EhFJlYKRx1FGhQkVPU5kF14= +cloud.google.com/go/retail v1.14.1/go.mod h1:y3Wv3Vr2k54dLNIrCzenyKG8g8dhvhncT2NcNjb/6gE= +cloud.google.com/go/retail v1.14.2/go.mod h1:W7rrNRChAEChX336QF7bnMxbsjugcOCPU44i5kbLiL8= 
+cloud.google.com/go/retail v1.14.3/go.mod h1:Omz2akDHeSlfCq8ArPKiBxlnRpKEBjUH386JYFLUvXo= +cloud.google.com/go/retail v1.14.4/go.mod h1:l/N7cMtY78yRnJqp5JW8emy7MB1nz8E4t2yfOmklYfg= +cloud.google.com/go/run v0.2.0/go.mod h1:CNtKsTA1sDcnqqIFR3Pb5Tq0usWxJJvsWOCPldRU3Do= +cloud.google.com/go/run v0.3.0/go.mod h1:TuyY1+taHxTjrD0ZFk2iAR+xyOXEA0ztb7U3UNA0zBo= +cloud.google.com/go/run v0.8.0/go.mod h1:VniEnuBwqjigv0A7ONfQUaEItaiCRVujlMqerPPiktM= +cloud.google.com/go/run v0.9.0/go.mod h1:Wwu+/vvg8Y+JUApMwEDfVfhetv30hCG4ZwDR/IXl2Qg= +cloud.google.com/go/run v1.2.0/go.mod h1:36V1IlDzQ0XxbQjUx6IYbw8H3TJnWvhii963WW3B/bo= +cloud.google.com/go/run v1.3.0/go.mod h1:S/osX/4jIPZGg+ssuqh6GNgg7syixKe3YnprwehzHKU= +cloud.google.com/go/run v1.3.1/go.mod h1:cymddtZOzdwLIAsmS6s+Asl4JoXIDm/K1cpZTxV4Q5s= +cloud.google.com/go/run v1.3.2/go.mod h1:SIhmqArbjdU/D9M6JoHaAqnAMKLFtXaVdNeq04NjnVE= +cloud.google.com/go/run v1.3.3/go.mod h1:WSM5pGyJ7cfYyYbONVQBN4buz42zFqwG67Q3ch07iK4= +cloud.google.com/go/scheduler v1.4.0/go.mod h1:drcJBmxF3aqZJRhmkHQ9b3uSSpQoltBPGPxGAWROx6s= +cloud.google.com/go/scheduler v1.5.0/go.mod h1:ri073ym49NW3AfT6DZi21vLZrG07GXr5p3H1KxN5QlI= +cloud.google.com/go/scheduler v1.6.0/go.mod h1:SgeKVM7MIwPn3BqtcBntpLyrIJftQISRrYB5ZtT+KOk= +cloud.google.com/go/scheduler v1.7.0/go.mod h1:jyCiBqWW956uBjjPMMuX09n3x37mtyPJegEWKxRsn44= +cloud.google.com/go/scheduler v1.8.0/go.mod h1:TCET+Y5Gp1YgHT8py4nlg2Sew8nUHMqcpousDgXJVQc= +cloud.google.com/go/scheduler v1.9.0/go.mod h1:yexg5t+KSmqu+njTIh3b7oYPheFtBWGcbVUYF1GGMIc= +cloud.google.com/go/scheduler v1.10.1/go.mod h1:R63Ldltd47Bs4gnhQkmNDse5w8gBRrhObZ54PxgR2Oo= +cloud.google.com/go/scheduler v1.10.2/go.mod h1:O3jX6HRH5eKCA3FutMw375XHZJudNIKVonSCHv7ropY= +cloud.google.com/go/scheduler v1.10.3/go.mod h1:8ANskEM33+sIbpJ+R4xRfw/jzOG+ZFE8WVLy7/yGvbc= +cloud.google.com/go/scheduler v1.10.4/go.mod h1:MTuXcrJC9tqOHhixdbHDFSIuh7xZF2IysiINDuiq6NI= +cloud.google.com/go/secretmanager v1.6.0/go.mod h1:awVa/OXF6IiyaU1wQ34inzQNc4ISIDIrId8qE5QGgKA= 
+cloud.google.com/go/secretmanager v1.8.0/go.mod h1:hnVgi/bN5MYHd3Gt0SPuTPPp5ENina1/LxM+2W9U9J4= +cloud.google.com/go/secretmanager v1.9.0/go.mod h1:b71qH2l1yHmWQHt9LC80akm86mX8AL6X1MA01dW8ht4= +cloud.google.com/go/secretmanager v1.10.0/go.mod h1:MfnrdvKMPNra9aZtQFvBcvRU54hbPD8/HayQdlUgJpU= +cloud.google.com/go/secretmanager v1.11.1/go.mod h1:znq9JlXgTNdBeQk9TBW/FnR/W4uChEKGeqQWAJ8SXFw= +cloud.google.com/go/secretmanager v1.11.2/go.mod h1:MQm4t3deoSub7+WNwiC4/tRYgDBHJgJPvswqQVB1Vss= +cloud.google.com/go/secretmanager v1.11.3/go.mod h1:0bA2o6FabmShrEy328i67aV+65XoUFFSmVeLBn/51jI= +cloud.google.com/go/secretmanager v1.11.4/go.mod h1:wreJlbS9Zdq21lMzWmJ0XhWW2ZxgPeahsqeV/vZoJ3w= +cloud.google.com/go/security v1.5.0/go.mod h1:lgxGdyOKKjHL4YG3/YwIL2zLqMFCKs0UbQwgyZmfJl4= +cloud.google.com/go/security v1.7.0/go.mod h1:mZklORHl6Bg7CNnnjLH//0UlAlaXqiG7Lb9PsPXLfD0= +cloud.google.com/go/security v1.8.0/go.mod h1:hAQOwgmaHhztFhiQ41CjDODdWP0+AE1B3sX4OFlq+GU= +cloud.google.com/go/security v1.9.0/go.mod h1:6Ta1bO8LXI89nZnmnsZGp9lVoVWXqsVbIq/t9dzI+2Q= +cloud.google.com/go/security v1.10.0/go.mod h1:QtOMZByJVlibUT2h9afNDWRZ1G96gVywH8T5GUSb9IA= +cloud.google.com/go/security v1.12.0/go.mod h1:rV6EhrpbNHrrxqlvW0BWAIawFWq3X90SduMJdFwtLB8= +cloud.google.com/go/security v1.13.0/go.mod h1:Q1Nvxl1PAgmeW0y3HTt54JYIvUdtcpYKVfIB8AOMZ+0= +cloud.google.com/go/security v1.15.1/go.mod h1:MvTnnbsWnehoizHi09zoiZob0iCHVcL4AUBj76h9fXA= +cloud.google.com/go/security v1.15.2/go.mod h1:2GVE/v1oixIRHDaClVbHuPcZwAqFM28mXuAKCfMgYIg= +cloud.google.com/go/security v1.15.3/go.mod h1:gQ/7Q2JYUZZgOzqKtw9McShH+MjNvtDpL40J1cT+vBs= +cloud.google.com/go/security v1.15.4/go.mod h1:oN7C2uIZKhxCLiAAijKUCuHLZbIt/ghYEo8MqwD/Ty4= +cloud.google.com/go/securitycenter v1.13.0/go.mod h1:cv5qNAqjY84FCN6Y9z28WlkKXyWsgLO832YiWwkCWcU= +cloud.google.com/go/securitycenter v1.14.0/go.mod h1:gZLAhtyKv85n52XYWt6RmeBdydyxfPeTrpToDPw4Auc= +cloud.google.com/go/securitycenter v1.15.0/go.mod h1:PeKJ0t8MoFmmXLXWm41JidyzI3PJjd8sXWaVqg43WWk= 
+cloud.google.com/go/securitycenter v1.16.0/go.mod h1:Q9GMaLQFUD+5ZTabrbujNWLtSLZIZF7SAR0wWECrjdk= +cloud.google.com/go/securitycenter v1.18.1/go.mod h1:0/25gAzCM/9OL9vVx4ChPeM/+DlfGQJDwBy/UC8AKK0= +cloud.google.com/go/securitycenter v1.19.0/go.mod h1:LVLmSg8ZkkyaNy4u7HCIshAngSQ8EcIRREP3xBnyfag= +cloud.google.com/go/securitycenter v1.23.0/go.mod h1:8pwQ4n+Y9WCWM278R8W3nF65QtY172h4S8aXyI9/hsQ= +cloud.google.com/go/securitycenter v1.23.1/go.mod h1:w2HV3Mv/yKhbXKwOCu2i8bCuLtNP1IMHuiYQn4HJq5s= +cloud.google.com/go/securitycenter v1.24.1/go.mod h1:3h9IdjjHhVMXdQnmqzVnM7b0wMn/1O/U20eWVpMpZjI= +cloud.google.com/go/securitycenter v1.24.2/go.mod h1:l1XejOngggzqwr4Fa2Cn+iWZGf+aBLTXtB/vXjy5vXM= +cloud.google.com/go/servicecontrol v1.4.0/go.mod h1:o0hUSJ1TXJAmi/7fLJAedOovnujSEvjKCAFNXPQ1RaU= +cloud.google.com/go/servicecontrol v1.5.0/go.mod h1:qM0CnXHhyqKVuiZnGKrIurvVImCs8gmqWsDoqe9sU1s= +cloud.google.com/go/servicecontrol v1.10.0/go.mod h1:pQvyvSRh7YzUF2efw7H87V92mxU8FnFDawMClGCNuAA= +cloud.google.com/go/servicecontrol v1.11.0/go.mod h1:kFmTzYzTUIuZs0ycVqRHNaNhgR+UMUpw9n02l/pY+mc= +cloud.google.com/go/servicecontrol v1.11.1/go.mod h1:aSnNNlwEFBY+PWGQ2DoM0JJ/QUXqV5/ZD9DOLB7SnUk= +cloud.google.com/go/servicedirectory v1.4.0/go.mod h1:gH1MUaZCgtP7qQiI+F+A+OpeKF/HQWgtAddhTbhL2bs= +cloud.google.com/go/servicedirectory v1.5.0/go.mod h1:QMKFL0NUySbpZJ1UZs3oFAmdvVxhhxB6eJ/Vlp73dfg= +cloud.google.com/go/servicedirectory v1.6.0/go.mod h1:pUlbnWsLH9c13yGkxCmfumWEPjsRs1RlmJ4pqiNjVL4= +cloud.google.com/go/servicedirectory v1.7.0/go.mod h1:5p/U5oyvgYGYejufvxhgwjL8UVXjkuw7q5XcG10wx1U= +cloud.google.com/go/servicedirectory v1.8.0/go.mod h1:srXodfhY1GFIPvltunswqXpVxFPpZjf8nkKQT7XcXaY= +cloud.google.com/go/servicedirectory v1.9.0/go.mod h1:29je5JjiygNYlmsGz8k6o+OZ8vd4f//bQLtvzkPPT/s= +cloud.google.com/go/servicedirectory v1.10.1/go.mod h1:Xv0YVH8s4pVOwfM/1eMTl0XJ6bzIOSLDt8f8eLaGOxQ= +cloud.google.com/go/servicedirectory v1.11.0/go.mod h1:Xv0YVH8s4pVOwfM/1eMTl0XJ6bzIOSLDt8f8eLaGOxQ= 
+cloud.google.com/go/servicedirectory v1.11.1/go.mod h1:tJywXimEWzNzw9FvtNjsQxxJ3/41jseeILgwU/QLrGI= +cloud.google.com/go/servicedirectory v1.11.2/go.mod h1:KD9hCLhncWRV5jJphwIpugKwM5bn1x0GyVVD4NO8mGg= +cloud.google.com/go/servicedirectory v1.11.3/go.mod h1:LV+cHkomRLr67YoQy3Xq2tUXBGOs5z5bPofdq7qtiAw= +cloud.google.com/go/servicemanagement v1.4.0/go.mod h1:d8t8MDbezI7Z2R1O/wu8oTggo3BI2GKYbdG4y/SJTco= +cloud.google.com/go/servicemanagement v1.5.0/go.mod h1:XGaCRe57kfqu4+lRxaFEAuqmjzF0r+gWHjWqKqBvKFo= +cloud.google.com/go/servicemanagement v1.6.0/go.mod h1:aWns7EeeCOtGEX4OvZUWCCJONRZeFKiptqKf1D0l/Jc= +cloud.google.com/go/servicemanagement v1.8.0/go.mod h1:MSS2TDlIEQD/fzsSGfCdJItQveu9NXnUniTrq/L8LK4= +cloud.google.com/go/serviceusage v1.3.0/go.mod h1:Hya1cozXM4SeSKTAgGXgj97GlqUvF5JaoXacR1JTP/E= +cloud.google.com/go/serviceusage v1.4.0/go.mod h1:SB4yxXSaYVuUBYUml6qklyONXNLt83U0Rb+CXyhjEeU= +cloud.google.com/go/serviceusage v1.5.0/go.mod h1:w8U1JvqUqwJNPEOTQjrMHkw3IaIFLoLsPLvsE3xueec= +cloud.google.com/go/serviceusage v1.6.0/go.mod h1:R5wwQcbOWsyuOfbP9tGdAnCAc6B9DRwPG1xtWMDeuPA= +cloud.google.com/go/shell v1.3.0/go.mod h1:VZ9HmRjZBsjLGXusm7K5Q5lzzByZmJHf1d0IWHEN5X4= +cloud.google.com/go/shell v1.4.0/go.mod h1:HDxPzZf3GkDdhExzD/gs8Grqk+dmYcEjGShZgYa9URw= +cloud.google.com/go/shell v1.6.0/go.mod h1:oHO8QACS90luWgxP3N9iZVuEiSF84zNyLytb+qE2f9A= +cloud.google.com/go/shell v1.7.1/go.mod h1:u1RaM+huXFaTojTbW4g9P5emOrrmLE69KrxqQahKn4g= +cloud.google.com/go/shell v1.7.2/go.mod h1:KqRPKwBV0UyLickMn0+BY1qIyE98kKyI216sH/TuHmc= +cloud.google.com/go/shell v1.7.3/go.mod h1:cTTEz/JdaBsQAeTQ3B6HHldZudFoYBOqjteev07FbIc= +cloud.google.com/go/shell v1.7.4/go.mod h1:yLeXB8eKLxw0dpEmXQ/FjriYrBijNsONpwnWsdPqlKM= +cloud.google.com/go/spanner v1.41.0/go.mod h1:MLYDBJR/dY4Wt7ZaMIQ7rXOTLjYrmxLE/5ve9vFfWos= +cloud.google.com/go/spanner v1.44.0/go.mod h1:G8XIgYdOK+Fbcpbs7p2fiprDw4CaZX63whnSMLVBxjk= +cloud.google.com/go/spanner v1.45.0/go.mod h1:FIws5LowYz8YAE1J8fOS7DJup8ff7xJeetWEo5REA2M= 
+cloud.google.com/go/spanner v1.47.0/go.mod h1:IXsJwVW2j4UKs0eYDqodab6HgGuA1bViSqW4uH9lfUI= +cloud.google.com/go/spanner v1.49.0/go.mod h1:eGj9mQGK8+hkgSVbHNQ06pQ4oS+cyc4tXXd6Dif1KoM= +cloud.google.com/go/spanner v1.50.0/go.mod h1:eGj9mQGK8+hkgSVbHNQ06pQ4oS+cyc4tXXd6Dif1KoM= +cloud.google.com/go/spanner v1.51.0/go.mod h1:c5KNo5LQ1X5tJwma9rSQZsXNBDNvj4/n8BVc3LNahq0= +cloud.google.com/go/speech v1.6.0/go.mod h1:79tcr4FHCimOp56lwC01xnt/WPJZc4v3gzyT7FoBkCM= +cloud.google.com/go/speech v1.7.0/go.mod h1:KptqL+BAQIhMsj1kOP2la5DSEEerPDuOP/2mmkhHhZQ= +cloud.google.com/go/speech v1.8.0/go.mod h1:9bYIl1/tjsAnMgKGHKmBZzXKEkGgtU+MpdDPTE9f7y0= +cloud.google.com/go/speech v1.9.0/go.mod h1:xQ0jTcmnRFFM2RfX/U+rk6FQNUF6DQlydUSyoooSpco= +cloud.google.com/go/speech v1.14.1/go.mod h1:gEosVRPJ9waG7zqqnsHpYTOoAS4KouMRLDFMekpJ0J0= +cloud.google.com/go/speech v1.15.0/go.mod h1:y6oH7GhqCaZANH7+Oe0BhgIogsNInLlz542tg3VqeYI= +cloud.google.com/go/speech v1.17.1/go.mod h1:8rVNzU43tQvxDaGvqOhpDqgkJTFowBpDvCJ14kGlJYo= +cloud.google.com/go/speech v1.19.0/go.mod h1:8rVNzU43tQvxDaGvqOhpDqgkJTFowBpDvCJ14kGlJYo= +cloud.google.com/go/speech v1.19.1/go.mod h1:WcuaWz/3hOlzPFOVo9DUsblMIHwxP589y6ZMtaG+iAA= +cloud.google.com/go/speech v1.19.2/go.mod h1:2OYFfj+Ch5LWjsaSINuCZsre/789zlcCI3SY4oAi2oI= +cloud.google.com/go/speech v1.20.1/go.mod h1:wwolycgONvfz2EDU8rKuHRW3+wc9ILPsAWoikBEWavY= cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3fOKtUw0Xmo= -dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk= -dario.cat/mergo 
v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= +cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y= +cloud.google.com/go/storage v1.23.0/go.mod h1:vOEEDNFnciUMhBeT6hsJIn3ieU5cFRmzeLgDvXzfIXc= +cloud.google.com/go/storage v1.27.0/go.mod h1:x9DOL8TK/ygDUMieqwfhdpQryTeEkhGKMi80i/iqR2s= +cloud.google.com/go/storage v1.28.1/go.mod h1:Qnisd4CqDdo6BGs2AD5LLnEsmSQ80wQ5ogcBBKhU86Y= +cloud.google.com/go/storage v1.29.0/go.mod h1:4puEjyTKnku6gfKoTfNOU/W+a9JyuVNxjpS5GBrB8h4= +cloud.google.com/go/storage v1.30.1/go.mod h1:NfxhC0UJE1aXSx7CIIbCf7y9HKT7BiccwkR7+P7gN8E= +cloud.google.com/go/storagetransfer v1.5.0/go.mod h1:dxNzUopWy7RQevYFHewchb29POFv3/AaBgnhqzqiK0w= +cloud.google.com/go/storagetransfer v1.6.0/go.mod h1:y77xm4CQV/ZhFZH75PLEXY0ROiS7Gh6pSKrM8dJyg6I= +cloud.google.com/go/storagetransfer v1.7.0/go.mod h1:8Giuj1QNb1kfLAiWM1bN6dHzfdlDAVC9rv9abHot2W4= +cloud.google.com/go/storagetransfer v1.8.0/go.mod h1:JpegsHHU1eXg7lMHkvf+KE5XDJ7EQu0GwNJbbVGanEw= +cloud.google.com/go/storagetransfer v1.10.0/go.mod h1:DM4sTlSmGiNczmV6iZyceIh2dbs+7z2Ayg6YAiQlYfA= +cloud.google.com/go/storagetransfer v1.10.1/go.mod h1:rS7Sy0BtPviWYTTJVWCSV4QrbBitgPeuK4/FKa4IdLs= +cloud.google.com/go/storagetransfer v1.10.2/go.mod h1:meIhYQup5rg9juQJdyppnA/WLQCOguxtk1pr3/vBWzA= +cloud.google.com/go/storagetransfer v1.10.3/go.mod h1:Up8LY2p6X68SZ+WToswpQbQHnJpOty/ACcMafuey8gc= +cloud.google.com/go/talent v1.1.0/go.mod h1:Vl4pt9jiHKvOgF9KoZo6Kob9oV4lwd/ZD5Cto54zDRw= +cloud.google.com/go/talent v1.2.0/go.mod h1:MoNF9bhFQbiJ6eFD3uSsg0uBALw4n4gaCaEjBw9zo8g= +cloud.google.com/go/talent v1.3.0/go.mod h1:CmcxwJ/PKfRgd1pBjQgU6W3YBwiewmUzQYH5HHmSCmM= +cloud.google.com/go/talent v1.4.0/go.mod h1:ezFtAgVuRf8jRsvyE6EwmbTK5LKciD4KVnHuDEFmOOA= +cloud.google.com/go/talent v1.5.0/go.mod h1:G+ODMj9bsasAEJkQSzO2uHQWXHHXUomArjWQQYkqK6c= +cloud.google.com/go/talent v1.6.2/go.mod h1:CbGvmKCG61mkdjcqTcLOkb2ZN1SrQI8MDyma2l7VD24= +cloud.google.com/go/talent v1.6.3/go.mod 
h1:xoDO97Qd4AK43rGjJvyBHMskiEf3KulgYzcH6YWOVoo= +cloud.google.com/go/talent v1.6.4/go.mod h1:QsWvi5eKeh6gG2DlBkpMaFYZYrYUnIpo34f6/V5QykY= +cloud.google.com/go/talent v1.6.5/go.mod h1:Mf5cma696HmE+P2BWJ/ZwYqeJXEeU0UqjHFXVLadEDI= +cloud.google.com/go/texttospeech v1.4.0/go.mod h1:FX8HQHA6sEpJ7rCMSfXuzBcysDAuWusNNNvN9FELDd8= +cloud.google.com/go/texttospeech v1.5.0/go.mod h1:oKPLhR4n4ZdQqWKURdwxMy0uiTS1xU161C8W57Wkea4= +cloud.google.com/go/texttospeech v1.6.0/go.mod h1:YmwmFT8pj1aBblQOI3TfKmwibnsfvhIBzPXcW4EBovc= +cloud.google.com/go/texttospeech v1.7.1/go.mod h1:m7QfG5IXxeneGqTapXNxv2ItxP/FS0hCZBwXYqucgSk= +cloud.google.com/go/texttospeech v1.7.2/go.mod h1:VYPT6aTOEl3herQjFHYErTlSZJ4vB00Q2ZTmuVgluD4= +cloud.google.com/go/texttospeech v1.7.3/go.mod h1:Av/zpkcgWfXlDLRYob17lqMstGZ3GqlvJXqKMp2u8so= +cloud.google.com/go/texttospeech v1.7.4/go.mod h1:vgv0002WvR4liGuSd5BJbWy4nDn5Ozco0uJymY5+U74= +cloud.google.com/go/tpu v1.3.0/go.mod h1:aJIManG0o20tfDQlRIej44FcwGGl/cD0oiRyMKG19IQ= +cloud.google.com/go/tpu v1.4.0/go.mod h1:mjZaX8p0VBgllCzF6wcU2ovUXN9TONFLd7iz227X2Xg= +cloud.google.com/go/tpu v1.5.0/go.mod h1:8zVo1rYDFuW2l4yZVY0R0fb/v44xLh3llq7RuV61fPM= +cloud.google.com/go/tpu v1.6.1/go.mod h1:sOdcHVIgDEEOKuqUoi6Fq53MKHJAtOwtz0GuKsWSH3E= +cloud.google.com/go/tpu v1.6.2/go.mod h1:NXh3NDwt71TsPZdtGWgAG5ThDfGd32X1mJ2cMaRlVgU= +cloud.google.com/go/tpu v1.6.3/go.mod h1:lxiueqfVMlSToZY1151IaZqp89ELPSrk+3HIQ5HRkbY= +cloud.google.com/go/tpu v1.6.4/go.mod h1:NAm9q3Rq2wIlGnOhpYICNI7+bpBebMJbh0yyp3aNw1Y= +cloud.google.com/go/trace v1.3.0/go.mod h1:FFUE83d9Ca57C+K8rDl/Ih8LwOzWIV1krKgxg6N0G28= +cloud.google.com/go/trace v1.4.0/go.mod h1:UG0v8UBqzusp+z63o7FK74SdFE+AXpCLdFb1rshXG+Y= +cloud.google.com/go/trace v1.8.0/go.mod h1:zH7vcsbAhklH8hWFig58HvxcxyQbaIqMarMg9hn5ECA= +cloud.google.com/go/trace v1.9.0/go.mod h1:lOQqpE5IaWY0Ixg7/r2SjixMuc6lfTFeO4QGM4dQWOk= +cloud.google.com/go/trace v1.10.1/go.mod h1:gbtL94KE5AJLH3y+WVpfWILmqgc6dXcqgNXdOPAQTYk= +cloud.google.com/go/trace v1.10.2/go.mod 
h1:NPXemMi6MToRFcSxRl2uDnu/qAlAQ3oULUphcHGh1vA= +cloud.google.com/go/trace v1.10.3/go.mod h1:Ke1bgfc73RV3wUFml+uQp7EsDw4dGaETLxB7Iq/r4CY= +cloud.google.com/go/trace v1.10.4/go.mod h1:Nso99EDIK8Mj5/zmB+iGr9dosS/bzWCJ8wGmE6TXNWY= +cloud.google.com/go/translate v1.3.0/go.mod h1:gzMUwRjvOqj5i69y/LYLd8RrNQk+hOmIXTi9+nb3Djs= +cloud.google.com/go/translate v1.4.0/go.mod h1:06Dn/ppvLD6WvA5Rhdp029IX2Mi3Mn7fpMRLPvXT5Wg= +cloud.google.com/go/translate v1.5.0/go.mod h1:29YDSYveqqpA1CQFD7NQuP49xymq17RXNaUDdc0mNu0= +cloud.google.com/go/translate v1.6.0/go.mod h1:lMGRudH1pu7I3n3PETiOB2507gf3HnfLV8qlkHZEyos= +cloud.google.com/go/translate v1.7.0/go.mod h1:lMGRudH1pu7I3n3PETiOB2507gf3HnfLV8qlkHZEyos= +cloud.google.com/go/translate v1.8.1/go.mod h1:d1ZH5aaOA0CNhWeXeC8ujd4tdCFw8XoNWRljklu5RHs= +cloud.google.com/go/translate v1.8.2/go.mod h1:d1ZH5aaOA0CNhWeXeC8ujd4tdCFw8XoNWRljklu5RHs= +cloud.google.com/go/translate v1.9.0/go.mod h1:d1ZH5aaOA0CNhWeXeC8ujd4tdCFw8XoNWRljklu5RHs= +cloud.google.com/go/translate v1.9.1/go.mod h1:TWIgDZknq2+JD4iRcojgeDtqGEp154HN/uL6hMvylS8= +cloud.google.com/go/translate v1.9.2/go.mod h1:E3Tc6rUTsQkVrXW6avbUhKJSr7ZE3j7zNmqzXKHqRrY= +cloud.google.com/go/translate v1.9.3/go.mod h1:Kbq9RggWsbqZ9W5YpM94Q1Xv4dshw/gr/SHfsl5yCZ0= +cloud.google.com/go/video v1.8.0/go.mod h1:sTzKFc0bUSByE8Yoh8X0mn8bMymItVGPfTuUBUyRgxk= +cloud.google.com/go/video v1.9.0/go.mod h1:0RhNKFRF5v92f8dQt0yhaHrEuH95m068JYOvLZYnJSw= +cloud.google.com/go/video v1.12.0/go.mod h1:MLQew95eTuaNDEGriQdcYn0dTwf9oWiA4uYebxM5kdg= +cloud.google.com/go/video v1.13.0/go.mod h1:ulzkYlYgCp15N2AokzKjy7MQ9ejuynOJdf1tR5lGthk= +cloud.google.com/go/video v1.14.0/go.mod h1:SkgaXwT+lIIAKqWAJfktHT/RbgjSuY6DobxEp0C5yTQ= +cloud.google.com/go/video v1.15.0/go.mod h1:SkgaXwT+lIIAKqWAJfktHT/RbgjSuY6DobxEp0C5yTQ= +cloud.google.com/go/video v1.17.1/go.mod h1:9qmqPqw/Ib2tLqaeHgtakU+l5TcJxCJbhFXM7UJjVzU= +cloud.google.com/go/video v1.19.0/go.mod h1:9qmqPqw/Ib2tLqaeHgtakU+l5TcJxCJbhFXM7UJjVzU= +cloud.google.com/go/video 
v1.20.0/go.mod h1:U3G3FTnsvAGqglq9LxgqzOiBc/Nt8zis8S+850N2DUM= +cloud.google.com/go/video v1.20.1/go.mod h1:3gJS+iDprnj8SY6pe0SwLeC5BUW80NjhwX7INWEuWGU= +cloud.google.com/go/video v1.20.2/go.mod h1:lrixr5JeKNThsgfM9gqtwb6Okuqzfo4VrY2xynaViTA= +cloud.google.com/go/video v1.20.3/go.mod h1:TnH/mNZKVHeNtpamsSPygSR0iHtvrR/cW1/GDjN5+GU= +cloud.google.com/go/videointelligence v1.6.0/go.mod h1:w0DIDlVRKtwPCn/C4iwZIJdvC69yInhW0cfi+p546uU= +cloud.google.com/go/videointelligence v1.7.0/go.mod h1:k8pI/1wAhjznARtVT9U1llUaFNPh7muw8QyOUpavru4= +cloud.google.com/go/videointelligence v1.8.0/go.mod h1:dIcCn4gVDdS7yte/w+koiXn5dWVplOZkE+xwG9FgK+M= +cloud.google.com/go/videointelligence v1.9.0/go.mod h1:29lVRMPDYHikk3v8EdPSaL8Ku+eMzDljjuvRs105XoU= +cloud.google.com/go/videointelligence v1.10.0/go.mod h1:LHZngX1liVtUhZvi2uNS0VQuOzNi2TkY1OakiuoUOjU= +cloud.google.com/go/videointelligence v1.11.1/go.mod h1:76xn/8InyQHarjTWsBR058SmlPCwQjgcvoW0aZykOvo= +cloud.google.com/go/videointelligence v1.11.2/go.mod h1:ocfIGYtIVmIcWk1DsSGOoDiXca4vaZQII1C85qtoplc= +cloud.google.com/go/videointelligence v1.11.3/go.mod h1:tf0NUaGTjU1iS2KEkGWvO5hRHeCkFK3nPo0/cOZhZAo= +cloud.google.com/go/videointelligence v1.11.4/go.mod h1:kPBMAYsTPFiQxMLmmjpcZUMklJp3nC9+ipJJtprccD8= +cloud.google.com/go/vision v1.2.0/go.mod h1:SmNwgObm5DpFBme2xpyOyasvBc1aPdjvMk2bBk0tKD0= +cloud.google.com/go/vision/v2 v2.2.0/go.mod h1:uCdV4PpN1S0jyCyq8sIM42v2Y6zOLkZs+4R9LrGYwFo= +cloud.google.com/go/vision/v2 v2.3.0/go.mod h1:UO61abBx9QRMFkNBbf1D8B1LXdS2cGiiCRx0vSpZoUo= +cloud.google.com/go/vision/v2 v2.4.0/go.mod h1:VtI579ll9RpVTrdKdkMzckdnwMyX2JILb+MhPqRbPsY= +cloud.google.com/go/vision/v2 v2.5.0/go.mod h1:MmaezXOOE+IWa+cS7OhRRLK2cNv1ZL98zhqFFZaaH2E= +cloud.google.com/go/vision/v2 v2.6.0/go.mod h1:158Hes0MvOS9Z/bDMSFpjwsUrZ5fPrdwuyyvKSGAGMY= +cloud.google.com/go/vision/v2 v2.7.0/go.mod h1:H89VysHy21avemp6xcf9b9JvZHVehWbET0uT/bcuY/0= +cloud.google.com/go/vision/v2 v2.7.2/go.mod h1:jKa8oSYBWhYiXarHPvP4USxYANYUEdEsQrloLjrSwJU= 
+cloud.google.com/go/vision/v2 v2.7.3/go.mod h1:V0IcLCY7W+hpMKXK1JYE0LV5llEqVmj+UJChjvA1WsM= +cloud.google.com/go/vision/v2 v2.7.4/go.mod h1:ynDKnsDN/0RtqkKxQZ2iatv3Dm9O+HfRb5djl7l4Vvw= +cloud.google.com/go/vision/v2 v2.7.5/go.mod h1:GcviprJLFfK9OLf0z8Gm6lQb6ZFUulvpZws+mm6yPLM= +cloud.google.com/go/vmmigration v1.2.0/go.mod h1:IRf0o7myyWFSmVR1ItrBSFLFD/rJkfDCUTO4vLlJvsE= +cloud.google.com/go/vmmigration v1.3.0/go.mod h1:oGJ6ZgGPQOFdjHuocGcLqX4lc98YQ7Ygq8YQwHh9A7g= +cloud.google.com/go/vmmigration v1.5.0/go.mod h1:E4YQ8q7/4W9gobHjQg4JJSgXXSgY21nA5r8swQV+Xxc= +cloud.google.com/go/vmmigration v1.6.0/go.mod h1:bopQ/g4z+8qXzichC7GW1w2MjbErL54rk3/C843CjfY= +cloud.google.com/go/vmmigration v1.7.1/go.mod h1:WD+5z7a/IpZ5bKK//YmT9E047AD+rjycCAvyMxGJbro= +cloud.google.com/go/vmmigration v1.7.2/go.mod h1:iA2hVj22sm2LLYXGPT1pB63mXHhrH1m/ruux9TwWLd8= +cloud.google.com/go/vmmigration v1.7.3/go.mod h1:ZCQC7cENwmSWlwyTrZcWivchn78YnFniEQYRWQ65tBo= +cloud.google.com/go/vmmigration v1.7.4/go.mod h1:yBXCmiLaB99hEl/G9ZooNx2GyzgsjKnw5fWcINRgD70= +cloud.google.com/go/vmwareengine v0.1.0/go.mod h1:RsdNEf/8UDvKllXhMz5J40XxDrNJNN4sagiox+OI208= +cloud.google.com/go/vmwareengine v0.2.2/go.mod h1:sKdctNJxb3KLZkE/6Oui94iw/xs9PRNC2wnNLXsHvH8= +cloud.google.com/go/vmwareengine v0.3.0/go.mod h1:wvoyMvNWdIzxMYSpH/R7y2h5h3WFkx6d+1TIsP39WGY= +cloud.google.com/go/vmwareengine v0.4.1/go.mod h1:Px64x+BvjPZwWuc4HdmVhoygcXqEkGHXoa7uyfTgSI0= +cloud.google.com/go/vmwareengine v1.0.0/go.mod h1:Px64x+BvjPZwWuc4HdmVhoygcXqEkGHXoa7uyfTgSI0= +cloud.google.com/go/vmwareengine v1.0.1/go.mod h1:aT3Xsm5sNx0QShk1Jc1B8OddrxAScYLwzVoaiXfdzzk= +cloud.google.com/go/vmwareengine v1.0.2/go.mod h1:xMSNjIk8/itYrz1JA8nV3Ajg4L4n3N+ugP8JKzk3OaA= +cloud.google.com/go/vmwareengine v1.0.3/go.mod h1:QSpdZ1stlbfKtyt6Iu19M6XRxjmXO+vb5a/R6Fvy2y4= +cloud.google.com/go/vpcaccess v1.4.0/go.mod h1:aQHVbTWDYUR1EbTApSVvMq1EnT57ppDmQzZ3imqIk4w= +cloud.google.com/go/vpcaccess v1.5.0/go.mod h1:drmg4HLk9NkZpGfCmZ3Tz0Bwnm2+DKqViEpeEpOq0m8= 
+cloud.google.com/go/vpcaccess v1.6.0/go.mod h1:wX2ILaNhe7TlVa4vC5xce1bCnqE3AeH27RV31lnmZes= +cloud.google.com/go/vpcaccess v1.7.1/go.mod h1:FogoD46/ZU+JUBX9D606X21EnxiszYi2tArQwLY4SXs= +cloud.google.com/go/vpcaccess v1.7.2/go.mod h1:mmg/MnRHv+3e8FJUjeSibVFvQF1cCy2MsFaFqxeY1HU= +cloud.google.com/go/vpcaccess v1.7.3/go.mod h1:YX4skyfW3NC8vI3Fk+EegJnlYFatA+dXK4o236EUCUc= +cloud.google.com/go/vpcaccess v1.7.4/go.mod h1:lA0KTvhtEOb/VOdnH/gwPuOzGgM+CWsmGu6bb4IoMKk= +cloud.google.com/go/webrisk v1.4.0/go.mod h1:Hn8X6Zr+ziE2aNd8SliSDWpEnSS1u4R9+xXZmFiHmGE= +cloud.google.com/go/webrisk v1.5.0/go.mod h1:iPG6fr52Tv7sGk0H6qUFzmL3HHZev1htXuWDEEsqMTg= +cloud.google.com/go/webrisk v1.6.0/go.mod h1:65sW9V9rOosnc9ZY7A7jsy1zoHS5W9IAXv6dGqhMQMc= +cloud.google.com/go/webrisk v1.7.0/go.mod h1:mVMHgEYH0r337nmt1JyLthzMr6YxwN1aAIEc2fTcq7A= +cloud.google.com/go/webrisk v1.8.0/go.mod h1:oJPDuamzHXgUc+b8SiHRcVInZQuybnvEW72PqTc7sSg= +cloud.google.com/go/webrisk v1.9.1/go.mod h1:4GCmXKcOa2BZcZPn6DCEvE7HypmEJcJkr4mtM+sqYPc= +cloud.google.com/go/webrisk v1.9.2/go.mod h1:pY9kfDgAqxUpDBOrG4w8deLfhvJmejKB0qd/5uQIPBc= +cloud.google.com/go/webrisk v1.9.3/go.mod h1:RUYXe9X/wBDXhVilss7EDLW9ZNa06aowPuinUOPCXH8= +cloud.google.com/go/webrisk v1.9.4/go.mod h1:w7m4Ib4C+OseSr2GL66m0zMBywdrVNTDKsdEsfMl7X0= +cloud.google.com/go/websecurityscanner v1.3.0/go.mod h1:uImdKm2wyeXQevQJXeh8Uun/Ym1VqworNDlBXQevGMo= +cloud.google.com/go/websecurityscanner v1.4.0/go.mod h1:ebit/Fp0a+FWu5j4JOmJEV8S8CzdTkAS77oDsiSqYWQ= +cloud.google.com/go/websecurityscanner v1.5.0/go.mod h1:Y6xdCPy81yi0SQnDY1xdNTNpfY1oAgXUlcfN3B3eSng= +cloud.google.com/go/websecurityscanner v1.6.1/go.mod h1:Njgaw3rttgRHXzwCB8kgCYqv5/rGpFCsBOvPbYgszpg= +cloud.google.com/go/websecurityscanner v1.6.2/go.mod h1:7YgjuU5tun7Eg2kpKgGnDuEOXWIrh8x8lWrJT4zfmas= +cloud.google.com/go/websecurityscanner v1.6.3/go.mod h1:x9XANObUFR+83Cya3g/B9M/yoHVqzxPnFtgF8yYGAXw= +cloud.google.com/go/websecurityscanner v1.6.4/go.mod h1:mUiyMQ+dGpPPRkHgknIZeCzSHJ45+fY4F52nZFDHm2o= 
+cloud.google.com/go/workflows v1.6.0/go.mod h1:6t9F5h/unJz41YqfBmqSASJSXccBLtD1Vwf+KmJENM0= +cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoISEXH2bcHC3M= +cloud.google.com/go/workflows v1.8.0/go.mod h1:ysGhmEajwZxGn1OhGOGKsTXc5PyxOc0vfKf5Af+to4M= +cloud.google.com/go/workflows v1.9.0/go.mod h1:ZGkj1aFIOd9c8Gerkjjq7OW7I5+l6cSvT3ujaO/WwSA= +cloud.google.com/go/workflows v1.10.0/go.mod h1:fZ8LmRmZQWacon9UCX1r/g/DfAXx5VcPALq2CxzdePw= +cloud.google.com/go/workflows v1.11.1/go.mod h1:Z+t10G1wF7h8LgdY/EmRcQY8ptBD/nvofaL6FqlET6g= +cloud.google.com/go/workflows v1.12.0/go.mod h1:PYhSk2b6DhZ508tj8HXKaBh+OFe+xdl0dHF/tJdzPQM= +cloud.google.com/go/workflows v1.12.1/go.mod h1:5A95OhD/edtOhQd/O741NSfIMezNTbCwLM1P1tBRGHM= +cloud.google.com/go/workflows v1.12.2/go.mod h1:+OmBIgNqYJPVggnMo9nqmizW0qEXHhmnAzK/CnBqsHc= +cloud.google.com/go/workflows v1.12.3/go.mod h1:fmOUeeqEwPzIU81foMjTRQIdwQHADi/vEr1cx9R1m5g= +dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s= +dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= +gioui.org v0.0.0-20210308172011-57750fc8a0a6/go.mod h1:RSH6KIUZ0p2xy5zHDxgAM4zumjgTw83q2ge/PI+yyw8= +git.sr.ht/~sbinet/gg v0.3.1/go.mod h1:KGYtlADtqsqANL9ueOFkWymvzUvLMQllU5Ixo+8v3pc= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20210715213245-6c3934b029d8/go.mod h1:CzsSbkDixRphAF5hS6wbMKq0eI6ccJRb7/A0M6JBnwg= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20221206110420-d395f97c4830/go.mod h1:VzwV+t+dZ9j/H867F1M2ziD+yLHtB46oM35FxxMJ4d0= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1/go.mod h1:VzwV+t+dZ9j/H867F1M2ziD+yLHtB46oM35FxxMJ4d0= +github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20221215162035-5330a85ea652/go.mod h1:OahwfttHWG6eJ0clwcfBAHoDI6X/LV/15hx/wlMZSrU= +github.com/Azure/azure-sdk-for-go v16.2.1+incompatible/go.mod 
h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v56.3.0+incompatible h1:DmhwMrUIvpeoTDiWRDtNHqelNUd3Og8JCkrLHQK795c= +github.com/Azure/azure-sdk-for-go v56.3.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 h1:E+OJmp2tPvt1W+amx48v1eqbjDYsgN+RzP4q16yV5eM= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1/go.mod h1:a6xsAQUZg+VsS3TJ05SRp524Hs4pZ/AeFSr5ENf0Yjo= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0/go.mod h1:OQeznEEkTZ9OrhHJoDD8ZDq51FHgXjqtP9z6bEwBq9U= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 h1:U2rTu3Ef+7w9FHKIAXM6ZyqF3UOWJZ12zIm8zECAFfg= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0/go.mod h1:okt5dMMTOFjX/aovMlrjvvXoPMBVSPzk9185BT0+eZM= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0 h1:jBQA3cKT4L2rWMpgE7Yt3Hwh2aUj8KXjIGLxjHeYNNo= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0/go.mod h1:4OG6tQ9EOP/MT0NMjDlRzWoVFxfu9rN9B2X+tlSVktg= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v2 v2.0.0 h1:PTFGRSlMKCQelWwxUyYVEUqseBJVemLyqWJjvMyt0do= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v2 v2.0.0/go.mod h1:LRr2FzBTQlONPPa5HREE5+RjSCTXl7BwOvYOaWTqCaI= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/managementgroups/armmanagementgroups v1.0.0 h1:pPvTJ1dY0sA35JOeFq6TsY2xj6Z85Yo23Pj4wCCvu4o= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/managementgroups/armmanagementgroups v1.0.0/go.mod h1:mLfWfj8v3jfWKsL9G4eoBoXVcsqcIUTapmdKy7uGOp0= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0 h1:Dd+RhdJn0OTtVGaeDLZpcumkIVCtA/3/Fo42+eoYvVM= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources 
v1.2.0/go.mod h1:5kakwfW5CjC9KK+Q4wjXAg+ShuIm2mBMua0ZFj2C8PE= +github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= +github.com/Azure/go-ansiterm v0.0.0-20210608223527-2377c96fe795/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= +github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= +github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0= +github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= +github.com/Azure/go-autorest v10.8.1+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= +github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= +github.com/Azure/go-autorest/autorest v0.11.1/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw= +github.com/Azure/go-autorest/autorest v0.11.18/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA= +github.com/Azure/go-autorest/autorest v0.11.24/go.mod h1:G6kyRlFnTuSbEYkQGawPfsCswgme4iYf6rfSKUDzbCc= +github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg= +github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A= +github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= +github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= +github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= +github.com/Azure/go-autorest/autorest/mocks v0.4.0/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= +github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= +github.com/Azure/go-autorest/autorest/to v0.4.0/go.mod 
h1:fE8iZBn7LQR7zH/9XU2NcPR4o9jEImooCeWJcYV/zLE= +github.com/Azure/go-autorest/logger v0.2.0/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= +github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= +github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= +github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= +github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= +github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= +github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= +github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0/go.mod h1:kgDmCTgBzIEPFElEF+FK0SdjAor06dRq2Go927dnQ6o= +github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 h1:XHOnouVk1mxXfQidrMEnLlPk9UMeRtyBTnEFtxkV0kU= +github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= +github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= +github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c/go.mod h1:X0CRv0ky0k6m906ixxpzmDRLvX58TFUKS2eePweuyxk= +github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs= +github.com/Microsoft/go-winio v0.4.11/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA= +github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA= 
+github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw= +github.com/Microsoft/go-winio v0.4.16-0.20201130162521-d1ffc52c7331/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0= +github.com/Microsoft/go-winio v0.4.16/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0= +github.com/Microsoft/go-winio v0.4.17-0.20210211115548-6eac466e5fa3/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= +github.com/Microsoft/go-winio v0.4.17-0.20210324224401-5516f17a5958/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= +github.com/Microsoft/go-winio v0.4.17/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= +github.com/Microsoft/go-winio v0.5.1/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= +github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY= +github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE= +github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow= +github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM= +github.com/Microsoft/hcsshim v0.8.6/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg= +github.com/Microsoft/hcsshim v0.8.7-0.20190325164909-8abdbb8205e4/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg= +github.com/Microsoft/hcsshim v0.8.7/go.mod h1:OHd7sQqRFrYd3RmSgbgji+ctCwkbq2wbEYNSzOYtcBQ= +github.com/Microsoft/hcsshim v0.8.9/go.mod h1:5692vkUqntj1idxauYlpoINNKeqCiG6Sg38RRsjT5y8= +github.com/Microsoft/hcsshim v0.8.14/go.mod h1:NtVKoYxQuTLx6gEq0L96c9Ju4JbRJ4nY2ow3VK6a9Lg= +github.com/Microsoft/hcsshim v0.8.15/go.mod h1:x38A4YbHbdxJtc0sF6oIz+RG0npwSCAvn69iY6URG00= +github.com/Microsoft/hcsshim v0.8.16/go.mod h1:o5/SZqmR7x9JNKsW3pu+nqHm0MF8vbA+VxGOoXdC600= +github.com/Microsoft/hcsshim v0.8.20/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwTOcER2fw4I4= +github.com/Microsoft/hcsshim v0.8.21/go.mod 
h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwTOcER2fw4I4= +github.com/Microsoft/hcsshim v0.8.23/go.mod h1:4zegtUJth7lAvFyc6cH2gGQ5B3OFQim01nnU2M8jKDg= +github.com/Microsoft/hcsshim v0.9.2/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc= +github.com/Microsoft/hcsshim v0.9.3/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc= +github.com/Microsoft/hcsshim v0.9.4/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc= +github.com/Microsoft/hcsshim v0.9.6/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc= +github.com/Microsoft/hcsshim v0.10.0-rc.7/go.mod h1:ILuwjA+kNW+MrN/w5un7n3mTqkwsFu4Bp05/okFUZlE= +github.com/Microsoft/hcsshim/test v0.0.0-20201218223536-d3e5debf77da/go.mod h1:5hlzMzRKMLyo42nCZ9oml8AdTlq/0cvIaBv6tK1RehU= +github.com/Microsoft/hcsshim/test v0.0.0-20210227013316-43a75bb4edd3/go.mod h1:mw7qgWloBUl75W/gVH3cQszUg1+gUITj7D6NY7ywVnY= +github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= +github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c= +github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 h1:TngWCqHvy9oXAN6lEVMRuU21PR1EtLVZJmdB18Gu3Rw= +github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8D7ML55dXQrVaamCz2vxCfdQBasLZfHKk= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= +github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q= +github.com/ProtonMail/go-crypto v1.1.0-alpha.0 h1:nHGfwXmFvJrSR9xu8qL7BkO4DqTHXE9N5vPhgY2I+j0= +github.com/ProtonMail/go-crypto v1.1.0-alpha.0/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE= +github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= 
+github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ= github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo= github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= +github.com/agnivade/levenshtein v1.0.1/go.mod h1:CURSv5d9Uaml+FovSIICkLbAUZ9S4RqaHDIsdSBg7lM= +github.com/ajstarks/deck v0.0.0-20200831202436-30c9fc6549a9/go.mod h1:JynElWSGnm/4RlzPXRlREEwqTHAN3T56Bv2ITsFT3gY= +github.com/ajstarks/deck/generate v0.0.0-20210309230005-c3f852c02e19/go.mod h1:T13YZdzov6OU0A1+RfKZiZN9ca6VeKdBdyDV+BY97Tk= +github.com/ajstarks/svgo v0.0.0-20180226025133-644b8db467af/go.mod h1:K08gAheRH3/J6wwsYMMT4xOr94bZjxIelGM0+d/wbFw= +github.com/ajstarks/svgo v0.0.0-20211024235047-1546f124cd8b/go.mod h1:1KcenG0jGWcpt8ov532z81sp/kMMUG485J2InIOyADM= +github.com/alecthomas/kingpin/v2 v2.4.0 h1:f48lwail6p8zpO1bC4TxtqACaGqHYA22qkHjHpqDjYY= +github.com/alecthomas/kingpin/v2 v2.4.0/go.mod h1:0gyi0zQnjuFk8xrkNKamJoyUo382HRL7ATRpFZCw6tE= github.com/alecthomas/kong v0.2.16/go.mod h1:kQOmtJgV+Lb4aj+I2LEn40cbtawdWJ9Y8QLq+lElKxE= +github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 h1:JYp7IbQjafoB+tBA3gMyHYHrpOtNuDiK/uB5uXxq5wM= github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/alecthomas/units 
v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho= github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137 h1:s6gZFSlWYmbqAuRjVTiNNhvNRfY2Wxp9nhfyel4rklc= github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137/go.mod h1:OMCwj8VM1Kc9e19TLln2VL61YJF0x1XFtfdL4JdbSyE= +github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA= +github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= +github.com/alexflint/go-filemutex v0.0.0-20171022225611-72bdc8eae2ae/go.mod h1:CgnQgUtFrFz9mxFNtED3jI5tLDjKlOM+oUF/sTk6ps0= +github.com/alexflint/go-filemutex v1.1.0/go.mod h1:7P4iRhttt/nUvUOrYIhcpMzv2G6CY9UnI16Z+UJqRyk= +github.com/alexflint/go-filemutex v1.2.0/go.mod h1:mYyQSWvw9Tx2/H2n9qXPb52tTYfE0pZAWcBq5mK025c= +github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8= +github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= github.com/antchfx/htmlquery v1.2.4 h1:qLteofCMe/KGovBI6SQgmou2QNyedFUW+pE+BpeZ494= github.com/antchfx/htmlquery v1.2.4/go.mod h1:2xO6iu3EVWs7R2JYqBbp8YzG50gj/ofqs5/0VZoDZLc= github.com/antchfx/xpath v1.2.0 h1:mbwv7co+x0RwgeGAOHdrKy89GvHaGvxxBtPK0uF9Zr8= github.com/antchfx/xpath v1.2.0/go.mod h1:i54GszH55fYfBmoZXapTHN8T8tkcHfRgLyVwwqzXNcs= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= +github.com/antlr/antlr4/runtime/Go/antlr v0.0.0-20220418222510-f25a4f6275ed/go.mod h1:F7bn7fEU90QkQ3tnmaTx3LTKLEDqnwWODIYppRQ5hnY= +github.com/antlr/antlr4/runtime/Go/antlr v1.4.10/go.mod h1:F7bn7fEU90QkQ3tnmaTx3LTKLEDqnwWODIYppRQ5hnY= +github.com/apache/arrow/go/v10 v10.0.1/go.mod h1:YvhnlEePVnBS4+0z3fhPfUy7W1Ikj0Ih0vcRo/gZ1M0= +github.com/apache/arrow/go/v11 v11.0.0/go.mod h1:Eg5OsL5H+e299f7u5ssuXsuHQVEGC4xei5aX110hRiI= +github.com/apache/arrow/go/v12 v12.0.0/go.mod 
h1:d+tV/eHZZ7Dz7RPrFKtPK02tpr+c9/PEd/zm8mDS9Vg= +github.com/apache/thrift v0.16.0/go.mod h1:PHK3hniurgQaNMZYaCLEqXKsYK8upmhPbmdP2FXSqgU= github.com/apparentlymart/go-dump v0.0.0-20180507223929-23540a00eaa3/go.mod h1:oL81AME2rN47vu18xqj1S1jPIPuN7afo62yKTNn3XMM= -github.com/apparentlymart/go-dump v0.0.0-20190214190832-042adf3cf4a0 h1:MzVXffFUye+ZcSR6opIgz9Co7WcDx6ZcY+RjfFHoA0I= github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/Nj9VFpLOpjS5yuumk= github.com/apparentlymart/go-textseg/v12 v12.0.0/go.mod h1:S/4uRK2UtaQttw1GenVJEynmyUenKwP++x/+DdGV/Ec= -github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw= github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo= +github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY= +github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4= +github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= +github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= +github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= +github.com/armon/go-metrics v0.3.9/go.mod h1:4O98XIr/9W0sxpJ8UaYkvjk10Iff7SnFrb4QAOwNTFc= +github.com/armon/go-metrics v0.4.1 h1:hR91U9KYmb6bLBYLQjyM+3j+rcd/UhE+G78SFnF8gJA= +github.com/armon/go-metrics v0.4.1/go.mod h1:E6amYzXo6aW1tqzoZGT755KkbgrJsSdpwZ+3JqfkOG4= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= -github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8= +github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI= +github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= 
+github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= +github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= +github.com/aws/aws-sdk-go v1.15.11/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0= +github.com/aws/aws-sdk-go v1.34.0/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0= +github.com/aws/aws-sdk-go v1.43.9/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= +github.com/aws/aws-sdk-go v1.43.16/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= +github.com/aws/aws-sdk-go v1.50.13 h1:yeXram2g7q8uKkQkAEeZyk9FmPzxI4UpGwAZGZtEGmM= +github.com/aws/aws-sdk-go v1.50.13/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= +github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM= github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= +github.com/beorn7/perks v0.0.0-20160804104726-4c0e84591b9a/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= +github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= +github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= +github.com/bitly/go-simplejson v0.5.0/go.mod h1:cXHtHw4XUPsvGaxgjIAn8PhEWG9NfngEKAMDJEczWVA= +github.com/bits-and-blooms/bitset v1.2.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA= +github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84= +github.com/blang/semver v3.1.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= +github.com/blang/semver v3.5.1+incompatible/go.mod 
h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= +github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= +github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= +github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4= +github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= +github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= +github.com/bshuster-repo/logrus-logstash-hook v0.4.1/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk= +github.com/bshuster-repo/logrus-logstash-hook v1.0.0/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk= +github.com/bufbuild/protocompile v0.4.0/go.mod h1:3v93+mbWn/v3xzN+31nwkJfrEpAUwp+BagBSZWx+TP8= +github.com/bufbuild/protocompile v0.6.0 h1:Uu7WiSQ6Yj9DbkdnOe7U4mNKp58y9WDMKDn28/ZlunY= +github.com/bufbuild/protocompile v0.6.0/go.mod h1:YNP35qEYoYGme7QMtz5SBCoN4kL4g12jTtjuzRNdjpE= +github.com/buger/jsonparser v0.0.0-20180808090653-f4dd9f5a6b44/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s= github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0= -github.com/cenkalti/backoff/v3 v3.0.0 h1:ske+9nBpD9qZsTBoF41nW5L+AIuFBKMeze18XQ3eG1c= +github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd/go.mod h1:2oa8nejYd4cQ/b0hMIopN0lCRxU0bueqREvZLWFrtK8= +github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b/go.mod h1:obH5gd0BsqsP2LwDJ9aOkm/6J86V6lyAXCoQWGw3K50= +github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0/go.mod h1:D/8v3kj0zr8ZAKg1AQ6crr+5VwKN5eIywRkfhyM/+dE= +github.com/bytecodealliance/wasmtime-go v0.36.0/go.mod h1:q320gUxqyI8yB+ZqRuaJOEnGkAnHh6WtJjMaT2CW4wI= +github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4= +github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM= 
github.com/cenkalti/backoff/v3 v3.0.0/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs= +github.com/cenkalti/backoff/v3 v3.2.2 h1:cfUAAO3yvKMYKPrvhDuHSwQnhZNk/RMHKdZqKTxfm6M= +github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs= +github.com/cenkalti/backoff/v4 v4.1.1/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw= +github.com/cenkalti/backoff/v4 v4.1.2/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw= +github.com/cenkalti/backoff/v4 v4.1.3/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw= +github.com/cenkalti/backoff/v4 v4.2.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= +github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM= +github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/census-instrumentation/opencensus-proto v0.3.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw= +github.com/certifi/gocertifi v0.0.0-20191021191039-0944d244cd40/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA= +github.com/certifi/gocertifi v0.0.0-20200922220541-2c3bb06c6054/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= +github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/checkpoint-restore/go-criu/v4 v4.1.0/go.mod h1:xUQBLp4RLc5zJtWY++yjOoMoB5lihDt7fai+75m+rGw= 
+github.com/checkpoint-restore/go-criu/v5 v5.0.0/go.mod h1:cfwC0EG7HMUenopBsUf9d89JlCLQIfgVcNsNN0t6T2M= +github.com/checkpoint-restore/go-criu/v5 v5.3.0/go.mod h1:E/eQpaFtUKGOOSEBZgmKAcn+zUUwWxqcaKZlF54wK8E= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/cilium/ebpf v0.0.0-20200110133405-4032b1d8aae3/go.mod h1:MA5e5Lr8slmEg9bt0VpxxWqJlO4iwu3FBdHUzV7wQVg= +github.com/cilium/ebpf v0.0.0-20200702112145-1c8d4c9ef775/go.mod h1:7cR51M8ViRLIdUjrmSXlK9pkrsDlLHbO8jiB8X8JnOc= +github.com/cilium/ebpf v0.2.0/go.mod h1:To2CFviqOWL/M0gIMsvSMlqe7em/l1ALkX1PyjrX2Qs= +github.com/cilium/ebpf v0.4.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs= +github.com/cilium/ebpf v0.6.2/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs= +github.com/cilium/ebpf v0.7.0/go.mod h1:/oI2+1shJiTGAMgl6/RgJr36Eo1jzrRcAWbcXO2usCA= +github.com/cilium/ebpf v0.9.1/go.mod h1:+OhNOIXx/Fnu1IE8bJz2dzOA+VSfyTfdNUVdlQnxUFY= +github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag= +github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU= +github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod 
h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= +github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= +github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20220314180256-7f1daf1720fc/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20230105202645-06c439db220b/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20230310173818-32f1caf87195/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20230428030218-4003588d1b74/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20231109132714-523115ebc101 h1:7To3pQ+pZo0i3dsWEbinPNFs5gPSBOsJtx3wTT94VBY= +github.com/cncf/xds/go v0.0.0-20231109132714-523115ebc101/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ= +github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= +github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h6jFvWxBdQXxjopDMZyH2UVceIRfR84bdzbkoKrsWNo= 
+github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA= +github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f/go.mod h1:i/u985jwjWRlyHXQbwatDASoW0RMlZ/3i9yJHE2xLkI= +github.com/container-orchestrated-devices/container-device-interface v0.5.4/go.mod h1:DjE95rfPiiSmG7uVXtg0z6MnPm/Lx4wxKCIts0ZE0vg= +github.com/containerd/aufs v0.0.0-20200908144142-dab0cbea06f4/go.mod h1:nukgQABAEopAHvB6j7cnP5zJ+/3aVcE7hCYqvIwAHyE= +github.com/containerd/aufs v0.0.0-20201003224125-76a6863f2989/go.mod h1:AkGGQs9NM2vtYHaUen+NljV0/baGCAPELGm2q9ZXpWU= +github.com/containerd/aufs v0.0.0-20210316121734-20793ff83c97/go.mod h1:kL5kd6KM5TzQjR79jljyi4olc1Vrx6XBlcyj3gNv2PU= +github.com/containerd/aufs v1.0.0/go.mod h1:kL5kd6KM5TzQjR79jljyi4olc1Vrx6XBlcyj3gNv2PU= +github.com/containerd/btrfs v0.0.0-20201111183144-404b9149801e/go.mod h1:jg2QkJcsabfHugurUvvPhS3E08Oxiuh5W/g1ybB4e0E= +github.com/containerd/btrfs v0.0.0-20210316141732-918d888fb676/go.mod h1:zMcX3qkXTAi9GI50+0HOeuV8LU2ryCE/V2vG/ZBiTss= +github.com/containerd/btrfs v1.0.0/go.mod h1:zMcX3qkXTAi9GI50+0HOeuV8LU2ryCE/V2vG/ZBiTss= +github.com/containerd/btrfs/v2 v2.0.0/go.mod h1:swkD/7j9HApWpzl8OHfrHNxppPd9l44DFZdF94BUj9k= +github.com/containerd/cgroups v0.0.0-20190717030353-c4b9ac5c7601/go.mod h1:X9rLEHIqSf/wfK8NsPqxJmeZgW4pcfzdXITDrUSJ6uI= +github.com/containerd/cgroups v0.0.0-20190919134610-bf292b21730f/go.mod h1:OApqhQ4XNSNC13gXIwDjhOQxjWa/NxkwZXJ1EvqT0ko= +github.com/containerd/cgroups v0.0.0-20200531161412-0dbf7f05ba59/go.mod h1:pA0z1pT8KYB3TCXK/ocprsh7MAkoW8bZVzPdih9snmM= +github.com/containerd/cgroups v0.0.0-20200710171044-318312a37340/go.mod h1:s5q4SojHctfxANBDvMeIaIovkq29IP48TKAxnhYRxvo= +github.com/containerd/cgroups v0.0.0-20200824123100-0b889c03f102/go.mod h1:s5q4SojHctfxANBDvMeIaIovkq29IP48TKAxnhYRxvo= +github.com/containerd/cgroups v0.0.0-20210114181951-8a68de567b68/go.mod h1:ZJeTFisyysqgcCdecO57Dj79RfL0LNeGiFUqLYQRYLE= +github.com/containerd/cgroups v1.0.1/go.mod 
h1:0SJrPIenamHDcZhEcJMNBB85rHcUsw4f25ZfBiPYRkU= +github.com/containerd/cgroups v1.0.3/go.mod h1:/ofk34relqNjSGyqPrmEULrO4Sc8LJhvJmWbUCUKqj8= +github.com/containerd/cgroups v1.1.0/go.mod h1:6ppBcbh/NOOUU+dMKrykgaBnK9lCIBxHqJDGwsa1mIw= +github.com/containerd/cgroups/v3 v3.0.1/go.mod h1:/vtwk1VXrtoa5AaZLkypuOJgA/6DyPMZHJPGQNtlHnw= +github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw= +github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw= +github.com/containerd/console v0.0.0-20191206165004-02ecf6a7291e/go.mod h1:8Pf4gM6VEbTNRIT26AyyU7hxdQU3MvAvxVI0sc00XBE= +github.com/containerd/console v1.0.1/go.mod h1:XUsP6YE/mKtz6bxc+I8UiKKTP04qjQL4qcS3XoQ5xkw= +github.com/containerd/console v1.0.2/go.mod h1:ytZPjGgY2oeTkAONYafi2kSj0aYggsf8acV1PGKCbzQ= +github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U= +github.com/containerd/containerd v1.2.10/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= +github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= +github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= +github.com/containerd/containerd v1.3.1-0.20191213020239-082f7e3aed57/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= +github.com/containerd/containerd v1.3.2/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= +github.com/containerd/containerd v1.4.0-beta.2.0.20200729163537-40b22ef07410/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= +github.com/containerd/containerd v1.4.1/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= +github.com/containerd/containerd v1.4.3/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= +github.com/containerd/containerd v1.4.9/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= +github.com/containerd/containerd v1.5.0-beta.1/go.mod 
h1:5HfvG1V2FsKesEGQ17k5/T7V960Tmcumvqn8Mc+pCYQ= +github.com/containerd/containerd v1.5.0-beta.3/go.mod h1:/wr9AVtEM7x9c+n0+stptlo/uBBoBORwEx6ardVcmKU= +github.com/containerd/containerd v1.5.0-beta.4/go.mod h1:GmdgZd2zA2GYIBZ0w09ZvgqEq8EfBp/m3lcVZIvPHhI= +github.com/containerd/containerd v1.5.0-rc.0/go.mod h1:V/IXoMqNGgBlabz3tHD2TWDoTJseu1FGOKuoA4nNb2s= +github.com/containerd/containerd v1.5.1/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g= +github.com/containerd/containerd v1.5.7/go.mod h1:gyvv6+ugqY25TiXxcZC3L5yOeYgEw0QMhscqVp1AR9c= +github.com/containerd/containerd v1.5.8/go.mod h1:YdFSv5bTFLpG2HIYmfqDpSYYTDX+mc5qtSuYx1YUb/s= +github.com/containerd/containerd v1.6.1/go.mod h1:1nJz5xCZPusx6jJU8Frfct988y0NpumIq9ODB0kLtoE= +github.com/containerd/containerd v1.6.6/go.mod h1:ZoP1geJldzCVY3Tonoz7b1IXk8rIX0Nltt5QE4OMNk0= +github.com/containerd/containerd v1.6.8/go.mod h1:By6p5KqPK0/7/CgO/A6t/Gz+CUYUu2zf1hUaaymVXB0= +github.com/containerd/containerd v1.6.9/go.mod h1:XVicUvkxOrftE2Q1YWUXgZwkkAxwQYNOFzYWvfVfEfQ= +github.com/containerd/containerd v1.7.0/go.mod h1:QfR7Efgb/6X2BDpTPJRvPTYDE9rsF0FsXX9J8sIs/sc= +github.com/containerd/containerd v1.7.12 h1:+KQsnv4VnzyxWcfO9mlxxELaoztsDEjOuCMPAuPqgU0= +github.com/containerd/containerd v1.7.12/go.mod h1:/5OMpE1p0ylxtEUGY8kuCYkDRzJm9NO1TFMWjUpdevk= +github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= +github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= +github.com/containerd/continuity v0.0.0-20191127005431-f65d91d395eb/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= +github.com/containerd/continuity v0.0.0-20200710164510-efbc4488d8fe/go.mod h1:cECdGN1O8G9bgKTlLhuPJimka6Xb/Gg7vYzCTNVxhvo= +github.com/containerd/continuity v0.0.0-20201208142359-180525291bb7/go.mod h1:kR3BEg7bDFaEddKm54WSmrol1fKWDU1nKYkgrcgZT7Y= +github.com/containerd/continuity 
v0.0.0-20210208174643-50096c924a4e/go.mod h1:EXlVlkqNba9rJe3j7w3Xa924itAMLgZH4UD/Q4PExuQ= +github.com/containerd/continuity v0.1.0/go.mod h1:ICJu0PwR54nI0yPEnJ6jcS+J7CZAUXrLh8lPo2knzsM= +github.com/containerd/continuity v0.2.2/go.mod h1:pWygW9u7LtS1o4N/Tn0FoCFDIXZ7rxcMX7HX1Dmibvk= +github.com/containerd/continuity v0.3.0 h1:nisirsYROK15TAMVukJOUyGJjz4BNQJBVsNvAXZJ/eg= +github.com/containerd/continuity v0.3.0/go.mod h1:wJEAIwKOm/pBZuBd0JmeTvnLquTB1Ag8espWhkykbPM= +github.com/containerd/fifo v0.0.0-20180307165137-3d5202aec260/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI= +github.com/containerd/fifo v0.0.0-20190226154929-a9fb20d87448/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI= +github.com/containerd/fifo v0.0.0-20200410184934-f15a3290365b/go.mod h1:jPQ2IAeZRCYxpS/Cm1495vGFww6ecHmMk1YJH2Q5ln0= +github.com/containerd/fifo v0.0.0-20201026212402-0724c46b320c/go.mod h1:jPQ2IAeZRCYxpS/Cm1495vGFww6ecHmMk1YJH2Q5ln0= +github.com/containerd/fifo v0.0.0-20210316144830-115abcc95a1d/go.mod h1:ocF/ME1SX5b1AOlWi9r677YJmCPSwwWnQ9O123vzpE4= +github.com/containerd/fifo v1.0.0/go.mod h1:ocF/ME1SX5b1AOlWi9r677YJmCPSwwWnQ9O123vzpE4= +github.com/containerd/fifo v1.1.0/go.mod h1:bmC4NWMbXlt2EZ0Hc7Fx7QzTFxgPID13eH0Qu+MAb2o= +github.com/containerd/go-cni v1.0.1/go.mod h1:+vUpYxKvAF72G9i1WoDOiPGRtQpqsNW/ZHtSlv++smU= +github.com/containerd/go-cni v1.0.2/go.mod h1:nrNABBHzu0ZwCug9Ije8hL2xBCYh/pjfMb1aZGrrohk= +github.com/containerd/go-cni v1.1.0/go.mod h1:Rflh2EJ/++BA2/vY5ao3K6WJRR/bZKsX123aPk+kUtA= +github.com/containerd/go-cni v1.1.3/go.mod h1:Rflh2EJ/++BA2/vY5ao3K6WJRR/bZKsX123aPk+kUtA= +github.com/containerd/go-cni v1.1.6/go.mod h1:BWtoWl5ghVymxu6MBjg79W9NZrCRyHIdUtk4cauMe34= +github.com/containerd/go-cni v1.1.9/go.mod h1:XYrZJ1d5W6E2VOvjffL3IZq0Dz6bsVlERHbekNK90PM= +github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0= +github.com/containerd/go-runc v0.0.0-20190911050354-e029b79d8cda/go.mod 
h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0= +github.com/containerd/go-runc v0.0.0-20200220073739-7016d3ce2328/go.mod h1:PpyHrqVs8FTi9vpyHwPwiNEGaACDxT/N/pLcvMSRA9g= +github.com/containerd/go-runc v0.0.0-20201020171139-16b287bc67d0/go.mod h1:cNU0ZbCgCQVZK4lgG3P+9tn9/PaJNmoDXPpoJhDR+Ok= +github.com/containerd/go-runc v1.0.0/go.mod h1:cNU0ZbCgCQVZK4lgG3P+9tn9/PaJNmoDXPpoJhDR+Ok= +github.com/containerd/imgcrypt v1.0.1/go.mod h1:mdd8cEPW7TPgNG4FpuP3sGBiQ7Yi/zak9TYCG3juvb0= +github.com/containerd/imgcrypt v1.0.4-0.20210301171431-0ae5c75f59ba/go.mod h1:6TNsg0ctmizkrOgXRNQjAPFWpMYRWuiB6dSF4Pfa5SA= +github.com/containerd/imgcrypt v1.1.1-0.20210312161619-7ed62a527887/go.mod h1:5AZJNI6sLHJljKuI9IHnw1pWqo/F0nGDOuR9zgTs7ow= +github.com/containerd/imgcrypt v1.1.1/go.mod h1:xpLnwiQmEUJPvQoAapeb2SNCxz7Xr6PJrXQb0Dpc4ms= +github.com/containerd/imgcrypt v1.1.3/go.mod h1:/TPA1GIDXMzbj01yd8pIbQiLdQxed5ue1wb8bP7PQu4= +github.com/containerd/imgcrypt v1.1.4/go.mod h1:LorQnPtzL/T0IyCeftcsMEO7AqxUDbdO8j/tSUpgxvo= +github.com/containerd/imgcrypt v1.1.7/go.mod h1:FD8gqIcX5aTotCtOmjeCsi3A1dHmTZpnMISGKSczt4k= +github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= +github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= +github.com/containerd/nri v0.0.0-20201007170849-eb1350a75164/go.mod h1:+2wGSDGFYfE5+So4M5syatU0N0f0LbWpuqyMi4/BE8c= +github.com/containerd/nri v0.0.0-20210316161719-dbaa18c31c14/go.mod h1:lmxnXF6oMkbqs39FiCt1s0R2HSMhcLel9vNL3m4AaeY= +github.com/containerd/nri v0.1.0/go.mod h1:lmxnXF6oMkbqs39FiCt1s0R2HSMhcLel9vNL3m4AaeY= +github.com/containerd/nri v0.3.0/go.mod h1:Zw9q2lP16sdg0zYybemZ9yTDy8g7fPCIB3KXOGlggXI= +github.com/containerd/stargz-snapshotter/estargz v0.4.1/go.mod h1:x7Q9dg9QYb4+ELgxmo4gBUeJB0tl5dqH1Sdz0nJU1QM= +github.com/containerd/stargz-snapshotter/estargz v0.12.1/go.mod h1:12VUuCq3qPq4y8yUW+l5w3+oXV3cx2Po3KSe/SmPGqw= +github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de/go.mod 
h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o= +github.com/containerd/ttrpc v0.0.0-20190828172938-92c8520ef9f8/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o= +github.com/containerd/ttrpc v0.0.0-20191028202541-4f1b8fe65a5c/go.mod h1:LPm1u0xBw8r8NOKoOdNMeVHSawSsltak+Ihv+etqsE8= +github.com/containerd/ttrpc v1.0.1/go.mod h1:UAxOpgT9ziI0gJrmKvgcZivgxOp8iFPSk8httJEt98Y= +github.com/containerd/ttrpc v1.0.2/go.mod h1:UAxOpgT9ziI0gJrmKvgcZivgxOp8iFPSk8httJEt98Y= +github.com/containerd/ttrpc v1.1.0/go.mod h1:XX4ZTnoOId4HklF4edwc4DcqskFZuvXB1Evzy5KFQpQ= +github.com/containerd/ttrpc v1.1.1-0.20220420014843-944ef4a40df3/go.mod h1:YYyNVhZrTMiaf51Vj6WhAJqJw+vl/nzABhj8pWrzle4= +github.com/containerd/ttrpc v1.2.1/go.mod h1:sIT6l32Ph/H9cvnJsfXM5drIVzTr5A2flTf1G5tYZak= +github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc= +github.com/containerd/typeurl v0.0.0-20190911142611-5eb25027c9fd/go.mod h1:GeKYzf2pQcqv7tJ0AoCuuhtnqhva5LNU3U+OyKxxJpk= +github.com/containerd/typeurl v1.0.1/go.mod h1:TB1hUtrpaiO88KEK56ijojHS1+NeF0izUACaJW2mdXg= +github.com/containerd/typeurl v1.0.2/go.mod h1:9trJWW2sRlGub4wZJRTW83VtbOLS6hwcDZXTn6oPz9s= +github.com/containerd/typeurl/v2 v2.1.0/go.mod h1:IDp2JFvbwZ31H8dQbEIY7sDl2L3o3HZj1hsSQlywkQ0= +github.com/containerd/zfs v0.0.0-20200918131355-0a33824f23a2/go.mod h1:8IgZOBdv8fAgXddBT4dBXJPtxyRsejFIpXoklgxgEjw= +github.com/containerd/zfs v0.0.0-20210301145711-11e8f1707f62/go.mod h1:A9zfAbMlQwE+/is6hi0Xw8ktpL+6glmqZYtevJgaB8Y= +github.com/containerd/zfs v0.0.0-20210315114300-dde8f0fda960/go.mod h1:m+m51S1DvAP6r3FcmYCp54bQ34pyOwTieQDNRIRHsFY= +github.com/containerd/zfs v0.0.0-20210324211415-d5c4544f0433/go.mod h1:m+m51S1DvAP6r3FcmYCp54bQ34pyOwTieQDNRIRHsFY= +github.com/containerd/zfs v1.0.0/go.mod h1:m+m51S1DvAP6r3FcmYCp54bQ34pyOwTieQDNRIRHsFY= +github.com/containernetworking/cni v0.7.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY= +github.com/containernetworking/cni v0.8.0/go.mod 
h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY= +github.com/containernetworking/cni v0.8.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY= +github.com/containernetworking/cni v1.0.1/go.mod h1:AKuhXbN5EzmD4yTNtfSsX3tPcmtrBI6QcRV0NiNt15Y= +github.com/containernetworking/cni v1.1.1/go.mod h1:sDpYKmGVENF3s6uvMvGgldDWeG8dMxakj/u+i9ht9vw= +github.com/containernetworking/cni v1.1.2/go.mod h1:sDpYKmGVENF3s6uvMvGgldDWeG8dMxakj/u+i9ht9vw= +github.com/containernetworking/plugins v0.8.6/go.mod h1:qnw5mN19D8fIwkqW7oHHYDHVlzhJpcY6TQxn/fUyDDM= +github.com/containernetworking/plugins v0.9.1/go.mod h1:xP/idU2ldlzN6m4p5LmGiwRDjeJr6FLK6vuiUwoH7P8= +github.com/containernetworking/plugins v1.0.1/go.mod h1:QHCfGpaTwYTbbH+nZXKVTxNBDZcxSOplJT5ico8/FLE= +github.com/containernetworking/plugins v1.1.1/go.mod h1:Sr5TH/eBsGLXK/h71HeLfX19sZPp3ry5uHSkI4LPxV8= +github.com/containernetworking/plugins v1.2.0/go.mod h1:/VjX4uHecW5vVimFa1wkG4s+r/s9qIfPdqlLF4TW8c4= +github.com/containers/ocicrypt v1.0.1/go.mod h1:MeJDzk1RJHv89LjsH0Sp5KTY3ZYkjXO/C+bKAeWFIrc= +github.com/containers/ocicrypt v1.1.0/go.mod h1:b8AOe0YR67uU8OqfVNcznfFpAzu3rdgUV4GP9qXPfu4= +github.com/containers/ocicrypt v1.1.1/go.mod h1:Dm55fwWm1YZAjYRaJ94z2mfZikIyIN4B0oB3dj3jFxY= +github.com/containers/ocicrypt v1.1.2/go.mod h1:Dm55fwWm1YZAjYRaJ94z2mfZikIyIN4B0oB3dj3jFxY= +github.com/containers/ocicrypt v1.1.3/go.mod h1:xpdkbVAuaH3WzbEabUd5yDsl9SwJA5pABH85425Es2g= +github.com/containers/ocicrypt v1.1.6/go.mod h1:WgjxPWdTJMqYMjf3M6cuIFFA1/MpyyhIM99YInA+Rvc= +github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= +github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= +github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= +github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= +github.com/coreos/go-iptables v0.4.5/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU= 
+github.com/coreos/go-iptables v0.5.0/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU= +github.com/coreos/go-iptables v0.6.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q= +github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= +github.com/coreos/go-oidc/v3 v3.10.0 h1:tDnXHnLyiTVyT/2zLDGj09pFPkhND8Gl8lnTRhoEaJU= +github.com/coreos/go-oidc/v3 v3.10.0/go.mod h1:5j11xcw0D3+SGxn6Z/WFADsgcWVMyNAlSQupk0KK3ac= +github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-systemd v0.0.0-20161114122254-48702e0da86b/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/go-systemd/v22 v22.0.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk= +github.com/coreos/go-systemd/v22 v22.1.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk= +github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= +github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= +github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/coreos/pkg v0.0.0-20230601102743-20bbbf26f4d8 h1:NrLmX9HDyGvQhyZdrDx89zCvPdxQ/EHCo+xGNrjNmHc= +github.com/coreos/pkg v0.0.0-20230601102743-20bbbf26f4d8/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/cpuguy83/go-md2man 
v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= +github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= -github.com/crossplane/crossplane-runtime v0.20.0 h1:MlPNrK6ELKLQdeHaIdKxQpZW2LSivSYXxHKVfU32auU= -github.com/crossplane/crossplane-runtime v0.20.0/go.mod h1:FuKIC8Mg8hE2gIAMyf2wCPkxkFPz+VnMQiYWBq1/p5A= -github.com/crossplane/crossplane-tools v0.0.0-20230714144037-2684f4bc7638 h1:NPbGG7jLyM+LbSMFQXilM70EOxbxk4z2CFvdSRtxc1s= -github.com/crossplane/crossplane-tools v0.0.0-20230714144037-2684f4bc7638/go.mod h1:+e4OaFlOcmr0JvINHl/yvEYBrZawzTgj6pQumOH1SS0= -github.com/dave/jennifer v1.4.1 h1:XyqG6cn5RQsTj3qlWQTKlRGAyrTcsk1kUmWdZBzRjDw= -github.com/dave/jennifer v1.4.1/go.mod h1:7jEdnm+qBcxl8PC0zyp7vxcpSRnzXSt9r39tpTVGlwA= +github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= +github.com/crossplane/crossplane-runtime v1.16.0 h1:lz+l0wEB3qowdTmN7t0PZkfuNSvfOoEhQrEYFbYqMow= +github.com/crossplane/crossplane-runtime v1.16.0/go.mod h1:Pz2tdGVMF6KDGzHZOkvKro0nKc8EzK0sb/nSA7pH4Dc= +github.com/crossplane/crossplane-tools v0.0.0-20240522174801-1ad3d4c87f21 h1:8wb7/zCbVPkeX68WbVESWJmSWQE5SZKzz0g9X4FlXRw= +github.com/crossplane/crossplane-tools v0.0.0-20240522174801-1ad3d4c87f21/go.mod h1:cN0Y7PFGQMM8mcagXVCbeQoKtipmFWQTPZYyziCPBUI= 
+github.com/crossplane/upjet v1.4.1-0.20240911184956-3afbb7796d46 h1:2IH1YPTBrNmBj0Z1OCjEBTrQCuRaLutZbWLaswFeCFQ= +github.com/crossplane/upjet v1.4.1-0.20240911184956-3afbb7796d46/go.mod h1:wkdZf/Cvhr6PI30VdHIOjg4dX39Z5uijqnLWFk5PbGM= +github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4= +github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= +github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg= +github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= +github.com/d2g/dhcp4 v0.0.0-20170904100407-a1d1b6c41b1c/go.mod h1:Ct2BUK8SB0YC1SMSibvLzxjeJLnrYEVLULFNiHY9YfQ= +github.com/d2g/dhcp4client v1.0.0/go.mod h1:j0hNfjhrt2SxUOw55nL0ATM/z4Yt3t2Kd1mW34z5W5s= +github.com/d2g/dhcp4server v0.0.0-20181031114812-7d4a0a7f59a5/go.mod h1:Eo87+Kg/IX2hfWJfwxMzLyuSZyxSoAug2nGa1G2QAi8= +github.com/d2g/hardwareaddr v0.0.0-20190221164911-e7d9fbe030e4/go.mod h1:bMl4RjIciD2oAxI7DmWRx6gbeqrkoLqv3MV0vzNad+I= +github.com/danieljoos/wincred v1.1.0/go.mod h1:XYlo+eRTsVA9aHGp7NGjFkPla4m+DCL7hqDjlFjiygg= +github.com/danieljoos/wincred v1.1.2/go.mod h1:GijpziifJoIBfYh+S7BbkdUTU4LfM+QnGqR5Vl2tAx0= +github.com/dave/jennifer v1.7.0 h1:uRbSBH9UTS64yXbh4FrMHfgfY762RD+C7bUPKODpSJE= +github.com/dave/jennifer v1.7.0/go.mod h1:nXbxhEmQfOZhWml3D1cDK5M1FLnMSozpbFN/m3RmGZc= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod 
h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc= +github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.0-20210816181553-5444fa50b93d/go.mod h1:tmAIfUFEirG/Y8jhZ9M+h36obRZAk/1fcSpXwAVlfqE= +github.com/denisenkom/go-mssqldb v0.12.3 h1:pBSGx9Tq67pBOTLmxNuirNTeB8Vjmf886Kx+8Y+8shw= +github.com/denisenkom/go-mssqldb v0.12.3/go.mod h1:k0mtMFOnU+AihqFxPMiF05rtiDrorD1Vrm1KEz5hxDo= +github.com/denverdino/aliyungo v0.0.0-20190125010748-a747050bb1ba/go.mod h1:dV8lFg6daOBZbT6/BDGIz6Y3WFGn8juu6G+CQ6LHtl0= +github.com/dgraph-io/badger/v3 v3.2103.2/go.mod h1:RHo4/GmYcKKh5Lxu63wLEMHJ70Pac2JqZRYGhlyAo2M= +github.com/dgraph-io/ristretto v0.1.0/go.mod h1:fux0lOrBhrVCJd3lcTHsIJhq1T2rokOu6v9Vcb3Q9ug= +github.com/dgrijalva/jwt-go v0.0.0-20170104182250-a601269ab70c/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw= +github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw= +github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= +github.com/distribution/distribution/v3 v3.0.0-20220526142353-ffbd94cbe269/go.mod h1:28YO/VJk9/64+sTGNuYaBjWxrXTPrj0C0XmgTIOjxX4= +github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= +github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= +github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E= +github.com/dnaeon/go-vcr v1.1.0/go.mod h1:M7tiix8f0r6mKKJ3Yq/kqU1OYf3MnfmBWVbPx/yU9ko= +github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ= +github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli 
v20.10.17+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v20.10.20+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v24.0.7+incompatible h1:wa/nIwYFW7BVTGa7SWPVyyXU9lgORqUb1xfI36MSkFg= +github.com/docker/cli v24.0.7+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/distribution v0.0.0-20190905152932-14b96e55d84c/go.mod h1:0+TTO4EOBfRPhZXAeF1Vu+W3hHZ8eLp8PgKVZlcvtFY= +github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= +github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= +github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= +github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= +github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v20.10.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v20.10.17+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v20.10.20+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v24.0.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v24.0.9+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v25.0.6+incompatible h1:5cPwbwriIcsua2REJe8HqQV+6WlWc1byg2QSXzBxBGg= +github.com/docker/docker v25.0.6+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y= +github.com/docker/docker-credential-helpers v0.6.4/go.mod h1:ofX3UI0Gz1TteYBjtgs07O36Pyasyp66D2uKT7H8W1c= 
+github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0= +github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= +github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= +github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc= +github.com/docker/go-events v0.0.0-20170721190031-9461782956ad/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA= +github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA= +github.com/docker/go-metrics v0.0.0-20180209012529-399ea8c73916/go.mod h1:/u0gXw0Gay3ceNrsHubL3BtdOL2fHf93USgMTe0W5dI= +github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw= +github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= +github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4= +github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= +github.com/docker/libtrust v0.0.0-20150114040149-fa567046d9b1/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE= +github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= -github.com/emicklei/go-restful/v3 v3.10.2 h1:hIovbnmBTLjHXkqEBUz3HGpXZdM7ZrE9fJIZIqlJLqE= -github.com/emicklei/go-restful/v3 v3.10.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= +github.com/elazarl/goproxy 
v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= +github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/emicklei/go-restful/v3 v3.8.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.10.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= +github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc= +github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= +github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= +github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= +github.com/envoyproxy/go-control-plane 
v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE= +github.com/envoyproxy/go-control-plane v0.10.3/go.mod h1:fJJn/j26vwOu972OllsvAgJJM//w9BV6Fxbg2LuVd34= +github.com/envoyproxy/go-control-plane v0.11.0/go.mod h1:VnHyVMpzcLvCFt9yUz1UnCwHLhwx1WguiVDV7pTG/tI= +github.com/envoyproxy/go-control-plane v0.11.1-0.20230524094728-9239064ad72f/go.mod h1:sfYdkwUW4BA3PbKjySwjJy+O4Pu0h62rlqCMHNk+K+Q= +github.com/envoyproxy/go-control-plane v0.11.1/go.mod h1:uhMcXKCQMEJHiAb0w+YGefQLaTEw+YhGluxZkrTmD0g= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= -github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84= -github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww= +github.com/envoyproxy/protoc-gen-validate v0.6.7/go.mod h1:dyJXwwfPK2VSqiB9Klm1J6romD608Ba7Hij42vrOBCo= +github.com/envoyproxy/protoc-gen-validate v0.9.1/go.mod h1:OKNgG7TCp5pF4d6XftA0++PMirau2/yoOwVac3AbF2w= +github.com/envoyproxy/protoc-gen-validate v0.10.0/go.mod h1:DRjgyB0I43LtJapqN6NiRwroiAU2PaFuvk/vjgh61ss= +github.com/envoyproxy/protoc-gen-validate v0.10.1/go.mod h1:DRjgyB0I43LtJapqN6NiRwroiAU2PaFuvk/vjgh61ss= +github.com/envoyproxy/protoc-gen-validate v1.0.1/go.mod h1:0vj8bNkYbSTNS2PIyH87KZaeN4x9zpL9Qt8fQC7d+vs= +github.com/envoyproxy/protoc-gen-validate v1.0.2 h1:QkIBuU5k+x7/QXPvPPnWXWlCdaBFApVqftFV6k087DA= +github.com/envoyproxy/protoc-gen-validate v1.0.2/go.mod h1:GpiZQP3dDbg4JouG/NNS7QWXpgx6x8QiMKdmN72jogE= +github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch v4.11.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U= 
+github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch/v5 v5.5.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= +github.com/evanphx/json-patch/v5 v5.8.0 h1:lRj6N9Nci7MvzrXuX6HFzU8XjmhPiXPlsKEy1u0KQro= +github.com/evanphx/json-patch/v5 v5.8.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= github.com/fatih/camelcase v1.0.0 h1:hxNvNX/xYBp0ovncs8WyWZrOrpBNub/JfaMvbURyft8= github.com/fatih/camelcase v1.0.0/go.mod h1:yN2Sb0lFhZJUdVvtELVWefmrXpuZESvPmqwoZc+/fpc= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= -github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs= -github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw= -github.com/flowstack/go-jsonschema v0.1.1/go.mod h1:yL7fNggx1o8rm9RlgXv7hTBWxdBM0rVwpMwimd3F3N0= -github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= +github.com/fatih/color v1.14.1/go.mod h1:2oHN61fhTpgcxD3TSWCgKDiH1+x4OiDVVGH8WlgGZGg= +github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= +github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= +github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo= +github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M= +github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +github.com/felixge/httpsnoop v1.0.2/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= +github.com/felixge/httpsnoop 
v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +github.com/fogleman/gg v1.2.1-0.20190220221249-0403632d5b90/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k= +github.com/fogleman/gg v1.3.0/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k= +github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= +github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= +github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g= +github.com/foxcpp/go-mockdns v0.0.0-20210729171921-fb145fc6f897/go.mod h1:lgRN6+KxQBawyIghpnl5CezHFGS9VLzvtVlwxvzXTQ4= +github.com/frankban/quicktest v1.10.0/go.mod h1:ui7WezCLWMWxVWr1GETZY3smRy0G4KWq9vcPtJmFl7Y= +github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k= +github.com/frankban/quicktest v1.13.0/go.mod h1:qLE0fzW0VuyUAJgPU19zByoIr0HtCHN/r/VLSOOIySU= +github.com/frankban/quicktest v1.14.0/go.mod h1:NeW+ay9A/U67EYXNFA1nPE8e/tnQv/09mUdL/ijj8og= +github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= +github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= +github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5Ai1i3InKU= +github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU= github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= +github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= +github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= +github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa/go.mod 
h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA= +github.com/fxamacker/cbor/v2 v2.4.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo= +github.com/garyburd/redigo v0.0.0-20150301180006-535138d7bcd7/go.mod h1:NR3MbYisc3/PwhQ00EMzDiPmrwpPxAn5GI05/YaO1SY= +github.com/getkin/kin-openapi v0.76.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSyhcnluiMv+Xg= +github.com/getsentry/raven-go v0.2.0/go.mod h1:KungGk8q33+aIAZUIVWZDr2OfAEBsO49PX4NzFV5kcQ= +github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/go-asn1-ber/asn1-ber v1.3.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= +github.com/go-asn1-ber/asn1-ber v1.5.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= +github.com/go-asn1-ber/asn1-ber v1.5.4/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= +github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA= +github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= +github.com/go-fonts/dejavu v0.1.0/go.mod h1:4Wt4I4OU2Nq9asgDCteaAaWZOV24E+0/Pwo0gppep4g= +github.com/go-fonts/latin-modern v0.2.0/go.mod h1:rQVLdDMK+mK1xscDwsqM5J8U2jrRa3T0ecnM9pNujks= +github.com/go-fonts/liberation v0.1.1/go.mod h1:K6qoJYypsmfVjWg8KOVDQhLc8UDgIK2HYqyqAO9z7GY= +github.com/go-fonts/liberation v0.2.0/go.mod h1:K6qoJYypsmfVjWg8KOVDQhLc8UDgIK2HYqyqAO9z7GY= +github.com/go-fonts/stix v0.1.0/go.mod h1:w/c1f0ldAUlJmLBvlbkvVXLAD+tAMqobIIQpmnUIzUY= +github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI= +github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic= +github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU= +github.com/go-git/go-billy/v5 v5.5.0/go.mod h1:hmexnoNsr2SJU1Ju67OaNz5ASJY3+sHgFRpCtpDCKow= 
+github.com/go-git/go-git/v5 v5.11.0 h1:XIZc1p+8YzypNr34itUfSvYJcv+eYdTnTvOZ2vD3cA4= +github.com/go-git/go-git/v5 v5.11.0/go.mod h1:6GFcX2P3NM7FPBfpePbpLd21XxsgdAt+lKqXmCUiUCY= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= -github.com/go-jose/go-jose/v3 v3.0.0 h1:s6rrhirfEP/CGIoc6p+PZAeogN2SxKav6Wp7+dyMWVo= -github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8= +github.com/go-ini/ini v1.25.4/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8= +github.com/go-ini/ini v1.66.6/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8= +github.com/go-jose/go-jose/v3 v3.0.1/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8= +github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k= +github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ= +github.com/go-jose/go-jose/v4 v4.0.1 h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U= +github.com/go-jose/go-jose/v4 v4.0.1/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY= +github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY= +github.com/go-kit/log v0.2.0/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0= +github.com/go-latex/latex v0.0.0-20210118124228-b3d85cf34e07/go.mod h1:CO1AlKB2CSIqUrmQPqA0gdRIlnLEY0gK5JGjh37zN5U= +github.com/go-latex/latex v0.0.0-20210823091927-c0d11ff05a81/go.mod h1:SX0U8uGpxhq9o2S/CELCSUxEWWAuoCUcVCQWv7G2OCk= +github.com/go-ldap/ldap/v3 v3.1.10/go.mod h1:5Zun81jBTabRaI8lzN7E1JjyEl1g6zI6u9pd8luAK4Q= 
+github.com/go-ldap/ldap/v3 v3.4.1/go.mod h1:iYS1MdmrmceOJ1QOTnRXrIs7i3kloqtmGQjRvjKpyMg= +github.com/go-ldap/ldap/v3 v3.4.4/go.mod h1:fe1MsuN5eJJ1FeLT/LEBVdWfNWKh459R7aXgXtJC+aI= +github.com/go-ldap/ldap/v3 v3.4.6 h1:ert95MdbiG7aWo/oPYp9btL3KJlMPKnP58r09rI8T+A= +github.com/go-ldap/ldap/v3 v3.4.6/go.mod h1:IGMQANNtxpsOzj7uUAMjpGBaOVTC4DYyIy8VsTdxmtc= +github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= +github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= +github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= +github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs= +github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= +github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= +github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= -github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo= -github.com/go-logr/zapr v1.2.4/go.mod h1:FyHWQIzQORZ0QVE1BtVHv3cKtNLuXsbNLtpuhNapBOA= +github.com/go-logr/logr v1.2.1/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= +github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/stdr v1.2.0/go.mod h1:YkVgnZu1ZjjL7xTxrfm/LLZBfkhTqSR1ydtm6jTKKwI= 
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= +github.com/go-logr/zapr v1.2.3/go.mod h1:eIauM6P8qSvTw5o2ez6UEAfGjQKrxQTl5EoK+Qa2oG4= +github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= +github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= +github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= +github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= +github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= +github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= +github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= +github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= +github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= +github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg= +github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXymS4zJbYVCZmcgkasdo= github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= +github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc= +github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo= +github.com/go-openapi/swag 
v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I= +github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= +github.com/go-pdf/fpdf v0.5.0/go.mod h1:HzcnA+A23uwogo0tp9yU+l3V+KXhiESpt1PMayhOh5M= +github.com/go-pdf/fpdf v0.6.0/go.mod h1:HzcnA+A23uwogo0tp9yU+l3V+KXhiESpt1PMayhOh5M= +github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= +github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= +github.com/go-sql-driver/mysql v1.7.1 h1:lUIinVbN1DY0xBg0eMOzmmtGoHwWBbvnWubQUrtU8EI= +github.com/go-sql-driver/mysql v1.7.1/go.mod h1:OXbVy3sEdcQ2Doequ6Z5BW6fXNQTmx+9S1MCJN5yJMI= +github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= +github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= -github.com/go-test/deep v1.0.7 h1:/VSMRlnY/JSyqxQUzQLKVMAskpY/NZKFA5j2P+0pP2M= github.com/go-test/deep v1.0.7/go.mod h1:QV8Hv/iy04NyLBxAdO9njL0iVPN1S4d/A3NVv1V36o8= +github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg= +github.com/go-test/deep v1.1.0/go.mod 
h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE= github.com/gobuffalo/flect v1.0.2 h1:eqjPGSo2WmjgY2XlpGwo2NXgL3RucAKo4k4qQMNA5sA= github.com/gobuffalo/flect v1.0.2/go.mod h1:A5msMlrHtLqh9umBSnvabjsMrCcCpAyzglnDvkbYKHs= +github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= +github.com/goccy/go-json v0.9.7/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I= +github.com/goccy/go-json v0.9.11/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I= +github.com/godbus/dbus v0.0.0-20151105175453-c7fdd8b5cd55/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw= +github.com/godbus/dbus v0.0.0-20180201030542-885f9cc04c9c/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw= +github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4= +github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= +github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= +github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= +github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= +github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= +github.com/gogo/googleapis v1.2.0/go.mod h1:Njal3psf3qN6dwBtQfUmBZh2ybovJ0tlu3o/AC7HYjU= +github.com/gogo/googleapis v1.4.0/go.mod h1:5YRNX2z1oM5gXdAkurHa942MDgEJyk02w4OecKY87+c= +github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= +github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= +github.com/gogo/protobuf v1.3.0/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= +github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/gogo/protobuf v1.3.2 
h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= +github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= +github.com/golang-jwt/jwt/v4 v4.4.3/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= +github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= +github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= +github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= +github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 h1:au07oEsX2xN0ktxqI+Sida1w446QrXBRJ0nee3SNZlA= +github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= +github.com/golang-sql/sqlexp v0.1.0 h1:ZCD6MBpcuOVfGVqsEmY5/4FtYiKz6tSyUv9LPEDei6A= +github.com/golang-sql/sqlexp v0.1.0/go.mod h1:J4ad9Vo8ZCWQ2GMrC4UCQy1JpCbwU9m3EOqtpKwwwHI= +github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4= +github.com/golang/glog v1.1.0/go.mod h1:pfYeQZ3JWZoXTV5sFc986z3HTpwQs9At6P4ImfuP3NQ= +github.com/golang/glog v1.1.2/go.mod h1:zR+okUeTbrL6EL3xHUDxZuEtGv04p5shwip1+mL/rLQ= +github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache 
v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= @@ -152,6 +1854,7 @@ github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= +github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8= github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc= github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs= github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 
@@ -170,14 +1873,25 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= -github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= +github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= +github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/gomodule/redigo v1.8.2/go.mod h1:P9dn9mFrCBvWhGE1wpxx6fgq7BAeLBk+UUUzlpkBYO0= github.com/google/addlicense v0.0.0-20210428195630-6d92264d7170/go.mod h1:EMjYTRimagHs1FwlIqKyX3wAM0u3rA+McvlIIWmSamA= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/gnostic v0.6.9 h1:ZK/5VhkoX835RikCHpSUJV9a+S3e1zLh59YnyWeBW+0= -github.com/google/gnostic v0.6.9/go.mod h1:Nm8234We1lq6iB9OmlgNv3nH91XLLVZHCDayfA3xq+E= +github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= +github.com/google/cel-go v0.12.6/go.mod h1:Jk7ljRzLBhkmiAwBoUxB1sZSCVBAzkqPF25olK/iRDw= +github.com/google/flatbuffers v1.12.1/go.mod 
h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= +github.com/google/flatbuffers v2.0.8+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= +github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ= +github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= +github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 
@@ -186,17 +1900,28 @@ github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE= github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-containerregistry v0.5.1/go.mod h1:Ct15B4yir3PLOP5jsy0GNeYVaIZs/MK/Jz5any1wFW0= +github.com/google/go-containerregistry v0.13.0/go.mod h1:J9FQ+eSS4a1aC2GNZxvNpbWhgp0487v+cgiilB4FqDo= +github.com/google/go-pkcs11 v0.2.0/go.mod h1:6eQoGcuNJpa7jnd5pMGdkSaQpNDYvPlXWMcjXXThLlY= +github.com/google/go-pkcs11 v0.2.1-0.20230907215043-c6f79328ddf9/go.mod h1:6eQoGcuNJpa7jnd5pMGdkSaQpNDYvPlXWMcjXXThLlY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 
github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= +github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= +github.com/google/martian/v3 v3.3.2/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= 
@@ -207,179 +1932,851 @@ github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hf github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20230705174524-200ffdc848b8 h1:n6vlPhxsA+BW/XsS5+uqi7GyzaLa5MH7qlSLBZtRdiA= +github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20240117000934-35fc243c5815 h1:WzfWbQz/Ze8v6l++GGbGNFZnUShVpP/0xffCPLL+ax8= +github.com/google/pprof v0.0.0-20240117000934-35fc243c5815/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= +github.com/google/s2a-go v0.1.0/go.mod h1:OJpEgntRZo8ugHpF9hkoLJbS5dSI20XZeXJ9JVywLlM= +github.com/google/s2a-go v0.1.3/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A= +github.com/google/s2a-go v0.1.4/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A= +github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o= +github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw= 
+github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= +github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= +github.com/google/tink/go v1.7.0/go.mod h1:GAUOd+QE3pgj9q8VKIGTCP33c/B7eb4NhxLcgTJZStM= +github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= +github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8= +github.com/googleapis/enterprise-certificate-proxy v0.1.0/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8= +github.com/googleapis/enterprise-certificate-proxy v0.2.0/go.mod h1:8C0jb7/mgJe/9KK8Lm7X9ctZC2t60YyIpYEI16jx0Qg= +github.com/googleapis/enterprise-certificate-proxy v0.2.1/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k= +github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k= +github.com/googleapis/enterprise-certificate-proxy v0.2.4/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k= +github.com/googleapis/enterprise-certificate-proxy v0.2.5/go.mod h1:RxW0N9901Cko1VOCW3SXCpWP+mlIEkk2tP7jnHy9a3w= 
+github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs= +github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= +github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0= +github.com/googleapis/gax-go/v2 v2.1.1/go.mod h1:hddJymUZASv3XPyGkUpKj8pPO47Rmb0eJc8R6ouapiM= +github.com/googleapis/gax-go/v2 v2.2.0/go.mod h1:as02EH8zWkzwUoLbBaFeQ+arQaj/OthfcblKl4IGNaM= +github.com/googleapis/gax-go/v2 v2.3.0/go.mod h1:b8LNqSzNabLiUpXKkY7HAR5jr6bIT99EXz9pXxye9YM= +github.com/googleapis/gax-go/v2 v2.4.0/go.mod h1:XOTVJ59hdnfJLIP/dh8n5CGryZR2LxK9wbMD5+iXC6c= +github.com/googleapis/gax-go/v2 v2.5.1/go.mod h1:h6B0KMMFNtI2ddbGJn3T3ZbwkeT6yqEF02fYlzkUCyo= +github.com/googleapis/gax-go/v2 v2.6.0/go.mod h1:1mjbznJAPHFpesgE5ucqfYEscaz5kMdcIDwU/6+DDoY= +github.com/googleapis/gax-go/v2 v2.7.0/go.mod h1:TEop28CZZQ2y+c0VxMUmu1lV+fQx57QpBWsYpwqHJx8= +github.com/googleapis/gax-go/v2 v2.7.1/go.mod h1:4orTrqY6hXxxaUL4LHIPl6lGo8vAE38/qKbhSAKP6QI= +github.com/googleapis/gax-go/v2 v2.8.0/go.mod h1:4orTrqY6hXxxaUL4LHIPl6lGo8vAE38/qKbhSAKP6QI= +github.com/googleapis/gax-go/v2 v2.10.0/go.mod h1:4UOEnMCrxsSqQ940WnTiD6qJ63le2ev3xfyagutxiPw= +github.com/googleapis/gax-go/v2 v2.11.0/go.mod h1:DxmR61SGKkGLa2xigwuZIQpkCI2S5iydzRfb3peWZJI= +github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas= +github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU= +github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg= +github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU= +github.com/googleapis/gnostic v0.5.5/go.mod 
h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA= +github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4= github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g= +github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= +github.com/gorilla/handlers v0.0.0-20150720190736-60c7bfde3e33/go.mod h1:Qkdc/uu4tH4g6mTK6auzZ766c4CA0Ng8+o/OAirnOIQ= +github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q= +github.com/gorilla/mux v1.7.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= +github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= +github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= +github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ= +github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4= +github.com/gorilla/sessions v1.2.1 h1:DHd3rPN5lE3Ts3D8rKkQ8x/0kqfeNmBAaiSi+o7FsgI= +github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM= +github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= +github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= +github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= +github.com/gosimple/slug v1.13.1 h1:bQ+kpX9Qa6tHRaK+fZR0A0M2Kd7Pa5eHPPsb1JpHD+Q= +github.com/gosimple/slug v1.13.1/go.mod h1:UiRaFH+GEilHstLUmcBgWcI42viBN7mAb818JrYOeFQ= +github.com/gosimple/unidecode v1.0.1 h1:hZzFTMMqSswvf0LBJZCZgThIZrpDHFXux9KeGmn6T/o= +github.com/gosimple/unidecode v1.0.1/go.mod h1:CP0Cr1Y1kogOtx0bJblKzsVWrqYaqfNOnHzpgWw4Awc= +github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod 
h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= +github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= +github.com/grpc-ecosystem/go-grpc-middleware v1.3.0/go.mod h1:z0ButlSOZa5vEBq9m2m2hlwIgKw+rp3sdCBRoJY+30Y= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= -github.com/haarchri/upjet v0.9.0-rc.0.0.20230801-af46bef5eab5fc8482e02f29e56f5373d02cb4c7 h1:ea6dDCwkpE0eUKdpAhcK8as1pMXJFGsCOcK5E8rb1BQ= -github.com/haarchri/upjet v0.9.0-rc.0.0.20230801-af46bef5eab5fc8482e02f29e56f5373d02cb4c7/go.mod h1:2RXHgpIugCL/S/Use1QJAeVaev901RBeUByQh5gUtGk= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0/go.mod h1:hgWBS7lorOAVIJEQMi4ZsPv9hVvWI6+ch50m39Pf2Ks= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3/go.mod h1:o//XUCC/F+yRGJoPO/VU0GSB0f8Nhgmxx0VIRUvaC0w= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg= +github.com/hashicorp/cap v0.6.0 h1:uOSdbtXu8zsbRyjwpiTy6QiuX3+5paAbNkYlop7QexM= +github.com/hashicorp/cap v0.6.0/go.mod h1:DwzHkoG6pxSARiqwvAgxmCPUpTTCCw2wVuPrIFOzpe0= +github.com/hashicorp/cap/ldap v0.0.0-20240328153749-fcfe271d0227 h1:R5CMNyBNZqODw2DcGaSa2X96AgtLotXsH7aOa07zTTI= +github.com/hashicorp/cap/ldap v0.0.0-20240328153749-fcfe271d0227/go.mod 
h1:Ofp5fMLl1ImcwjNGu9FtEwNOdxA0LYoWpcWQE2vltuI= +github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q= +github.com/hashicorp/consul/api v1.27.0 h1:gmJ6DPKQog1426xsdmgk5iqDyoRiNc+ipBdJOqKQFjc= +github.com/hashicorp/consul/api v1.27.0/go.mod h1:JkekNRSou9lANFdt+4IKx3Za7XY0JzzpQjEb4Ivo1c8= +github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= +github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-checkpoint v0.5.0 h1:MFYpPZCnQqQTE18jFwSII6eUQrD/oxMFp3mlgcqk5mU= +github.com/hashicorp/go-checkpoint v0.5.0/go.mod h1:7nfLNL10NsxqO4iWuW6tWW0HjZuDrwkBuEQsVcpCOgg= +github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= -github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320 h1:1/D3zfFHttUKaCaGKZ/dR2roBXv0vKbSCnssIldfQdI= -github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320/go.mod h1:EiZBMaudVLy8fmjf9Npq1dq9RalhveqZG5w/yz3mHWs= +github.com/hashicorp/go-cty v1.4.1-0.20200723130312-85980079f637 h1:Ud/6/AdmJ1R7ibdS0Wo5MWPj0T1R0fkpaD087bBaW8I= +github.com/hashicorp/go-cty v1.4.1-0.20200723130312-85980079f637/go.mod h1:EiZBMaudVLy8fmjf9Npq1dq9RalhveqZG5w/yz3mHWs= github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= -github.com/hashicorp/go-hclog v1.2.1 
h1:YQsLlGDJgwhXFpucSPyVbCBviQtjlHv3jLTlp8YmtEw= -github.com/hashicorp/go-hclog v1.2.1/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= +github.com/hashicorp/go-hclog v0.14.1/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= +github.com/hashicorp/go-hclog v0.16.2/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= +github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= +github.com/hashicorp/go-hclog v1.6.2/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= +github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k= +github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= +github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= +github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc= +github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= +github.com/hashicorp/go-kms-wrapping/entropy v0.1.0/go.mod h1:d1g9WGtAunDNpek8jUIEJnBlbgKS1N2Q61QkHiZyR1g= +github.com/hashicorp/go-kms-wrapping/entropy/v2 v2.0.0/go.mod h1:xvb32K2keAc+R8DSFG2IwDcydK9DBQE+fGA5fsw6hSk= +github.com/hashicorp/go-kms-wrapping/entropy/v2 v2.0.1 h1:KIge4FHZEDb2/xjaWgmBheCTgRL6HV4sgTfDsH876L8= +github.com/hashicorp/go-kms-wrapping/entropy/v2 v2.0.1/go.mod h1:aHO1EoFD0kBYLBedqxXgalfFT8lrWfP7kpuSoaqGjH0= +github.com/hashicorp/go-kms-wrapping/v2 v2.0.8/go.mod h1:qTCjxGig/kjuj3hk1z8pOUrzbse/GxB1tGfbrq8tGJg= +github.com/hashicorp/go-kms-wrapping/v2 v2.0.16 h1:WZeXfD26QMWYC35at25KgE021SF9L3u9UMHK8fJAdV0= +github.com/hashicorp/go-kms-wrapping/v2 v2.0.16/go.mod h1:ZiKZctjRTLEppuRwrttWkp71VYMbTTCkazK4xT7U/NQ= +github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= +github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:JMRHfdO9jKNzS/+BTlxCjKNQHg/jZAft8U7LloJvN7I= github.com/hashicorp/go-multierror 
v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= -github.com/hashicorp/go-retryablehttp v0.7.1 h1:sUiuQAnLlbvmExtFQs72iFW/HXeUn8Z1aJLQ4LJJbTQ= +github.com/hashicorp/go-plugin v1.4.3/go.mod h1:5fGEH17QVwTTcR0zV7yhDPLLmFX9YSZ38b18Udy6vYQ= +github.com/hashicorp/go-plugin v1.5.1/go.mod h1:w1sAEES3g3PuV/RzUrgow20W2uErMly84hhD3um1WL4= +github.com/hashicorp/go-plugin v1.5.2/go.mod h1:w1sAEES3g3PuV/RzUrgow20W2uErMly84hhD3um1WL4= +github.com/hashicorp/go-plugin v1.6.0 h1:wgd4KxHJTVGGqWBq4QPB1i5BZNEx9BR8+OFmHDmTk8A= +github.com/hashicorp/go-plugin v1.6.0/go.mod h1:lBS5MtSSBZk0SHc66KACcjjlU6WzEVP/8pwz68aMkCI= +github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= +github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= github.com/hashicorp/go-retryablehttp v0.7.1/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= +github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU= +github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk= +github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU= github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc= github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= -github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 h1:om4Al8Oy7kCm/B86rLCLah4Dt5Aa0Fr5rYBG60OzwHQ= +github.com/hashicorp/go-secure-stdlib/awsutil v0.3.0 h1:I8bynUKMh9I7JdwtW9voJ0xmHvBpxQtLjrMFDYmhOxY= +github.com/hashicorp/go-secure-stdlib/awsutil v0.3.0/go.mod h1:oKHSQs4ivIfZ3fbXGQOop1XuDfdSb8RIsWTGaAanSfg= +github.com/hashicorp/go-secure-stdlib/base62 v0.1.1/go.mod 
h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw= +github.com/hashicorp/go-secure-stdlib/base62 v0.1.2 h1:ET4pqyjiGmY09R5y+rSd70J2w45CtbWDNvGqWp/R3Ng= +github.com/hashicorp/go-secure-stdlib/base62 v0.1.2/go.mod h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw= +github.com/hashicorp/go-secure-stdlib/mlock v0.1.1/go.mod h1:zq93CJChV6L9QTfGKtfBxKqD7BqqXx5O04A/ns2p5+I= +github.com/hashicorp/go-secure-stdlib/mlock v0.1.2/go.mod h1:zq93CJChV6L9QTfGKtfBxKqD7BqqXx5O04A/ns2p5+I= +github.com/hashicorp/go-secure-stdlib/mlock v0.1.3 h1:kH3Rhiht36xhAfhuHyWJDgdXXEx9IIZhDGRk24CDhzg= +github.com/hashicorp/go-secure-stdlib/mlock v0.1.3/go.mod h1:ov1Q0oEDjC3+A4BwsG2YdKltrmEw8sf9Pau4V9JQ4Vo= +github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= +github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= +github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8 h1:iBt4Ew4XEGLfh6/bPk4rSYmuZJGizr6/x/AEizP0CQc= +github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8/go.mod h1:aiJI+PIApBRQG7FZTEBx5GiiX+HbOHilUdNxUZi4eV0= +github.com/hashicorp/go-secure-stdlib/password v0.1.1/go.mod h1:9hH302QllNwu1o2TGYtSk8I8kTAN0ca1EHpwhm5Mmzo= +github.com/hashicorp/go-secure-stdlib/plugincontainer v0.2.2/go.mod h1:7xQt0+IfRmzYBLpFx+4MYfLpBdd1PT1VatGKRswf7xE= +github.com/hashicorp/go-secure-stdlib/plugincontainer v0.3.0 h1:KMWpBsC65ZBXDpoxJ0n2/zVfZaZIW73k2d8cy5Dv/Kk= +github.com/hashicorp/go-secure-stdlib/plugincontainer v0.3.0/go.mod h1:qKYwSZ2EOpppko5ud+Sh9TrUgiTAZSaQCr8XWIYXsbM= github.com/hashicorp/go-secure-stdlib/strutil v0.1.1/go.mod h1:gKOamz3EwoIoJq7mlMIRBpVTAUn8qPCrEclOKKWhD3U= github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts= github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4= 
-github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc= +github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.1/go.mod h1:l8slYwnJA26yBz+ErHpp2IRCLr0vuOMGBORIz4rRiAs= +github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.2/go.mod h1:l8slYwnJA26yBz+ErHpp2IRCLr0vuOMGBORIz4rRiAs= +github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.3 h1:xbrxd0U9XQW8qL1BAz2XrAjAF/P2vcqUTAues9c24B8= +github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.3/go.mod h1:LWq2Sy8UoKKuK4lFuCNWSjJj57MhNNf2zzBWMtkAIX4= +github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU= github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A= +github.com/hashicorp/go-sockaddr v1.0.6 h1:RSG8rKU28VTUTvEKghe5gIhIQpv8evvNpnDEyqO4u9I= +github.com/hashicorp/go-sockaddr v1.0.6/go.mod h1:uoUUmtwU7n9Dv3O4SNLeFvg0SxQ3lyjsj6+CCykpaxI= +github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4= +github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8= github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= -github.com/hashicorp/go-version v1.5.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek= github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= 
github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= +github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= +github.com/hashicorp/golang-lru v1.0.2 h1:dV3g9Z/unq5DpblPpw+Oqcv4dU/1omnb4Ok8iPY6p1c= +github.com/hashicorp/golang-lru v1.0.2/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= +github.com/hashicorp/hc-install v0.6.3 h1:yE/r1yJvWbtrJ0STwScgEnCanb0U9v7zp0Gbkmcoxqs= +github.com/hashicorp/hc-install v0.6.3/go.mod h1:KamGdbodYzlufbWh4r9NRo8y6GLHWZP2GBtdnms1Ln0= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM= +github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM= github.com/hashicorp/hcl/v2 v2.9.1/go.mod h1:FwWsfWEjyV/CMj8s/gqAuiviY72rJ1/oayI9WftqcKg= -github.com/hashicorp/hcl/v2 v2.14.1 h1:x0BpjfZ+CYdbiz+8yZTQ+gdLO7IXvOut7Da+XJayx34= -github.com/hashicorp/hcl/v2 v2.14.1/go.mod h1:e4z5nxYlWNPdDSNYX+ph14EvWYMFm3eP0zIUqPc2jr0= +github.com/hashicorp/hcl/v2 v2.19.1 h1://i05Jqznmb2EXqa39Nsvyan2o5XyMowW5fnCKW5RPI= +github.com/hashicorp/hcl/v2 v2.19.1/go.mod h1:ThLC89FV4p9MPW804KVbe/cEXoQ8NZEh+JtMeeGErHE= github.com/hashicorp/logutils v1.0.0 h1:dLEQVugN8vlakKOUE3ihGLTZJRB4j+M2cdTm/ORI65Y= github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= -github.com/hashicorp/terraform-json v0.14.0 h1:sh9iZ1Y8IFJLx+xQiKHGud6/TSUCM0N8e17dKDpqV7s= -github.com/hashicorp/terraform-json v0.14.0/go.mod h1:5A9HIWPkk4e5aeeXIBbkcOvaZbIYnAIkEyqP2pNSckM= -github.com/hashicorp/terraform-plugin-go v0.14.0 h1:ttnSlS8bz3ZPYbMb84DpcPhY4F5DsQtcAS7cHo8uvP4= -github.com/hashicorp/terraform-plugin-go v0.14.0/go.mod h1:2nNCBeRLaenyQEi78xrGrs9hMbulveqG/zDMQSvVJTE= -github.com/hashicorp/terraform-plugin-log v0.7.0 
h1:SDxJUyT8TwN4l5b5/VkiTIaQgY6R+Y2BQ0sRZftGKQs= -github.com/hashicorp/terraform-plugin-log v0.7.0/go.mod h1:p4R1jWBXRTvL4odmEkFfDdhUjHf9zcs/BCoNHAc7IK4= -github.com/hashicorp/terraform-plugin-sdk/v2 v2.24.0 h1:FtCLTiTcykdsURXPt/ku7fYXm3y19nbzbZcUxHx9RbI= -github.com/hashicorp/terraform-plugin-sdk/v2 v2.24.0/go.mod h1:80wf5oad1tW+oLnbXS4UTYmDCrl7BuN1Q+IA91X1a4Y= -github.com/hashicorp/vault/api v1.9.2 h1:YjkZLJ7K3inKgMZ0wzCU9OHqc+UqMQyXsPXnf3Cl2as= -github.com/hashicorp/vault/api v1.9.2/go.mod h1:jo5Y/ET+hNyz+JnKDt8XLAdKs+AM0G5W0Vp1IrFI8N8= +github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= +github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= +github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= +github.com/hashicorp/serf v0.10.1 h1:Z1H2J60yRKvfDYAOZLd2MU0ND4AH/WDz7xYHDWQsIPY= +github.com/hashicorp/serf v0.10.1/go.mod h1:yL2t6BqATOLGc5HF7qbFkTfXoPIY0WZdWHfEvMqbG+4= +github.com/hashicorp/terraform-exec v0.20.0 h1:DIZnPsqzPGuUnq6cH8jWcPunBfY+C+M8JyYF3vpnuEo= +github.com/hashicorp/terraform-exec v0.20.0/go.mod h1:ckKGkJWbsNqFKV1itgMnE0hY9IYf1HoiekpuN0eWoDw= +github.com/hashicorp/terraform-json v0.22.1 h1:xft84GZR0QzjPVWs4lRUwvTcPnegqlyS7orfb5Ltvec= +github.com/hashicorp/terraform-json v0.22.1/go.mod h1:JbWSQCLFSXFFhg42T7l9iJwdGXBYV8fmmD6o/ML4p3A= +github.com/hashicorp/terraform-plugin-framework v1.4.1 h1:ZC29MoB3Nbov6axHdgPbMz7799pT5H8kIrM8YAsaVrs= +github.com/hashicorp/terraform-plugin-framework v1.4.1/go.mod h1:XC0hPcQbBvlbxwmjxuV/8sn8SbZRg4XwGMs22f+kqV0= +github.com/hashicorp/terraform-plugin-go v0.22.0 h1:1OS1Jk5mO0f5hrziWJGXXIxBrMe2j/B8E+DVGw43Xmc= +github.com/hashicorp/terraform-plugin-go v0.22.0/go.mod h1:mPULV91VKss7sik6KFEcEu7HuTogMLLO/EvWCuFkRVE= +github.com/hashicorp/terraform-plugin-log v0.9.0 h1:i7hOA+vdAItN1/7UrfBqBwvYPQ9TFvymaRGZED3FCV0= +github.com/hashicorp/terraform-plugin-log v0.9.0/go.mod h1:rKL8egZQ/eXSyDqzLUuwUYLVdlYeamldAHSxjUFADow= 
+github.com/hashicorp/terraform-plugin-sdk/v2 v2.33.0 h1:qHprzXy/As0rxedphECBEQAh3R4yp6pKksKHcqZx5G8= +github.com/hashicorp/terraform-plugin-sdk/v2 v2.33.0/go.mod h1:H+8tjs9TjV2w57QFVSMBQacf8k/E1XwLXGCARgViC6A= +github.com/hashicorp/terraform-provider-vault v1.9.1-0.20241010163921-0318b6b4523e h1:r57UtE5ZpGHT7kaFmpHGfID7Um+qRyTzTBf/X0gBGKE= +github.com/hashicorp/terraform-provider-vault v1.9.1-0.20241010163921-0318b6b4523e/go.mod h1:OaDITYJLxs4hivabieLyRkxHWeRJ79d0KBbW55kz5+0= +github.com/hashicorp/terraform-registry-address v0.2.3 h1:2TAiKJ1A3MAkZlH1YI/aTVcLZRu7JseiXNRHbOAyoTI= +github.com/hashicorp/terraform-registry-address v0.2.3/go.mod h1:lFHA76T8jfQteVfT7caREqguFrW3c4MFSPhZB7HHgUM= +github.com/hashicorp/terraform-svchost v0.1.1 h1:EZZimZ1GxdqFRinZ1tpJwVxxt49xc/S52uzrw4x0jKQ= +github.com/hashicorp/terraform-svchost v0.1.1/go.mod h1:mNsjQfZyf/Jhz35v6/0LWcv26+X7JPS+buii2c9/ctc= +github.com/hashicorp/vault-plugin-auth-jwt v0.20.3 h1:mLsdorH4m43rBqybHDZKl33rrmc80ens4hSB6E7i9o0= +github.com/hashicorp/vault-plugin-auth-jwt v0.20.3/go.mod h1:1IQjNAZ2z8GdTPM/XizC6eA4X9brnOXiwSoYEOfuDlM= +github.com/hashicorp/vault-plugin-auth-kerberos v0.11.0 h1:XjdH8nqosqgKeAwBptMS7DoXsdi8IKL2fbBSyvL/HRM= +github.com/hashicorp/vault-plugin-auth-kerberos v0.11.0/go.mod h1:xupzh9O6Us6bqKLZ6wfRsjqlf1Mb1TRylKpxZPJd5rA= +github.com/hashicorp/vault-plugin-auth-oci v0.15.1 h1:frikend6vdC09I60qmFkRwBVgXLlBz2qe1869bC5J5s= +github.com/hashicorp/vault-plugin-auth-oci v0.15.1/go.mod h1:i3KYRLQFpAIJuvbXHBMgXzw0563Sp/2mMpAFU5F6Z9I= +github.com/hashicorp/vault/api v1.4.1/go.mod h1:LkMdrZnWNrFaQyYYazWVn7KshilfDidgVBq6YiTq/bM= +github.com/hashicorp/vault/api v1.9.1/go.mod h1:78kktNcQYbBGSrOjQfHjXN32OhhxXnbYl3zxpd2uPUs= +github.com/hashicorp/vault/api v1.11.0/go.mod h1:si+lJCYO7oGkIoNPAN8j3azBLTn9SjMGS+jFaHd1Cck= +github.com/hashicorp/vault/api v1.14.0 h1:Ah3CFLixD5jmjusOgm8grfN9M0d+Y8fVR2SW0K6pJLU= +github.com/hashicorp/vault/api v1.14.0/go.mod h1:pV9YLxBGSz+cItFDd8Ii4G17waWOQ32zVjMWHe/cOqk= 
+github.com/hashicorp/vault/sdk v0.4.1/go.mod h1:aZ3fNuL5VNydQk8GcLJ2TV8YCRVvyaakYkhZRoVuhj0= +github.com/hashicorp/vault/sdk v0.10.2/go.mod h1:VxJIQgftEX7FCDM3i6TTLjrZszAeLhqPicNbCVNRg4I= +github.com/hashicorp/vault/sdk v0.13.0 h1:UmcLF+7r70gy1igU44Suflgio30P2GOL4MkHPhJuiP8= +github.com/hashicorp/vault/sdk v0.13.0/go.mod h1:LxhNTWRG99mXg9xijBCnCnIus+brLC5uFsQUQ4zgOnU= +github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= +github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE= +github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ= +github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/iancoleman/strcase v0.2.0 h1:05I4QRnGpI0m37iZQRuskXh+w77mr6Z41lwQzuHLwW0= github.com/iancoleman/strcase v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/imdario/mergo v0.3.10/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= +github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= +github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= +github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg= github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= 
+github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= +github.com/intel/goresctrl v0.2.0/go.mod h1:+CZdzouYFn5EsxgqAQTEzMfwKwuc0fVdMrT9FCCAVRQ= +github.com/intel/goresctrl v0.3.0/go.mod h1:fdz3mD85cmP9sHD8JUlrNWAxvwM86CrbmVXltEKd7zk= +github.com/j-keck/arping v0.0.0-20160618110441-2cf9dc699c56/go.mod h1:ymszkNOg6tORTn+6F6j+Jc8TOr5osrynvN6ivFWZ2GA= +github.com/j-keck/arping v1.0.2/go.mod h1:aJbELhR92bSk7tp79AWM/ftfc90EfEi2bQJrbBFOsPw= +github.com/jackc/chunkreader v1.0.0/go.mod h1:RT6O25fNZIuasFJRyZ4R/Y2BbhasbmZXF9QQ7T3kePo= +github.com/jackc/chunkreader/v2 v2.0.0/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk= +github.com/jackc/chunkreader/v2 v2.0.1/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk= +github.com/jackc/pgconn v0.0.0-20190420214824-7e0022ef6ba3/go.mod h1:jkELnwuX+w9qN5YIfX0fl88Ehu4XC3keFuOJJk9pcnA= +github.com/jackc/pgconn v0.0.0-20190824142844-760dd75542eb/go.mod h1:lLjNuW/+OfW9/pnVKPazfWOgNfH2aPem8YQ7ilXGvJE= +github.com/jackc/pgconn v0.0.0-20190831204454-2fabfa3c18b7/go.mod h1:ZJKsE/KZfsUgOEh9hBm+xYTstcNHg7UPMVJqRfQxq4s= +github.com/jackc/pgconn v1.8.0/go.mod h1:1C2Pb36bGIP9QHGBYCjnyhqu7Rv3sGshaQUvmfGIB/o= +github.com/jackc/pgconn v1.9.0/go.mod h1:YctiPyvzfU11JFxoXokUOOKQXQmDMoJL9vJzHH8/2JY= +github.com/jackc/pgconn v1.9.1-0.20210724152538-d89c8390a530/go.mod h1:4z2w8XhRbP1hYxkpTuBjTS3ne3J48K83+u0zoyvg2pI= +github.com/jackc/pgconn v1.14.0/go.mod h1:9mBNlny0UvkgJdCDvdVHYSjI+8tD2rnKK69Wz8ti++E= +github.com/jackc/pgio v1.0.0/go.mod h1:oP+2QK2wFfUWgr+gxjoBH9KGBb31Eio69xUb0w5bYf8= +github.com/jackc/pgmock v0.0.0-20190831213851-13a1b77aafa2/go.mod h1:fGZlG77KXmcq05nJLRkk0+p82V8B8Dw8KN2/V9c/OAE= 
+github.com/jackc/pgmock v0.0.0-20201204152224-4fe30f7445fd/go.mod h1:hrBW0Enj2AZTNpt/7Y5rr2xe/9Mn757Wtb2xeBzPv2c= +github.com/jackc/pgmock v0.0.0-20210724152146-4ad1a8207f65/go.mod h1:5R2h2EEX+qri8jOWMbJCtaPWkrrNc7OHwsp2TCqp7ak= +github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg= +github.com/jackc/pgproto3 v1.1.0/go.mod h1:eR5FA3leWg7p9aeAqi37XOTgTIbkABlvcPB3E5rlc78= +github.com/jackc/pgproto3/v2 v2.0.0-alpha1.0.20190420180111-c116219b62db/go.mod h1:bhq50y+xrl9n5mRYyCBFKkpRVTLYJVWeCc+mEAI3yXA= +github.com/jackc/pgproto3/v2 v2.0.0-alpha1.0.20190609003834-432c2951c711/go.mod h1:uH0AWtUmuShn0bcesswc4aBTWGvw0cAxIJp+6OB//Wg= +github.com/jackc/pgproto3/v2 v2.0.0-rc3/go.mod h1:ryONWYqW6dqSg1Lw6vXNMXoBJhpzvWKnT95C46ckYeM= +github.com/jackc/pgproto3/v2 v2.0.0-rc3.0.20190831210041-4c03ce451f29/go.mod h1:ryONWYqW6dqSg1Lw6vXNMXoBJhpzvWKnT95C46ckYeM= +github.com/jackc/pgproto3/v2 v2.0.6/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA= +github.com/jackc/pgproto3/v2 v2.1.1/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA= +github.com/jackc/pgproto3/v2 v2.3.2/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA= +github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b/go.mod h1:vsD4gTJCa9TptPL8sPkXrLZ+hDuNrZCnj29CQpr4X1E= +github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM= +github.com/jackc/pgtype v0.0.0-20190421001408-4ed0de4755e0/go.mod h1:hdSHsc1V01CGwFsrv11mJRHWJ6aifDLfdV3aVjFF0zg= +github.com/jackc/pgtype v0.0.0-20190824184912-ab885b375b90/go.mod h1:KcahbBH1nCMSo2DXpzsoWOAfFkdEtEJpPbVLq8eE+mc= +github.com/jackc/pgtype v0.0.0-20190828014616-a8802b16cc59/go.mod h1:MWlu30kVJrUS8lot6TQqcg7mtthZ9T0EoIBFiJcmcyw= +github.com/jackc/pgtype v1.8.1-0.20210724151600-32e20a603178/go.mod h1:C516IlIV9NKqfsMCXTdChteoXmwgUceqaLfjg2e3NlM= +github.com/jackc/pgtype v1.14.0/go.mod h1:LUMuVrfsFfdKGLw+AFFVv6KtHOFMwRgDDzBt76IqCA4= +github.com/jackc/pgx/v4 
v4.0.0-20190420224344-cc3461e65d96/go.mod h1:mdxmSJJuR08CZQyj1PVQBHy9XOp5p8/SHH6a0psbY9Y= +github.com/jackc/pgx/v4 v4.0.0-20190421002000-1b8f0016e912/go.mod h1:no/Y67Jkk/9WuGR0JG/JseM9irFbnEPbuWV2EELPNuM= +github.com/jackc/pgx/v4 v4.0.0-pre1.0.20190824185557-6972a5742186/go.mod h1:X+GQnOEnf1dqHGpw7JmHqHc1NxDoalibchSk9/RWuDc= +github.com/jackc/pgx/v4 v4.12.1-0.20210724153913-640aa07df17c/go.mod h1:1QD0+tgSXP7iUjYm9C1NxKhny7lq6ee99u/z+IHFcgs= +github.com/jackc/pgx/v4 v4.18.1/go.mod h1:FydWkUyadDmdNH/mHnGob881GawxeEm7TcMCzkb+qQE= +github.com/jackc/puddle v0.0.0-20190413234325-e4ced69a3a2b/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk= +github.com/jackc/puddle v0.0.0-20190608224051-11cab39313c9/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk= +github.com/jackc/puddle v1.1.3/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk= +github.com/jackc/puddle v1.3.0/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk= +github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= +github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= +github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8= +github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs= +github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo= +github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM= +github.com/jcmturner/gofork v1.7.6 h1:QH0l3hzAU1tfT3rZCnW5zXl+orbkNMMRGJfdJjHVETg= +github.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nDd82IeqRo= +github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o= +github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg= +github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh687T8= 
+github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs= +github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY= +github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= +github.com/jhump/gopoet v0.0.0-20190322174617-17282ff210b3/go.mod h1:me9yfT6IJSlOL3FCfrg+L6yzUEZ+5jW6WHt4Sk+UPUI= +github.com/jhump/gopoet v0.1.0/go.mod h1:me9yfT6IJSlOL3FCfrg+L6yzUEZ+5jW6WHt4Sk+UPUI= +github.com/jhump/goprotoc v0.5.0/go.mod h1:VrbvcYrQOrTi3i0Vf+m+oqQWk9l72mjkJCYo7UvLHRQ= +github.com/jhump/protoreflect v1.6.0/go.mod h1:eaTn3RZAmMBcV0fifFvlm6VHNz3wSkYyXYWUh7ymB74= +github.com/jhump/protoreflect v1.11.0/go.mod h1:U7aMIjN0NWq9swDP7xDdoMfRHb35uiuTd3Z9nFXJf5E= +github.com/jhump/protoreflect v1.15.1 h1:HUMERORf3I3ZdX05WaQ6MIpd/NJ434hTp5YiKgfCL6c= +github.com/jhump/protoreflect v1.15.1/go.mod h1:jD/2GMKKE6OqX8qTjhADU1e6DShO+gavG9e0Q693nKo= +github.com/jimlambrt/gldap v0.1.13 h1:jxmVQn0lfmFbM9jglueoau5LLF/IGRti0SKf0vB753M= +github.com/jimlambrt/gldap v0.1.13/go.mod h1:nlC30c7xVphjImg6etk7vg7ZewHCCvl1dfAhO3ZJzPg= +github.com/jmespath/go-jmespath v0.0.0-20160202185014-0b12d6b521d8/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= +github.com/jmespath/go-jmespath v0.0.0-20160803190731-bd40a432e4c7/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= +github.com/jmespath/go-jmespath v0.3.0/go.mod h1:9QtRXoHjLGCJ5IBSaohpXITPlowMeeYCZ7fLUTSywik= +github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= +github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= +github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= +github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= +github.com/joefitzgerald/rainbow-reporter v0.1.0/go.mod 
h1:481CNgqmVHQZzdIbN52CupLJyoVwB10FQ/IQlF1pdL8= +github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= +github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= +github.com/joshlf/go-acl v0.0.0-20200411065538-eae00ae38531 h1:hgVxRoDDPtQE68PT4LFvNlPz2nBKd3OMlGKIQ69OmR4= +github.com/joshlf/go-acl v0.0.0-20200411065538-eae00ae38531/go.mod h1:fqTUQpVYBvhCNIsMXGl2GE9q6z94DIP6NtFKXCSTVbg= +github.com/joshlf/testutil v0.0.0-20170608050642-b5d8aa79d93d h1:J8tJzRyiddAFF65YVgxli+TyWBi0f79Sld6rJP6CBcY= +github.com/joshlf/testutil v0.0.0-20170608050642-b5d8aa79d93d/go.mod h1:b+Q3v8Yrg5o15d71PSUraUzYb+jWl6wQMSBXSGS/hv0= +github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= +github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= +github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= +github.com/julienschmidt/httprouter v1.2.0/go.mod 
h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= +github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= +github.com/jung-kurt/gofpdf v1.0.0/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes= +github.com/jung-kurt/gofpdf v1.0.3-0.20190309125859-24315acbbda5/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes= +github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8= +github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4= +github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= +github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= +github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/klauspost/asmfmt v1.3.2/go.mod h1:AG8TuvYojzulgDAMCnYn50l/5QV3Bs/tp6j0HLHbNSE= +github.com/klauspost/compress v1.11.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= +github.com/klauspost/compress v1.11.13/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= +github.com/klauspost/compress v1.12.3/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg= +github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= +github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU= +github.com/klauspost/compress v1.15.11/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrDDJnH7hvFVbGM= +github.com/klauspost/compress v1.16.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= +github.com/klauspost/compress v1.16.5/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= +github.com/klauspost/compress v1.17.4 h1:Ej5ixsIri7BrIjBkRZLTo6ghwrEtHFk7ijlczPW4fZ4= +github.com/klauspost/compress 
v1.17.4/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM= +github.com/klauspost/cpuid/v2 v2.0.4/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg= +github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= +github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA= +github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= github.com/kylelemons/godebug 
v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= +github.com/lestrrat-go/backoff/v2 v2.0.8/go.mod h1:rHP/q/r9aT27n24JQLa7JhSQZCKBBOiM/uP402WwN8Y= +github.com/lestrrat-go/blackmagic v1.0.0/go.mod h1:TNgH//0vYSs8VXDCfkZLgIrVTTXQELZffUV0tz3MtdQ= +github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E= +github.com/lestrrat-go/iter v1.0.1/go.mod h1:zIdgO1mRKhn8l9vrZJZz9TUMMFbQbLeTsbqPDrJ/OJc= +github.com/lestrrat-go/jwx v1.2.25/go.mod h1:zoNuZymNl5lgdcu6P7K6ie2QRll5HVfF4xwxBBK1NxY= +github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I= +github.com/lib/pq v0.0.0-20180327071824-d34b9ff171c2/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= +github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= +github.com/lib/pq v1.1.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= +github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= +github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= +github.com/linuxkit/virtsock v0.0.0-20201010232012-f8cee7dfc7a3/go.mod h1:3r6x7q95whyfWQpmGZTu3gk3v2YkMi05HEzl7Tf7YEo= +github.com/lyft/protoc-gen-star v0.6.0/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA= +github.com/lyft/protoc-gen-star v0.6.1/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA= +github.com/lyft/protoc-gen-star/v2 v2.0.1/go.mod h1:RcCdONR2ScXaYnQC5tUzxzlpA3WVYF7/opLeUgcQs/o= +github.com/lyft/protoc-gen-star/v2 v2.0.3/go.mod h1:amey7yeodaJhXSbf/TlLvWiqQfLOSpEk//mLlc+axEk= +github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= +github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= +github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= 
+github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= +github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/marstr/guid v1.1.0/go.mod h1:74gB1z2wpxxInTG6yaqA7KrtM0NZ+RbrcqDvYHefzho= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= +github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ= +github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= +github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4= github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-isatty v0.0.7/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84= github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= github.com/mattn/go-isatty v0.0.14/go.mod 
h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= -github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng= github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= -github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo= +github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= +github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= +github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= +github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= +github.com/mattn/go-shellwords v1.0.3/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o= +github.com/mattn/go-shellwords v1.0.6/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o= +github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y= +github.com/mattn/go-sqlite3 v1.14.14/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU= +github.com/mattn/go-sqlite3 v1.14.15/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg= +github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= +github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= +github.com/matttproud/golang_protobuf_extensions v1.0.2/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= +github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg= +github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k= +github.com/maxbrunsfeld/counterfeiter/v6 
v6.2.2/go.mod h1:eD9eIE7cdwcMi9rYluz88Jz2VyhSmden33/aXg4oVIY= +github.com/microsoft/go-mssqldb v1.5.0/go.mod h1:lmWsjHD8XX/Txr0f8ZqgbEZSC+BZjmEQy/Ms+rLrvho= +github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= +github.com/miekg/dns v1.1.25/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso= +github.com/miekg/dns v1.1.43/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4= +github.com/miekg/pkcs11 v1.0.3/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= +github.com/miekg/pkcs11 v1.1.1/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= +github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8/go.mod h1:mC1jAcsrzbxHt8iiaC+zU4b1ylILSosueou12R++wfY= +github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3/go.mod h1:RagcQ7I8IeTMnF8JTXieKnO4Z6JCsikNEzj0DwauVzE= +github.com/minio/sha256-simd v1.0.0/go.mod h1:OuYzVNI5vcoYIAmbIvHPl3N3jUzVedXbKy5RFepssQM= +github.com/mistifyio/go-zfs v2.1.2-0.20190413222219-f784269be439+incompatible/go.mod h1:8AuVvqP/mXw1px98n46wfvcGfQ4ci2FwoAjKYxuo3Z4= github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= +github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw= github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= +github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc= github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg= +github.com/mitchellh/go-testing-interface v0.0.0-20171004221916-a61a99592b77/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= 
+github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= github.com/mitchellh/go-testing-interface v1.14.1 h1:jrgshOhYAUVNMAJiKbEu7EqAwgJJ2JqpQmpLJOu07cU= github.com/mitchellh/go-testing-interface v1.14.1/go.mod h1:gfgS7OtZj6MA4U1UrDRp04twqAjfvlZyCfX3sDjEym8= github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0= github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0= +github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg= +github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY= +github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mitchellh/mapstructure v1.4.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mitchellh/osext v0.0.0-20151018003038-5e2d6d41470f/go.mod h1:OkQIRizQZAeMln+1tSwduZz7+Af5oFlKirV/MSYes2A= +github.com/mitchellh/pointerstructure v1.2.1 h1:ZhBBeX8tSlRpu/FFhXH4RC4OJzFlqsQhoHZAz4x7TIw= +github.com/mitchellh/pointerstructure v1.2.1/go.mod h1:BRAsLI5zgXmw97Lf6s25bs8ohIXc3tViBH44KcwB2g4= +github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ= 
github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= +github.com/mndrix/tap-go v0.0.0-20171203230836-629fa407e90b/go.mod h1:pzzDgJWZ34fGzaAZGFW22KVZDfyrYW+QABMrWnJBnSs= +github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc= +github.com/moby/patternmatcher v0.5.0 h1:YCZgJOeULcxLw1Q+sVR636pmS7sPEn1Qo2iAN6M7DBo= +github.com/moby/patternmatcher v0.5.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc= +github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= +github.com/moby/sys/mountinfo v0.4.0/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A= +github.com/moby/sys/mountinfo v0.4.1/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A= +github.com/moby/sys/mountinfo v0.5.0/go.mod h1:3bMD3Rg+zkqx8MRYPi7Pyb0Ie97QEBmdxbhnCLlSvSU= +github.com/moby/sys/mountinfo v0.6.2/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI= +github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc= +github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo= +github.com/moby/sys/signal v0.6.0/go.mod h1:GQ6ObYZfqacOwTtlXvcmh9A26dVRul/hbOZn88Kg8Tg= +github.com/moby/sys/signal v0.7.0/go.mod h1:GQ6ObYZfqacOwTtlXvcmh9A26dVRul/hbOZn88Kg8Tg= +github.com/moby/sys/symlink v0.1.0/go.mod h1:GGDODQmbFOjFsXvfLVn3+ZRxkch54RkSiGqsZeMYowQ= +github.com/moby/sys/symlink v0.2.0/go.mod h1:7uZVF2dqJjG/NsClqul95CqKOBRQyYSNnJ6BMgR/gFs= +github.com/moby/sys/user v0.1.0 h1:WmZ93f5Ux6het5iituh9x2zAG7NFY9Aqi49jjE1PaQg= +github.com/moby/sys/user v0.1.0/go.mod h1:fKJhFOnsCN6xZ5gSfbM6zaHGgDJMrqt9/reuj4T7MmU= +github.com/moby/term v0.0.0-20200312100748-672ec06f55cd/go.mod h1:DdlQx2hp0Ss5/fLikoLlEeIYiATotOjgB//nb973jeo= +github.com/moby/term v0.0.0-20201216013528-df9cb8a40635/go.mod h1:FBS0z0QWA44HXygs7VXDUOGoN/1TV3RuWkLO04am3wc= +github.com/moby/term v0.0.0-20210610120745-9d4ed1856297/go.mod h1:vgPCkQMyxTZ7IDy8SXRufE172gr8+K/JE/7hHFxHW3A= 
+github.com/moby/term v0.0.0-20220808134915-39b0c02b01ae/go.mod h1:E2VnQOmVuvZB6UYnnDB0qG5Nq/1tD9acaOpo6xmt0Kw= +github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= +github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/modocache/gover v0.0.0-20171022184752-b58185e213c5/go.mod h1:caMODM3PzxT8aQXRPkAt8xlV/e7d7w8GM5g0fa5F0D8= +github.com/montanaflynn/stats v0.7.0/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow= +github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= +github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= +github.com/mr-tron/base58 v1.2.0/go.mod h1:BinMc/sQntlIE1frQmRFPUoPA1Zkr8VRgBdjWI2mNwc= +github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ= +github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/muvaf/typewriter v0.0.0-20220131201631-921e94e8e8d7 
h1:CxRHKnh1YJXgNKxcos9rrKL6AcmOl1AS/fygmxFDzh4= github.com/muvaf/typewriter v0.0.0-20220131201631-921e94e8e8d7/go.mod h1:SAAdeMEiFXR8LcHffvIdiLI1w243DCH2DuHq7UrA5YQ= -github.com/nsf/jsondiff v0.0.0-20200515183724-f29ed568f4ce h1:RPclfga2SEJmgMmz2k+Mg7cowZ8yv4Trqw9UsJby758= +github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/natefinch/atomic v1.0.1 h1:ZPYKxkqQOx3KZ+RsbnP/YsgvxWQPGxjC0oBt2AhwV0A= +github.com/natefinch/atomic v1.0.1/go.mod h1:N/D/ELrljoqDyT3rZrsUmtsuzvHkeB/wWjHV22AZRbM= +github.com/ncw/swift v1.0.47/go.mod h1:23YIA4yWVnGwv2dQlN4bB7egfYX6YLn0Yo/S6zZO/ZM= +github.com/networkplumbing/go-nft v0.2.0/go.mod h1:HnnM+tYvlGAsMU7yoYwXEVLLiDW9gdMmb5HoGcwpuQs= +github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= +github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= +github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= +github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA= +github.com/oklog/run v1.1.0 h1:GEenZ1cK0+q0+wsJew9qUg/DyD8k3JzYsZAi5gYi2mA= +github.com/oklog/run v1.1.0/go.mod h1:sVPdnTZT1zYwAJeCMu2Th4T21pA3FPOQRfWjQlk7DVU= +github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= +github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= +github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY= +github.com/onsi/ginkgo v0.0.0-20151202141238-7f8ab55aaf3b/go.mod 
h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.10.3/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.12.0/go.mod h1:oUhWkIvk5aDxtKvDDuw8gItl8pKl42LzjC9KZE0HfGg= +github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= +github.com/onsi/ginkgo v1.13.0/go.mod h1:+REjRxOmWfHCjfv9TTWB1jD1Frx4XydAD3zm1lskyM0= +github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= +github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= -github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q= -github.com/onsi/gomega v1.27.7 h1:fVih9JD6ogIiHUN6ePK7HJidyEDpWGVB5mzM7cWNXoU= +github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= +github.com/onsi/ginkgo/v2 v2.1.3/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c= +github.com/onsi/ginkgo/v2 v2.1.4/go.mod h1:um6tUpWM/cxCK3/FK8BXqEiUMUwRgSM4JXG47RKZmLU= +github.com/onsi/ginkgo/v2 v2.1.6/go.mod h1:MEH45j8TBi6u9BMogfbp0stKC5cdGjumZj5Y7AG4VIk= +github.com/onsi/ginkgo/v2 v2.3.0/go.mod h1:Eew0uilEqZmIEZr8JrvYlvOM7Rr6xzTmMV8AyFNU9d0= +github.com/onsi/ginkgo/v2 v2.4.0/go.mod h1:iHkDK1fKGcBoEHT5W7YBq4RFWaQulw+caOMkAt4OrFo= +github.com/onsi/ginkgo/v2 v2.5.0/go.mod h1:Luc4sArBICYCS8THh8v3i3i5CuSZO+RaQRaJoeNwomw= +github.com/onsi/ginkgo/v2 v2.6.1/go.mod h1:yjiuMwPokqY1XauOgju45q3sJt6VzQ/Fict1LFVcsAo= 
+github.com/onsi/ginkgo/v2 v2.14.0 h1:vSmGj2Z5YPb9JwCWT6z6ihcUvDhuXLc3sJiqd3jMKAY= +github.com/onsi/ginkgo/v2 v2.14.0/go.mod h1:JkUdW7JkN0V6rFvsHcJ478egV3XH9NxpD27Hal/PhZw= +github.com/onsi/gomega v0.0.0-20151007035656-2152b45fa28a/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= +github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= +github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= +github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA= +github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= +github.com/onsi/gomega v1.10.3/go.mod h1:V9xEwhxec5O8UDM77eCW8vLymOMltsqPVYWrpDsH8xc= +github.com/onsi/gomega v1.15.0/go.mod h1:cIuvLEne0aoVhAgh/O6ac0Op8WWw9H6eYCriF+tEHG0= +github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= +github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro= +github.com/onsi/gomega v1.20.1/go.mod h1:DtrZpjmvpn2mPm4YWQa0/ALMDj9v4YxLgojwPeREyVo= +github.com/onsi/gomega v1.21.1/go.mod h1:iYAIXgPSaDHak0LCMA+AWBpIKBr8WZicMxnE8luStNc= +github.com/onsi/gomega v1.22.1/go.mod h1:x6n7VNe4hw0vkyYUM4mjIXx3JbLiPaBPNgB7PRQ1tuM= +github.com/onsi/gomega v1.23.0/go.mod h1:Z/NWtiqwBrwUt4/2loMmHL63EDLnYHmVbuBpDr2vQAg= +github.com/onsi/gomega v1.24.0/go.mod h1:Z/NWtiqwBrwUt4/2loMmHL63EDLnYHmVbuBpDr2vQAg= +github.com/onsi/gomega v1.24.1/go.mod h1:3AOiACssS3/MajrniINInwbfOOtfZvplPzuRSmvt1jM= +github.com/onsi/gomega v1.24.2/go.mod h1:gs3J10IS7Z7r7eXRoNJIrNqU4ToQukCJhFtKrWgHWnk= +github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8= +github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= +github.com/open-policy-agent/opa 
v0.42.2/go.mod h1:MrmoTi/BsKWT58kXlVayBb+rYVeaMwuBm3nYAN3923s= +github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= +github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= +github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= +github.com/opencontainers/go-digest v1.0.0-rc1.0.20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= +github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= +github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= +github.com/opencontainers/image-spec v1.0.0/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= +github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= +github.com/opencontainers/image-spec v1.0.2-0.20211117181255-693428a734f5/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= +github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= +github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= +github.com/opencontainers/image-spec v1.1.0-rc2/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ= +github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ= +github.com/opencontainers/image-spec v1.1.0-rc5 h1:Ygwkfw9bpDvs+c9E34SdgGOj41dX/cbdlwvlWt0pnFI= +github.com/opencontainers/image-spec v1.1.0-rc5/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8= +github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= +github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= +github.com/opencontainers/runc 
v1.0.0-rc8.0.20190926000215-3e425f80a8c9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= +github.com/opencontainers/runc v1.0.0-rc9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= +github.com/opencontainers/runc v1.0.0-rc93/go.mod h1:3NOsor4w32B2tC0Zbl8Knk4Wg84SM2ImC1fxBuqJ/H0= +github.com/opencontainers/runc v1.0.2/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0= +github.com/opencontainers/runc v1.1.0/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc= +github.com/opencontainers/runc v1.1.2/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc= +github.com/opencontainers/runc v1.1.4/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg= +github.com/opencontainers/runc v1.1.5/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg= +github.com/opencontainers/runc v1.1.6 h1:XbhB8IfG/EsnhNvZtNdLB0GBw92GYEFvKlhaJk9jUgA= +github.com/opencontainers/runc v1.1.6/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50= +github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= +github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= +github.com/opencontainers/runtime-spec v1.0.2-0.20190207185410-29686dbc5559/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= +github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= +github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= +github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= +github.com/opencontainers/runtime-spec v1.0.3-0.20220825212826-86290f6a00fb/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= +github.com/opencontainers/runtime-spec v1.1.0-rc.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= +github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mod 
h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs= +github.com/opencontainers/runtime-tools v0.9.0/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs= +github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626/go.mod h1:BRHJJd0E+cx42OybVYSgUvZmU0B8P9gZuRXlZUP7TKI= +github.com/opencontainers/selinux v1.6.0/go.mod h1:VVGKuOLlE7v4PJyT6h7mNWvq1rzqiriPsEqVhc+svHE= +github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo= +github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8= +github.com/opencontainers/selinux v1.9.1/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI= +github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI= +github.com/opencontainers/selinux v1.10.1/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI= +github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec= +github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= +github.com/oracle/oci-go-sdk/v59 v59.0.0 h1:+zTvWfj9ZK0OwLRyXjUkZ8dPN3WvkQSRd3iooaOxNVs= +github.com/oracle/oci-go-sdk/v59 v59.0.0/go.mod h1:PWyWRn+xkQxwwmLq/oO03X3tN1tk2vEIE2tFaJmldHM= +github.com/ory/dockertest/v3 v3.10.0 h1:4K3z2VMe8Woe++invjaTB7VRyQXQy5UY+loujO4aNE4= +github.com/ory/dockertest/v3 v3.10.0/go.mod h1:nr57ZbRWMqfsdGdFNLHz5jjNdDb7VVFnzAeW1n5N1Lg= +github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= +github.com/pascaldekloe/goe v0.1.0 h1:cBOtyMzM9HTpWjXfbbunk26uA6nG3a8n06Wieeh0MwY= +github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= +github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc= +github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ= +github.com/pelletier/go-toml v1.2.0/go.mod 
h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= +github.com/pelletier/go-toml v1.8.1/go.mod h1:T2/BmBdy8dvIRq1a/8aqjN41wvWlN4lrapLU/GW4pbc= +github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= +github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= +github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= +github.com/peterh/liner v0.0.0-20170211195444-bf27d3ba8e1d/go.mod h1:xIteQHvHuaLYG9IFj6mSxM0fCKrs34IrEQUhOYuGPHc= +github.com/petermattis/goid v0.0.0-20180202154549-b0b1615b78e5 h1:q2e307iGHPdTGp0hoxKjt1H5pDo6utceo3dQVK3I5XQ= +github.com/petermattis/goid v0.0.0-20180202154549-b0b1615b78e5/go.mod h1:jvVRKCrJTQWu0XVbaOlby/2lO20uSCHEMzzplHXte1o= +github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5/go.mod h1:iIss55rKnNBTvrwdmkUpLnDpZoAHvWaiq5+iMmen4AE= +github.com/phpdave11/gofpdf v1.4.2/go.mod h1:zpO6xFn9yxo3YLyMvW8HcKWVdbNqgIfOOp2dXMnm1mY= +github.com/phpdave11/gofpdi v1.0.12/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI= +github.com/phpdave11/gofpdi v1.0.13/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI= +github.com/pierrec/lz4 v2.5.2+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= +github.com/pierrec/lz4 v2.6.1+incompatible h1:9UY3+iC23yxF0UfGaYrGplQ+79Rg+h/q9FV9ix19jjM= +github.com/pierrec/lz4 v2.6.1+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= +github.com/pierrec/lz4/v4 v4.1.15/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4= +github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4= +github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI= +github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI= +github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ= +github.com/pkg/browser 
v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU= +github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= +github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.8.1-0.20171018195549-f15c970de5b7/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI= github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= -github.com/prometheus/client_golang v1.15.1 h1:8tXpTmJbyH5lydzFPoxSIJ0J46jdh3tylbvM1xCv0LI= -github.com/prometheus/client_golang v1.15.1/go.mod h1:e9yaBhRPU2pPNsZwE+JdQl0KEt1N9XgF6zxWmaC0xOk= +github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= +github.com/pquerna/cachecontrol v0.1.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI= +github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U= +github.com/prometheus/client_golang v0.0.0-20180209125602-c332b6f63c06/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang v0.9.1/go.mod 
h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= +github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= +github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g= +github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU= +github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= +github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= +github.com/prometheus/client_golang v1.11.1/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= +github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY= +github.com/prometheus/client_golang v1.12.2/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY= +github.com/prometheus/client_golang v1.13.0/go.mod h1:vTeo+zgvILHsnnj/39Ou/1fPN5nJFOEMgftOUOmlvYQ= +github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y= +github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk= +github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA= +github.com/prometheus/client_model v0.0.0-20171117100541-99fa1f4be8e5/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY= +github.com/prometheus/client_model v0.2.0/go.mod 
h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w= github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU= -github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY= -github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY= -github.com/prometheus/procfs v0.10.0 h1:UkG7GPYkO4UZyLnyXjaWYcgOSONqwdBqFUT95ugmt6I= -github.com/prometheus/procfs v0.10.0/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM= +github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw= +github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI= +github.com/prometheus/common v0.0.0-20180110214958-89604d197083/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= +github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= +github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc= +github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8bs7vj7HSQ4= +github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= +github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc= +github.com/prometheus/common v0.30.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= +github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= +github.com/prometheus/common v0.37.0/go.mod h1:phzohg0JFMnBEFGxTDbfu3QyL5GI8gTQJFhYO5B3mfA= +github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM= +github.com/prometheus/common v0.45.0/go.mod 
h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY= +github.com/prometheus/procfs v0.0.0-20180125133057-cb4147076ac7/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/prometheus/procfs v0.0.0-20190522114515-bc1a522cf7b1/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ= +github.com/prometheus/procfs v0.0.5/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ= +github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A= +github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= +github.com/prometheus/procfs v0.2.0/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= +github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= +github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= +github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4= +github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= +github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= +github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= +github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= +github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo= +github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo= 
+github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= -github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= +github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc= +github.com/rogpeppe/go-internal v1.8.1/go.mod h1:JeRgkft04UBgHMgCIwADu4Pn6Mtm5d4nPKWu0nJ5d+o= +github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= +github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= +github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= +github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ= +github.com/rs/zerolog v1.13.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU= +github.com/rs/zerolog v1.15.0/go.mod h1:xYTKnLHcpfU2225ny5qZjxnj9NvkumZYjJHlAThCjNc= +github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= +github.com/russross/blackfriday v1.6.0/go.mod h1:ti0ldHuxg49ri4ksnFxlkCfN+hvslNlmVHqNRXXJNAY= +github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/ruudk/golang-pdf417 v0.0.0-20181029194003-1af4ab5afa58/go.mod h1:6lfFZQK844Gfx8o5WFuvpxWRwnSoipWe/p622j1v06w= +github.com/ruudk/golang-pdf417 v0.0.0-20201230142125-a7e3863a1245/go.mod h1:pQAZKsJ8yyVxGRWYNEm9oFB8ieLgKFnamEyDmSA0BRk= +github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/ryanuber/go-glob 
v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= -github.com/sebdah/goldie v1.0.0/go.mod h1:jXP4hmWywNEwZzhMuv2ccnqTSFpuq8iyQhtQdkkZBH4= +github.com/safchain/ethtool v0.0.0-20190326074333-42ed695e3de8/go.mod h1:Z0q5wiBQGYcxhMZ6gUqHn6pYNLypFAvaL3UvgZLR0U4= +github.com/safchain/ethtool v0.0.0-20210803160452-9aa261dae9b1/go.mod h1:Z0q5wiBQGYcxhMZ6gUqHn6pYNLypFAvaL3UvgZLR0U4= +github.com/safchain/ethtool v0.2.0/go.mod h1:WkKB1DnNtvsMlDmQ50sgwowDJV/hGbJSOvJoEXs1AJQ= +github.com/sasha-s/go-deadlock v0.2.0 h1:lMqc+fUb7RrFS3gQLtoQsJ7/6TV/pAIFvBsqX73DK8Y= +github.com/sasha-s/go-deadlock v0.2.0/go.mod h1:StQn567HiB1fF2yJ44N9au7wOhrPS3iZqiDbRupzT10= +github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= +github.com/sclevine/agouti v3.0.0+incompatible/go.mod h1:b4WX9W9L1sfQKXeJf1mUTLZKJ48R1S7H23Ji7oFO5Bw= +github.com/sclevine/spec v1.2.0/go.mod h1:W4J29eT/Kzv7/b9IWLB055Z+qvVC9vt0Arko24q7p+U= +github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= +github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo= +github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg= +github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg= github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= +github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= +github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ= +github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= +github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24/go.mod h1:M+9NzErvs504Cn4c5DxATwIqPbtswREoFCre64PpcG4= +github.com/shopspring/decimal 
v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/sirupsen/logrus v1.0.4-0.20170822132746-89742aefa4b2/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc= +github.com/sirupsen/logrus v1.0.6/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc= +github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= +github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= +github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= +github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= +github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= +github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= +github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= +github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/skeema/knownhosts v1.2.1 h1:SHWdIUa82uGZz+F+47k8SY4QhhI291cXCpopT1lK2AQ= +github.com/skeema/knownhosts v1.2.1/go.mod h1:xYbVRSPxqBZFrdmDyMmsOs+uX1UZC3nTN3ThzgDxUwo= +github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= +github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= +github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= +github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= +github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0= +github.com/sony/gobreaker v0.4.2-0.20210216022020-dd874f9dd33b/go.mod 
h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY= +github.com/sony/gobreaker v0.5.0 h1:dRCvqm0P490vZPmy7ppEk2qCnCieBooFJ+YoXGYB+yg= +github.com/sony/gobreaker v0.5.0/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= -github.com/spf13/afero v1.9.5 h1:stMpOSZFs//0Lv29HduCmli3GUfpFoF3Y1Q/aXj/wVM= -github.com/spf13/afero v1.9.5/go.mod h1:UBogFpq8E9Hx+xc5CNTTEpTnuHVmXDwZcZcE1eb/UhQ= -github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I= -github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0= +github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= +github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= +github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= +github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4= +github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I= +github.com/spf13/afero v1.9.2/go.mod h1:iUV7ddyEEZPO5gA3zD4fJt6iStLlL+Lg4m2cihcDf8Y= +github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8= +github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY= +github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cobra v0.0.2-0.20171109065643-2da4a54c5cee/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= +github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= +github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= +github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE= +github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo= +github.com/spf13/cobra v1.4.0/go.mod h1:Wo4iy3BUC+X2Fybo0PDqwJIv3dNRiZLHQymsfxlB84g= 
+github.com/spf13/cobra v1.5.0/go.mod h1:dWXEIy2H428czQCjInthrTRUg7yKbok+2Qi/yBIJoUM= +github.com/spf13/cobra v1.6.0/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY= +github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0= +github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= +github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= +github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.1-0.20171106142849-4c012f6dcd95/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.2/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= +github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= +github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= +github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980/go.mod h1:AO3tvPzVZ/ayst6UlUKUv6rcPQInYe3IknH3jYhAKu8= github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= +github.com/stretchr/objx v0.0.0-20180129172003-8a3f7159479f/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= github.com/stretchr/objx v0.4.0/go.mod 
h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY= +github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= +github.com/stretchr/testify v0.0.0-20180303142811-b89eecf5ca5d/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= 
@@ -389,74 +2786,314 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= -github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= +github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= +github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= +github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= +github.com/tchap/go-patricia v2.2.6+incompatible/go.mod h1:bmLyhP68RS6kStMGxByiQ23RP/odRBOTVjwp2cDyi6I= +github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k= +github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod 
h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmccombs/hcl2json v0.3.3 h1:+DLNYqpWE0CsOQiEZu+OZm5ZBImake3wtITYxQ8uLFQ= github.com/tmccombs/hcl2json v0.3.3/go.mod h1:Y2chtz2x9bAeRTvSibVRVgbLJhLJXKlUeIvjeVdnm4w= +github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM= +github.com/tv42/httpunix v0.0.0-20191220191345-2ba4b9c3382c/go.mod h1:hzIxponao9Kjc7aWznkXaL4U4TWaDSs8zcsY4Ka08nM= +github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= +github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= +github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= +github.com/urfave/cli v1.19.1/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= +github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= +github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/urfave/cli v1.22.4/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/urfave/cli v1.22.12/go.mod h1:sSBEIC79qR6OvcmsD4U3KABeOTxDqQtdDnaFuUN30b8= +github.com/vbatts/tar-split v0.11.2/go.mod h1:vV3ZuO2yWSVsz+pfFzDG/upWH1JhjOiEaWq6kXyQ3VI= +github.com/vektah/gqlparser/v2 v2.4.5/go.mod h1:flJWIR04IMQPGz+BXLrORkrARBxv/rtyIAFvd/MceW0= +github.com/veraison/go-cose v1.0.0-rc.1/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4= +github.com/vishvananda/netlink v0.0.0-20181108222139-023a6dafdcdf/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk= +github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE= +github.com/vishvananda/netlink v1.1.1-0.20201029203352-d40f9887b852/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho= +github.com/vishvananda/netlink v1.1.1-0.20210330154013-f5de75959ad5/go.mod 
h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho= +github.com/vishvananda/netlink v1.2.1-beta.2/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho= +github.com/vishvananda/netns v0.0.0-20180720170159-13995c7128cc/go.mod h1:ZjcWmFBXmLKZu9Nxj3WKYEafiSqer2rnvPr0en9UNpI= +github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU= +github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0= +github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0= github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk= github.com/vmihailenco/msgpack v4.0.4+incompatible h1:dSLoQfGFAo3F6OoNhwUmLwVgaUXK79GlxNBwueZn0xI= github.com/vmihailenco/msgpack v4.0.4+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk= -github.com/vmihailenco/msgpack/v4 v4.3.12 h1:07s4sz9IReOgdikxLTKNbBdqDMLsjPKXwvCazn8G65U= github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4= -github.com/vmihailenco/tagparser v0.1.1 h1:quXMXlA39OCbd2wAdTsGDlK9RkOk6Wuw+x37wVyIuWY= +github.com/vmihailenco/msgpack/v5 v5.4.1 h1:cQriyiUvjTwOHg8QZaPihLWeRAAVoCpE00IUPn0Bjt8= +github.com/vmihailenco/msgpack/v5 v5.4.1/go.mod h1:GaZTsDaehaPpQVyxrf5mtQlH+pc21PIudVV/E3rRQok= github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI= +github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g= +github.com/vmihailenco/tagparser/v2 v2.0.0/go.mod h1:Wri+At7QHww0WTrCBeu4J6bNtoV6mEfg5OIWRZA9qds= +github.com/willf/bitset v1.1.11-0.20200630133818-d5bec3311243/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4= +github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr3+MjI= +github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= 
+github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM= +github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw= github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= +github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo= +github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= +github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0= github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= +github.com/xeipuuv/gojsonschema v0.0.0-20180618132009-1d523034197f/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs= +github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74= github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= +github.com/xhit/go-str2duration/v2 v2.1.0 h1:lxklc02Drh6ynqX+DdPyp5pCKLUQpRT8bp8Ydu2Bstc= +github.com/xhit/go-str2duration/v2 v2.1.0/go.mod h1:ohY8p+0f07DiV6Em5LKB0s2YpLtXVyJfNt1+BlmyAsU= +github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= +github.com/yashtewari/glob-intersection v0.1.0/go.mod h1:LK7pIC3piUjovexikBbJ26Yml7g8xa5bsjfx2v1fwok= github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark 
v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= +github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.13 h1:fVcFKWvrslecOb/tg+Cc05dkeYx540o0FuFt3nUVDoE= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43/go.mod h1:aX5oPXxHm3bOH+xeAttToC8pqch2ScQN/JoXYupl6xs= +github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50/go.mod h1:NUSPSUX/bi6SeDMUh6brw0nXpxHnc96TguQh0+r/ssA= +github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f/go.mod h1:GlGEuHIJweS1mbCqG+7vt2nvWLzLLnRHbXz5JKd/Qbg= github.com/zclconf/go-cty v1.2.0/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8= github.com/zclconf/go-cty v1.8.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk= github.com/zclconf/go-cty v1.8.1/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk= -github.com/zclconf/go-cty v1.10.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk= -github.com/zclconf/go-cty v1.11.0 h1:726SxLdi2SDnjY+BStqB9J1hNp4+2WlzyXLuimibIe0= -github.com/zclconf/go-cty v1.11.0/go.mod h1:s9IfD1LK5ccNMSWCVFCE2rJfHiZgi7JijgeWIMfhLvA= +github.com/zclconf/go-cty v1.14.4 h1:uXXczd9QDGsgu0i/QFR/hzI5NYCHLf6NQw/atrbnhq8= +github.com/zclconf/go-cty v1.14.4/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE= github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b/go.mod h1:ZRKQfBXbGkpdV6QMzT3rU1kSTAnfu1dO8dPKjYprgj8= +github.com/zclconf/go-cty-yaml v1.0.3 h1:og/eOQ7lvA/WWhHGFETVWNduJM7Rjsv2RRpx1sdFMLc= +github.com/zclconf/go-cty-yaml v1.0.3/go.mod h1:9YLUH4g7lOhVWqUbctnVlZ5KLpg7JAprQNgxSZ1Gyxs= +github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0= +github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA= +github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q= +go.etcd.io/bbolt v1.3.2/go.mod 
h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= +go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= +go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ= +go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4= +go.etcd.io/bbolt v1.3.7/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw= +go.etcd.io/etcd v0.5.0-alpha.5.0.20200910180754-dd1b699fc489/go.mod h1:yVHk9ub3CSBatqGNg7GRmsnfLWtoW60w4eDYfh7vHDg= +go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs= +go.etcd.io/etcd/api/v3 v3.5.5/go.mod h1:KFtNaxGDw4Yx/BA4iPPwevUTAuqcsPxzyX8PHydchN8= +go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g= +go.etcd.io/etcd/client/pkg/v3 v3.5.5/go.mod h1:ggrwbk069qxpKPq8/FKkQ3Xq9y39kbFR4LnKszpRXeQ= +go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ= +go.etcd.io/etcd/client/v2 v2.305.5/go.mod h1:zQjKllfqfBVyVStbt4FaosoX2iYd8fV/GRy/PbowgP4= +go.etcd.io/etcd/client/v3 v3.5.0/go.mod h1:AIKXXVX/DQXtfTEqBryiLTUXwON+GuvO6Z7lLS/oTh0= +go.etcd.io/etcd/client/v3 v3.5.5/go.mod h1:aApjR4WGlSumpnJ2kloS75h6aHUmAyaPLjHMxpc7E7c= +go.etcd.io/etcd/pkg/v3 v3.5.0/go.mod h1:UzJGatBQ1lXChBkQF0AuAtkRQMYnHubxAEYIrC3MSsE= +go.etcd.io/etcd/pkg/v3 v3.5.5/go.mod h1:6ksYFxttiUGzC2uxyqiyOEvhAiD0tuIqSZkX3TyPdaE= +go.etcd.io/etcd/raft/v3 v3.5.0/go.mod h1:UFOHSIvO/nKwd4lhkwabrTD3cqW5yVyYYf/KlD00Szc= +go.etcd.io/etcd/raft/v3 v3.5.5/go.mod h1:76TA48q03g1y1VpTue92jZLr9lIHKUNcYdZOOGyx8rI= +go.etcd.io/etcd/server/v3 v3.5.0/go.mod h1:3Ah5ruV+M+7RZr0+Y/5mNLwC+eQlni+mQmOVdCRJoS4= +go.etcd.io/etcd/server/v3 v3.5.5/go.mod h1:rZ95vDw/jrvsbj9XpTqPrTAB9/kzchVdhRirySPkUBc= +go.etcd.io/gofail v0.1.0/go.mod h1:VZBCXYGZhHAinaBiiqYvuDynvahNsAyLFwB3kEHKz1M= +go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= 
go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= +go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= +go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= +go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= +go.opentelemetry.io/contrib v0.20.0/go.mod h1:G/EtFaa6qaN7+LxqfIAT3GiZa7Wv5DTBUzl5H4LY0Kc= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0/go.mod h1:oVGt1LRbBOBq1A5BQLlUg9UaU/54aiHw8cgjV3aWZ/E= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.25.0/go.mod h1:E5NNboN0UqSAki0Atn9kVwaN7I+l25gGxDqBueo/74E= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.28.0/go.mod h1:vEhqr0m4eTc+DWxfsXoXue2GBgV2uUwVznkGIHW/e5w= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.35.0/go.mod h1:h8TWwRAhQpOd0aM5nYsRD8+flnkj+526GEIVlarH7eY= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.40.0/go.mod h1:UMklln0+MRhZC4e3PwmN3pCtq4DyIadWw4yikh6bNrw= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.47.0 h1:UNQQKPfTDe1J81ViolILjTKPr9WetKW6uei2hFgJmFs= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.47.0/go.mod h1:r9vWsPS/3AQItv3OSlEJ/E4mbrhUbbw18meOjArPtKQ= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.20.0/go.mod h1:2AboqHi0CiIZU0qwhtUfCYD1GeUzvvIXWNkhDt7ZMG4= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.32.0/go.mod h1:5eCOqeGphOyz6TsY3ZDNjE33SM/TFAK3RGuCL2naTgY= 
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.0/go.mod h1:9NiG9I2aHTKkcxqCILhjtyNA1QEiCjdBACv4IvrFQ+c= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.47.0 h1:sv9kVfal0MK0wBMCOGr+HeJm9v803BkJxGrk2au7j08= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.47.0/go.mod h1:SK2UL73Zy1quvRPonmOmRDiWk1KBV3LyIeeIxcEApWw= +go.opentelemetry.io/otel v0.20.0/go.mod h1:Y3ugLH2oa81t5QO+Lty+zXf8zC9L26ax4Nzoxm/dooo= +go.opentelemetry.io/otel v1.0.1/go.mod h1:OPEOD4jIT2SlZPMmwT6FqZz2C0ZNdQqiWcoK6M0SNFU= +go.opentelemetry.io/otel v1.3.0/go.mod h1:PWIKzi6JCp7sM0k9yZ43VX+T345uNbAkDKwHVjb2PTs= +go.opentelemetry.io/otel v1.7.0/go.mod h1:5BdUoMIz5WEs0vt0CUEMtSSaTSHBBVwrhnz7+nrD5xk= +go.opentelemetry.io/otel v1.8.0/go.mod h1:2pkj+iMj0o03Y+cW6/m8Y4WkRdYN3AvCXCnzRMp9yvM= +go.opentelemetry.io/otel v1.10.0/go.mod h1:NbvWjCthWHKBEUMpf0/v8ZRZlni86PpGFEMA9pnQSnQ= +go.opentelemetry.io/otel v1.14.0/go.mod h1:o4buv+dJzx8rohcUeRmWUZhqupFvzWis188WlggnNeU= +go.opentelemetry.io/otel v1.24.0 h1:0LAOdjNmQeSTzGBzduGe/rU4tZhMwL5rWgtp9Ku5Jfo= +go.opentelemetry.io/otel v1.24.0/go.mod h1:W7b9Ozg4nkF5tWI5zsXkaKKDjdVjpD4oAt9Qi/MArHo= +go.opentelemetry.io/otel/exporters/otlp v0.20.0 h1:PTNgq9MRmQqqJY0REVbZFvwkYOA85vbdQU/nVfxDyqg= +go.opentelemetry.io/otel/exporters/otlp v0.20.0/go.mod h1:YIieizyaN77rtLJra0buKiNBOm9XQfkPEKBeuhoMwAM= +go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.3.0/go.mod h1:VpP4/RMn8bv8gNo9uK7/IMY4mtWLELsS+JIP0inH0h4= +go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.7.0/go.mod h1:M1hVZHNxcbkAlcvrOMlpQ4YOO3Awf+4N2dxkZL3xm04= +go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.10.0/go.mod h1:78XhIg8Ht9vR4tbLNUhXsiOnE2HOuSeKAiAcoVQEpOY= +go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.14.0/go.mod h1:UFG7EBMRdXyFstOwH028U0sVf+AvukSGhF0g8+dmNG8= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.0.1/go.mod h1:Kv8liBeVNFkkkbilbgWRpV+wWuu+H5xdOT6HAgd30iw= +go.opentelemetry.io/otel/exporters/otlp/otlptrace 
v1.3.0/go.mod h1:hO1KLR7jcKaDDKDkvI9dP/FIhpmna5lkqPUQdEjFAM8= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.7.0/go.mod h1:ceUgdyfNv4h4gLxHR0WNfDiiVmZFodZhZSbOLhpxqXE= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.10.0/go.mod h1:Krqnjl22jUJ0HgMzw5eveuCvFDXY4nSYb4F8t5gdrag= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.14.0/go.mod h1:HrbCVv40OOLTABmOn1ZWty6CHXkU8DK/Urc43tHug70= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0 h1:Mne5On7VWdx7omSrSSZvM4Kw7cS7NQkOOmLcgscI51U= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0/go.mod h1:IPtUMKL4O3tH5y+iXVyAXqpAwMuzC1IrxVS81rummfE= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.0.1/go.mod h1:xOvWoTOrQjxjW61xtOmD/WKGRYb/P4NzRo3bs65U6Rk= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.3.0/go.mod h1:keUU7UfnwWTWpJ+FWnyqmogPa82nuU5VUANFq49hlMY= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.7.0/go.mod h1:E+/KKhwOSw8yoPxSSuUHG6vKppkvhN+S1Jc7Nib3k3o= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.10.0/go.mod h1:OfUCyyIiDvNXHWpcWgbF+MWvqPZiNa3YDEnivcnYsV0= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.14.0/go.mod h1:5w41DY6S9gZrbjuq6Y+753e96WfPha5IcsOSZTtullM= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.3.0/go.mod h1:QNX1aly8ehqqX1LEa6YniTU7VY9I6R3X/oPxhGdTceE= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.14.0/go.mod h1:+N7zNjIJv4K+DeX67XXET0P+eIciESgaFDBqh+ZJFS4= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.22.0 h1:FyjCyI9jVEfqhUh2MoSkmolPjfh5fp2hnV0b0irxH4Q= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.22.0/go.mod h1:hYwym2nDEeZfG/motx0p7L7J1N1vyzIThemQsb4g2qY= +go.opentelemetry.io/otel/metric v0.20.0/go.mod h1:598I5tYlH1vzBjn+BTuhzTCSb/9debfNp6R3s7Pr1eU= +go.opentelemetry.io/otel/metric v0.30.0/go.mod h1:/ShZ7+TS4dHzDFmfi1kSXMhMVubNoP0oIaBp70J6UXU= +go.opentelemetry.io/otel/metric 
v0.31.0/go.mod h1:ohmwj9KTSIeBnDBm/ZwH2PSZxZzoOaG2xZeekTRzL5A= +go.opentelemetry.io/otel/metric v0.37.0/go.mod h1:DmdaHfGt54iV6UKxsV9slj2bBRJcKC1B1uvDLIioc1s= +go.opentelemetry.io/otel/metric v1.24.0 h1:6EhoGWWK28x1fbpA4tYTOWBkPefTDQnb8WSGXlc88kI= +go.opentelemetry.io/otel/metric v1.24.0/go.mod h1:VYhLe1rFfxuTXLgj4CBiyz+9WYBA8pNGJgDcSFRKBco= +go.opentelemetry.io/otel/oteltest v0.20.0/go.mod h1:L7bgKf9ZB7qCwT9Up7i9/pn0PWIa9FqQ2IQ8LoxiGnw= +go.opentelemetry.io/otel/sdk v0.20.0/go.mod h1:g/IcepuwNsoiX5Byy2nNV0ySUF1em498m7hBWC279Yc= +go.opentelemetry.io/otel/sdk v1.0.1/go.mod h1:HrdXne+BiwsOHYYkBE5ysIcv2bvdZstxzmCQhxTcZkI= +go.opentelemetry.io/otel/sdk v1.3.0/go.mod h1:rIo4suHNhQwBIPg9axF8V9CA72Wz2mKF1teNrup8yzs= +go.opentelemetry.io/otel/sdk v1.7.0/go.mod h1:uTEOTwaqIVuTGiJN7ii13Ibp75wJmYUDe374q6cZwUU= +go.opentelemetry.io/otel/sdk v1.10.0/go.mod h1:vO06iKzD5baltJz1zarxMCNHFpUlUiOy4s65ECtn6kE= +go.opentelemetry.io/otel/sdk v1.14.0/go.mod h1:bwIC5TjrNG6QDCHNWvW4HLHtUQ4I+VQDsnjhvyZCALM= +go.opentelemetry.io/otel/sdk v1.22.0 h1:6coWHw9xw7EfClIC/+O31R8IY3/+EiRFHevmHafB2Gw= +go.opentelemetry.io/otel/sdk v1.22.0/go.mod h1:iu7luyVGYovrRpe2fmj3CVKouQNdTOkxtLzPvPz1DOc= +go.opentelemetry.io/otel/sdk/export/metric v0.20.0/go.mod h1:h7RBNMsDJ5pmI1zExLi+bJK+Dr8NQCh0qGhm1KDnNlE= +go.opentelemetry.io/otel/sdk/metric v0.20.0/go.mod h1:knxiS8Xd4E/N+ZqKmUPf3gTTZ4/0TjTXukfxjzSTpHE= +go.opentelemetry.io/otel/trace v0.20.0/go.mod h1:6GjCW8zgDjwGHGa6GkyeB8+/5vjT16gUEi0Nf1iBdgw= +go.opentelemetry.io/otel/trace v1.0.1/go.mod h1:5g4i4fKLaX2BQpSBsxw8YYcgKpMMSW3x7ZTuYBr3sUk= +go.opentelemetry.io/otel/trace v1.3.0/go.mod h1:c/VDhno8888bvQYmbYLqe41/Ldmr/KKunbvWM4/fEjk= +go.opentelemetry.io/otel/trace v1.7.0/go.mod h1:fzLSB9nqR2eXzxPXb2JW9IKE+ScyXA48yyE4TNvoHqU= +go.opentelemetry.io/otel/trace v1.8.0/go.mod h1:0Bt3PXY8w+3pheS3hQUt+wow8b1ojPaTBoTCh2zIFI4= +go.opentelemetry.io/otel/trace v1.10.0/go.mod h1:Sij3YYczqAdz+EhmGhE6TpTxUO5/F/AzrK+kxfGqySM= +go.opentelemetry.io/otel/trace v1.14.0/go.mod 
h1:8avnQLK+CG77yNLUae4ea2JDQ6iT+gozhnZjy/rw9G8= +go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y1YELI= +go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= +go.opentelemetry.io/proto/otlp v0.9.0/go.mod h1:1vKfU9rv61e9EVGthD1zNvUbiwPcimSsOPU9brfSHJg= +go.opentelemetry.io/proto/otlp v0.11.0/go.mod h1:QpEjXPrNQzrFDZgoTo49dgHR9RYRSrg3NAKnUGl9YpQ= +go.opentelemetry.io/proto/otlp v0.15.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U= +go.opentelemetry.io/proto/otlp v0.16.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U= +go.opentelemetry.io/proto/otlp v0.19.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U= +go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I= +go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM= +go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= +go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= +go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= +go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= +go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= -go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= -go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A= +go.uber.org/automaxprocs v1.5.1/go.mod h1:BF4eumQw0P9GtnuxxovUd06vwm1o18oMzFtK66vU6XU= +go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= +go.uber.org/goleak v1.1.12/go.mod 
h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= +go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4= +go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= +go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= +go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= +go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4= +go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU= go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= -go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60= -go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg= +go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA= +go.uber.org/zap v1.9.1/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= +go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= +go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM= +go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo= +go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI= +go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo= +go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so= +golang.org/x/crypto v0.0.0-20171113213409-9f005a07e0d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181009213950-7c1a557ab941/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod 
h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190411191339-88737f569e3a/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE= golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20201203163018-be400aefbc4c/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= +golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod 
h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= +golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= -golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA= +golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220313003712-b769efc7c000/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod 
h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw= +golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= +golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= +golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0= +golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I= golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio= +golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw= +golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= +golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= +golang.org/x/crypto v0.15.0/go.mod h1:4ChreQoLWfG3xLDer1WdlH5NdlQ3+mwnQq1YTKY+72g= +golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= +golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= +golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI= +golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM= +golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= +golang.org/x/exp 
v0.0.0-20191002040644-a1355ae1e2c3/go.mod h1:NOZ3BPKG0ec/BKJQgnvsSFpcKLM5xXVWnvZS97DWHgE= golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY= golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= +golang.org/x/exp v0.0.0-20220827204233-334a2380cb91/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE= +golang.org/x/exp v0.0.0-20240222234643-814bf88cf225 h1:LfspQV/FYTatPTr/3HzIcmiUFH7PGP+OQ6mgDYo3yuQ= +golang.org/x/exp v0.0.0-20240222234643-814bf88cf225/go.mod h1:CxmFvTBINI24O/j8iY7H1xHzx2i4OsyguNBmN/uPtqc= +golang.org/x/image v0.0.0-20180708004352-c73c2afc3b81/go.mod h1:ux5Hcp/YLpHSI86hEcLt0YII63i6oz57MZXIpbrjZUs= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= +golang.org/x/image v0.0.0-20190910094157-69e4b8554b2a/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= +golang.org/x/image v0.0.0-20200119044424-58c23975cae1/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= +golang.org/x/image v0.0.0-20200430140353-33d19683fad8/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= +golang.org/x/image v0.0.0-20200618115811-c13761719519/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= +golang.org/x/image v0.0.0-20201208152932-35266b937fa6/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= +golang.org/x/image v0.0.0-20210216034530-4410531fe030/go.mod 
h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= +golang.org/x/image v0.0.0-20210607152325-775e3b0c77b9/go.mod h1:023OzeP/+EPmXeapQh35lcL3II3LrY8Ic+EFFKVhULM= +golang.org/x/image v0.0.0-20210628002857-a66eb6448b8d/go.mod h1:023OzeP/+EPmXeapQh35lcL3II3LrY8Ic+EFFKVhULM= +golang.org/x/image v0.0.0-20211028202545-6944b10bf410/go.mod h1:023OzeP/+EPmXeapQh35lcL3II3LrY8Ic+EFFKVhULM= +golang.org/x/image v0.0.0-20220302094943-723b81ca9867/go.mod h1:023OzeP/+EPmXeapQh35lcL3II3LrY8Ic+EFFKVhULM= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= @@ -468,6 +3105,7 @@ golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRu golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= 
@@ -479,21 +3117,45 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc= -golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= +golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= +golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI= +golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.11.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA= +golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/net v0.0.0-20180530234432-1e491301e022/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net 
v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181011144130-49bb7cea24b1/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190619014844-b5b0513f8c1b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod 
h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 
@@ -505,20 +3167,62 @@ golang.org/x/net v0.0.0-20200421231249-e086a090c8fd/go.mod h1:qpuaurCH72eLCgpAm/ golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20201006153459-a7d1128ccaa0/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod 
h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= -golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk= +golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20210520170846-37e1c6afe023/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20210825183410-e898025ed96a/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50= +golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20211216030914-fe4d6282115f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net 
v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.0.0-20220617184016-355a448f1bc9/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= +golang.org/x/net v0.0.0-20221012135044-0b7e1fb9d458/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= +golang.org/x/net v0.0.0-20221014081412-f15817d10f9b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= +golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= +golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= +golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= +golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= +golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws= +golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= +golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= +golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ= golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA= +golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI= +golang.org/x/net v0.16.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= +golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= +golang.org/x/net v0.18.0/go.mod 
h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ= +golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= +golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -528,8 +3232,34 @@ golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8= +golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= +golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= +golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= +golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE= +golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE= +golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= +golang.org/x/oauth2 
v0.0.0-20220909003341-f21342109be1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= +golang.org/x/oauth2 v0.0.0-20221006150949-b44042a4b9c1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= +golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= +golang.org/x/oauth2 v0.1.0/go.mod h1:G9FE4dLTsbXUu90h/Pf85g4w1D+SSAgR+q46nJZ8M4A= +golang.org/x/oauth2 v0.4.0/go.mod h1:RznEsdpjGAINPTOF0UH/t+xJ75L18YO3Ho6Pyn+uRec= +golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I= +golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw= +golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4= golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE= +golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI= +golang.org/x/oauth2 v0.11.0/go.mod h1:LdF7O/8bLR/qWK9DrpXmbHLTouvRHK0SgJl0GmDBchk= +golang.org/x/oauth2 v0.13.0/go.mod h1:/JMhi4ZRXAf4HG9LiNmxvk+45+96RUlVThiH8FzNBn0= +golang.org/x/oauth2 v0.14.0/go.mod h1:lAtNWgaWfL4cm7j2OV8TxGi9Qb7ECORx8DktCY74OwM= +golang.org/x/oauth2 v0.18.0 h1:09qnuIAgzdx1XplqJvW6CQqMCtGZykZWcXzPMPUusvI= +golang.org/x/oauth2 v0.18.0/go.mod h1:Wf7knwG0MPoWIMMBgFlEaSUDaKskp0dCfrlJRJXbBi8= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -541,26 +3271,70 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E= +golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220819030929-7fc1605a5dde/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= +golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= +golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= +golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod 
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190502175342-a43fa875dd82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190514135907-3a4b5fb9f71f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190522044717-8097e1b27ff5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190602015325-4c4f7f33c9ed/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190812073006-9eafafc0a87e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191210023423-ac6580df4449/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200120151820-655fe14d7479/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -568,30 +3342,131 @@ golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200817155316-9781c653f443/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200909081042-eff7692f9009/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200916030750-2334cc1a136f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200922070232-aee5d888a860/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200923182605-d9f96fdee20d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201117170446-d9b008d0a637/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201202213521-69691e467435/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210304124612-50617c2ba197/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210324051608-47abb6519492/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
+golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210816183151-1e6c022a8912/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210819135213-f52c844e1c1c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210903071746-97244b99971b/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220328115105-d36c6a25d886/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220405210540-1e041c57c461/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
+golang.org/x/sys v0.0.0-20220422013727-9388b58f7150/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220502124256-b6088ccd6cba/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220825204002-c680a09ffe64/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220829200755-d48e67d00261/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= +golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c= +golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= +golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA= +golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ= 
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= +golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= +golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY= +golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= +golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo= golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o= +golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU= +golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU= +golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= +golang.org/x/term v0.14.0/go.mod h1:TySc+nGkYR6qt8km8wUhuFRTVSMIX3XPR58y2lC8vww= +golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= +golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= +golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA= +golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -601,28 +3476,66 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4= +golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= +golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= +golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= +golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 
-golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= +golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20220922220347-f3bd1da661af/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.1.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= +golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= +golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20180525024113-a5b4c53f6e8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190206041539-40960b6deb8e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod 
h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190425163242-31fd60d6bfdc/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190624222133-a101b041ded4/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190706070813-72ffa07ba3db/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI= golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190823170909-c4a336ef6a2f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190907020128-2ca718005c18/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190927191325-030b2cf1153e/go.mod 
h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= @@ -630,6 +3543,7 @@ golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtn golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200103221440-774c71fcf114/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 
@@ -642,31 +3556,66 @@ golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjs golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200616133436-c1934b75d054/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= +golang.org/x/tools v0.0.0-20200916195026-c9a70fc28ce3/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU= golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20201124115921-2c860bdd6e78/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools 
v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.11.0 h1:EMCa6U9S2LtZXLAMoWiR/R8dAQFRqbAitmbJ2UKhoi8= -golang.org/x/tools v0.11.0/go.mod h1:anzJrxPjNtfgiYQYirP2CPGzGLxrH2u2QBhn6Bf3qY8= +golang.org/x/tools v0.1.9/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU= +golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA= +golang.org/x/tools v0.3.0/go.mod h1:/rWhSS2+zyEVwoJf8YAX6L2f0ntZ7Kn/mGgAWcipA5k= +golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ= +golang.org/x/tools v0.5.0/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k= +golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= +golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s= +golang.org/x/tools v0.8.0/go.mod h1:JxBZ99ISMI5ViVkT1tr6tdNmXeTrcpVSD3vZ1RsRdN4= 
+golang.org/x/tools v0.9.1/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= +golang.org/x/tools v0.10.0/go.mod h1:UJwyiVBsOA2uwvK/e5OY3GTpDUJriEd+/YlqAwLPmyM= +golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg= +golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= +golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -gomodules.xyz/jsonpatch/v2 v2.3.0 h1:8NFhfS6gzxNqjLIYnZxg319wZ5Qjnx4m/CcX+Klzazc= -gomodules.xyz/jsonpatch/v2 v2.3.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= +golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= +golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= +golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= +gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw= +gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= +gonum.org/v1/gonum v0.0.0-20180816165407-929014505bf4/go.mod h1:Y+Yx5eoAFn32cQvJDxZx5Dpnq+c3wtXuadVZAcxbbBo= +gonum.org/v1/gonum v0.8.2/go.mod 
h1:oe/vMfY3deqTw+1EZJhuvEW2iwGF1bW9wwu7XCu0+v0= +gonum.org/v1/gonum v0.9.3/go.mod h1:TZumC3NeyVQskjXqmyWt4S3bINhy7B4eYwW69EbyX+0= +gonum.org/v1/gonum v0.11.0/go.mod h1:fSG4YDCxxUZQJ7rKsQrj0gMOg00Il0Z96/qMA4bVQhA= +gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw= +gonum.org/v1/plot v0.0.0-20190515093506-e2840ee46a6b/go.mod h1:Wt8AAjI+ypCyYX3nZBvf6cAIx93T+c/OS2HFAYskSZc= +gonum.org/v1/plot v0.9.0/go.mod h1:3Pcqqmp6RHvJI72kgb8fThyUnav364FOsdDo2aGW5lY= +gonum.org/v1/plot v0.10.1/go.mod h1:VZW5OlhkL1mysU9vaqNHnsy86inf6Ot+jB3r+BczCEo= +google.golang.org/api v0.0.0-20160322025152-9bf6e6e569ff/go.mod h1:4mhQ8q/RsB7i+udVvVy5NUi08OU8ZlA0gRVgrF7VFY0= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= 
@@ -686,19 +3635,72 @@ google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz513 google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= +google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU= +google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94= +google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59tHXo= +google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtukyy4= +google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw= +google.golang.org/api v0.51.0/go.mod h1:t4HdrdoNgyN5cbEfm7Lum0lcLDLiise1F8qDKX00sOU= +google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6z3k= +google.golang.org/api v0.55.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE= +google.golang.org/api v0.56.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE= +google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdrMgI= +google.golang.org/api v0.61.0/go.mod h1:xQRti5UdCmoCEqFxcz93fTl338AVqDgyaDRuOZ3hg9I= +google.golang.org/api v0.63.0/go.mod h1:gs4ij2ffTRXwuzzgJl/56BdwJaA194ijkfn++9tDuPo= +google.golang.org/api v0.67.0/go.mod h1:ShHKP8E60yPsKNw/w8w+VYaj9H6buA5UqDp8dhbQZ6g= +google.golang.org/api v0.70.0/go.mod h1:Bs4ZM2HGifEvXwd50TtW70ovgJffJYw2oRCOFU/SkfA= +google.golang.org/api v0.71.0/go.mod h1:4PyU6e6JogV1f9eA4voyrTY2batOLdgZ5qZ5HOCc4j8= +google.golang.org/api v0.74.0/go.mod h1:ZpfMZOVRMywNyvJFeqL9HRWBgAuRfSjJFpe9QtRRyDs= +google.golang.org/api v0.75.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69ljA= +google.golang.org/api v0.77.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69ljA= +google.golang.org/api v0.78.0/go.mod h1:1Sg78yoMLOhlQTeF+ARBoytAcH1NNyyl390YMy6rKmw= 
+google.golang.org/api v0.80.0/go.mod h1:xY3nI94gbvBrE0J6NHXhxOmW97HG7Khjkku6AFB3Hyg= +google.golang.org/api v0.84.0/go.mod h1:NTsGnUFJMYROtiquksZHBWtHfeMC7iYthki7Eq3pa8o= +google.golang.org/api v0.85.0/go.mod h1:AqZf8Ep9uZ2pyTvgL+x0D3Zt0eoT9b5E8fmzfu6FO2g= +google.golang.org/api v0.90.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw= +google.golang.org/api v0.93.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw= +google.golang.org/api v0.95.0/go.mod h1:eADj+UBuxkh5zlrSntJghuNeg8HwQ1w5lTKkuqaETEI= +google.golang.org/api v0.96.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s= +google.golang.org/api v0.97.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s= +google.golang.org/api v0.98.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s= +google.golang.org/api v0.99.0/go.mod h1:1YOf74vkVndF7pG6hIHuINsM7eWwpVTAfNMNiL91A08= +google.golang.org/api v0.100.0/go.mod h1:ZE3Z2+ZOr87Rx7dqFsdRQkRBk36kDtp/h+QpHbB7a70= +google.golang.org/api v0.102.0/go.mod h1:3VFl6/fzoA+qNuS1N1/VfXY4LjoXN/wzeIp7TweWwGo= +google.golang.org/api v0.103.0/go.mod h1:hGtW6nK1AC+d9si/UBhw8Xli+QMOf6xyNAyJw4qU9w0= +google.golang.org/api v0.106.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/O9MY= +google.golang.org/api v0.107.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/O9MY= +google.golang.org/api v0.108.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/O9MY= +google.golang.org/api v0.110.0/go.mod h1:7FC4Vvx1Mooxh8C5HWjzZHcavuS2f6pmJpZx60ca7iI= +google.golang.org/api v0.111.0/go.mod h1:qtFHvU9mhgTJegR31csQ+rwxyUTHOKFqCKWp1J0fdw0= +google.golang.org/api v0.114.0/go.mod h1:ifYI2ZsFK6/uGddGfAD5BMxlnkBqCmqHSDUVi45N5Yg= +google.golang.org/api v0.118.0/go.mod h1:76TtD3vkgmZ66zZzp72bUUklpmQmKlhh6sYtIjYK+5E= +google.golang.org/api v0.122.0/go.mod h1:gcitW0lvnyWjSp9nKxAbdHKIZ6vF4aajGueeslZOyms= +google.golang.org/api v0.124.0/go.mod h1:xu2HQurE5gi/3t1aFCvhPD781p0a3p11sdunTJ2BlP4= +google.golang.org/api v0.125.0/go.mod h1:mBwVAtz+87bEN6CbA1GtZPDOqY2R5ONPqJeIlvyo4Aw= 
+google.golang.org/api v0.126.0/go.mod h1:mBwVAtz+87bEN6CbA1GtZPDOqY2R5ONPqJeIlvyo4Aw= +google.golang.org/api v0.128.0/go.mod h1:Y611qgqaE92On/7g65MQgxYul3c0rEB894kniWLY750= +google.golang.org/api v0.134.0/go.mod h1:sjRL3UnjTx5UqNQS9EWr9N8p7xbHpy1k0XGRLCf3Spk= +google.golang.org/api v0.139.0/go.mod h1:CVagp6Eekz9CjGZ718Z+sloknzkDJE7Vc1Ckj9+viBk= +google.golang.org/api v0.149.0/go.mod h1:Mwn1B7JTXrzXtnvmzQE2BD6bYZQ8DShKZDZbeN9I7qI= +google.golang.org/api v0.163.0 h1:4BBDpPaSH+H28NhnX+WwjXxbRLQ7TWuEKp4BQyEjxvk= +google.golang.org/api v0.163.0/go.mod h1:6SulDkfoBIg4NFmCuZ39XeeAgSHCPecfSUuDyYlAHs0= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM= +google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds= +google.golang.org/cloud v0.0.0-20151119220103-975617b05ea8/go.mod h1:0H1ncTHf11KCFhTc/+EFRbzSCOZx+VUbRMk55Yv5MYk= +google.golang.org/genproto v0.0.0-20170818010345-ee236bd376b0/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto 
v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190522204451-c2c4e71fbf69/go.mod h1:z3L6/3dTEVtUr6QSP8miRzeRqwQOioJ9I66odjN4I7s= google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= @@ -707,6 +3709,7 @@ google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvx google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200117163144-32f20d992d24/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA= google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 
@@ -715,29 +3718,195 @@ google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfG google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200423170343-7949de9c1215/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/genproto v0.0.0-20200527145253-8367513e4ece/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= 
google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201110150050-8816d57aaa9a/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210329143202-679c6ae281ee/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= +google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= +google.golang.org/genproto v0.0.0-20210513213006-bf773b8c8384/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= +google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= +google.golang.org/genproto v0.0.0-20210604141403-392c879c8b08/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= +google.golang.org/genproto v0.0.0-20210608205507-b6d2f5bf0d7d/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= 
+google.golang.org/genproto v0.0.0-20210624195500-8bfb893ecb84/go.mod h1:SzzZ/N+nwJDaO1kznhnlzqS8ocJICar6hYhVyhi++24= +google.golang.org/genproto v0.0.0-20210713002101-d411969a0d9a/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k= +google.golang.org/genproto v0.0.0-20210716133855-ce7ef5c701ea/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k= +google.golang.org/genproto v0.0.0-20210728212813-7823e685a01f/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= +google.golang.org/genproto v0.0.0-20210805201207-89edb61ffb67/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= +google.golang.org/genproto v0.0.0-20210813162853-db860fec028c/go.mod h1:cFeNkxwySK631ADgubI+/XFU/xp8FD5KIVV4rj8UC5w= +google.golang.org/genproto v0.0.0-20210821163610-241b8fcbd6c8/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= +google.golang.org/genproto v0.0.0-20210828152312-66f60bf46e71/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= +google.golang.org/genproto v0.0.0-20210831024726-fe130286e0e2/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= +google.golang.org/genproto v0.0.0-20210903162649-d08c68adba83/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= +google.golang.org/genproto v0.0.0-20210909211513-a8c4777a87af/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= +google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20211221195035-429b39de9b1c/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368/go.mod 
h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 h1:KpwkzHKEF7B9Zxg18WzOa7djJ+Ha5DzthMyZYQfEn2A= +google.golang.org/genproto v0.0.0-20220126215142-9970aeb2e350/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20220207164111-0872dc986b00/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20220218161850-94dd64e39d7c/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= +google.golang.org/genproto v0.0.0-20220222213610-43724f9ea8cf/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= +google.golang.org/genproto v0.0.0-20220304144024-325a89244dc8/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= +google.golang.org/genproto v0.0.0-20220310185008-1973136f34c6/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= +google.golang.org/genproto v0.0.0-20220324131243-acbaeb5b85eb/go.mod h1:hAL49I2IFola2sVEjAn7MEwsja0xp51I0tlGAf9hz4E= +google.golang.org/genproto v0.0.0-20220329172620-7be39ac1afc7/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= +google.golang.org/genproto v0.0.0-20220407144326-9054f6ed7bac/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= +google.golang.org/genproto v0.0.0-20220413183235-5e96e2839df9/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= +google.golang.org/genproto v0.0.0-20220414192740-2d67ff6cf2b4/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= +google.golang.org/genproto v0.0.0-20220421151946-72621c1f0bd3/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= +google.golang.org/genproto v0.0.0-20220429170224-98d788798c3e/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= +google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= +google.golang.org/genproto v0.0.0-20220505152158-f39f71e6c8f3/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= +google.golang.org/genproto v0.0.0-20220518221133-4f43b3371335/go.mod 
h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= +google.golang.org/genproto v0.0.0-20220523171625-347a074981d8/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= +google.golang.org/genproto v0.0.0-20220608133413-ed9918b62aac/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= +google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= +google.golang.org/genproto v0.0.0-20220617124728-180714bec0ad/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= +google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= +google.golang.org/genproto v0.0.0-20220628213854-d9e0b6570c03/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= +google.golang.org/genproto v0.0.0-20220722212130-b98a9ff5e252/go.mod h1:GkXuJDJ6aQ7lnJcRF+SJVgFdQhypqgl3LB1C9vabdRE= +google.golang.org/genproto v0.0.0-20220801145646-83ce21fca29f/go.mod h1:iHe1svFLAZg9VWz891+QbRMwUv9O/1Ww+/mngYeThbc= +google.golang.org/genproto v0.0.0-20220815135757-37a418bb8959/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk= +google.golang.org/genproto v0.0.0-20220817144833-d7fd3f11b9b1/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk= +google.golang.org/genproto v0.0.0-20220822174746-9e6da59bd2fc/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk= +google.golang.org/genproto v0.0.0-20220829144015-23454907ede3/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk= +google.golang.org/genproto v0.0.0-20220829175752-36a9c930ecbf/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk= +google.golang.org/genproto v0.0.0-20220913154956-18f8339a66a5/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo= +google.golang.org/genproto v0.0.0-20220914142337-ca0e39ece12f/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo= +google.golang.org/genproto v0.0.0-20220915135415-7fd63a7952de/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo= +google.golang.org/genproto 
v0.0.0-20220916172020-2692e8806bfa/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo= +google.golang.org/genproto v0.0.0-20220919141832-68c03719ef51/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo= +google.golang.org/genproto v0.0.0-20220920201722-2b89144ce006/go.mod h1:ht8XFiar2npT/g4vkk7O0WYS1sHOHbdujxbEp7CJWbw= +google.golang.org/genproto v0.0.0-20220926165614-551eb538f295/go.mod h1:woMGP53BroOrRY3xTxlbr8Y3eB/nzAvvFM83q7kG2OI= +google.golang.org/genproto v0.0.0-20220926220553-6981cbe3cfce/go.mod h1:woMGP53BroOrRY3xTxlbr8Y3eB/nzAvvFM83q7kG2OI= +google.golang.org/genproto v0.0.0-20221010155953-15ba04fc1c0e/go.mod h1:3526vdqwhZAwq4wsRUaVG555sVgsNmIjRtO7t/JH29U= +google.golang.org/genproto v0.0.0-20221014173430-6e2ab493f96b/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM= +google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM= +google.golang.org/genproto v0.0.0-20221024153911-1573dae28c9c/go.mod h1:9qHF0xnpdSfF6knlcsnpzUu5y+rpwgbvsyGAZPBMg4s= +google.golang.org/genproto v0.0.0-20221024183307-1bc688fe9f3e/go.mod h1:9qHF0xnpdSfF6knlcsnpzUu5y+rpwgbvsyGAZPBMg4s= +google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c/go.mod h1:CGI5F/G+E5bKwmfYo09AXuVN4dD894kIKUFmVbP2/Fo= +google.golang.org/genproto v0.0.0-20221109142239-94d6d90a7d66/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg= +google.golang.org/genproto v0.0.0-20221114212237-e4508ebdbee1/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg= +google.golang.org/genproto v0.0.0-20221117204609-8f9c96812029/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg= +google.golang.org/genproto v0.0.0-20221118155620-16455021b5e6/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg= +google.golang.org/genproto v0.0.0-20221201164419-0e50fba7f41c/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg= +google.golang.org/genproto v0.0.0-20221201204527-e3fa12d562f3/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg= 
+google.golang.org/genproto v0.0.0-20221202195650-67e5cbc046fd/go.mod h1:cTsE614GARnxrLsqKREzmNYJACSWWpAWdNMwnD7c2BE= +google.golang.org/genproto v0.0.0-20221227171554-f9683d7f8bef/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM= +google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM= +google.golang.org/genproto v0.0.0-20230112194545-e10362b5ecf9/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM= +google.golang.org/genproto v0.0.0-20230113154510-dbe35b8444a5/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM= +google.golang.org/genproto v0.0.0-20230123190316-2c411cf9d197/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM= +google.golang.org/genproto v0.0.0-20230124163310-31e0e69b6fc2/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM= +google.golang.org/genproto v0.0.0-20230125152338-dcaf20b6aeaa/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM= +google.golang.org/genproto v0.0.0-20230127162408-596548ed4efa/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM= +google.golang.org/genproto v0.0.0-20230209215440-0dfe4f8abfcc/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM= +google.golang.org/genproto v0.0.0-20230216225411-c8e22ba71e44/go.mod h1:8B0gmkoRebU8ukX6HP+4wrVQUY1+6PkQ44BSyIlflHA= +google.golang.org/genproto v0.0.0-20230222225845-10f96fb3dbec/go.mod h1:3Dl5ZL0q0isWJt+FVcfpQyirqemEuLAK/iFvg1UP1Hw= +google.golang.org/genproto v0.0.0-20230223222841-637eb2293923/go.mod h1:3Dl5ZL0q0isWJt+FVcfpQyirqemEuLAK/iFvg1UP1Hw= +google.golang.org/genproto v0.0.0-20230303212802-e74f57abe488/go.mod h1:TvhZT5f700eVlTNwND1xoEZQeWTB2RY/65kplwl/bFA= +google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4/go.mod h1:NWraEVixdDnqcqQ30jipen1STv2r/n24Wb7twVTGR4s= +google.golang.org/genproto v0.0.0-20230320184635-7606e756e683/go.mod h1:NWraEVixdDnqcqQ30jipen1STv2r/n24Wb7twVTGR4s= +google.golang.org/genproto v0.0.0-20230323212658-478b75c54725/go.mod 
h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak= +google.golang.org/genproto v0.0.0-20230330154414-c0448cd141ea/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak= +google.golang.org/genproto v0.0.0-20230331144136-dcfb400f0633/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak= +google.golang.org/genproto v0.0.0-20230403163135-c38d8f061ccd/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak= google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU= +google.golang.org/genproto v0.0.0-20230525234025-438c736192d0/go.mod h1:9ExIQyXL5hZrHzQceCwuSYwZZ5QZBazOcprJ5rgs3lY= +google.golang.org/genproto v0.0.0-20230526161137-0005af68ea54/go.mod h1:zqTuNwFlFRsw5zIts5VnzLQxSRqh+CGOTVMlYbY0Eyk= +google.golang.org/genproto v0.0.0-20230526203410-71b5a4ffd15e/go.mod h1:zqTuNwFlFRsw5zIts5VnzLQxSRqh+CGOTVMlYbY0Eyk= +google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:xZnkP7mREFX5MORlOPEzLMr+90PPZQ2QWzrVTWfAq64= +google.golang.org/genproto v0.0.0-20230629202037-9506855d4529/go.mod h1:xZnkP7mREFX5MORlOPEzLMr+90PPZQ2QWzrVTWfAq64= +google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:O9kGHb51iE/nOGvQaDUuadVYqovW56s5emA88lQnj6Y= +google.golang.org/genproto v0.0.0-20230711160842-782d3b101e98/go.mod h1:S7mY02OqCJTD0E1OiQy1F72PWFB4bZJ87cAtLPYgDR0= +google.golang.org/genproto v0.0.0-20230726155614-23370e0ffb3e/go.mod h1:0ggbjUrZYpy1q+ANUS30SEoGZ53cdfwtbuG7Ptgy108= +google.golang.org/genproto v0.0.0-20230803162519-f966b187b2e5/go.mod h1:oH/ZOT02u4kWEp7oYBGYFFkCdKS/uYR9Z7+0/xuuFp8= +google.golang.org/genproto v0.0.0-20230821184602-ccc8af3d0e93/go.mod h1:yZTlhN0tQnXo3h00fuXNCxJdLdIdnVFVBaRJ5LWBbw4= +google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d/go.mod h1:yZTlhN0tQnXo3h00fuXNCxJdLdIdnVFVBaRJ5LWBbw4= +google.golang.org/genproto v0.0.0-20230913181813-007df8e322eb/go.mod h1:yZTlhN0tQnXo3h00fuXNCxJdLdIdnVFVBaRJ5LWBbw4= +google.golang.org/genproto 
v0.0.0-20230920204549-e6e6cdab5c13/go.mod h1:CCviP9RmpZ1mxVr8MUjCnSiY09IbAXZxhLE6EhHIdPU= +google.golang.org/genproto v0.0.0-20231002182017-d307bd883b97/go.mod h1:t1VqOqqvce95G3hIDCT5FeO3YUc6Q4Oe24L/+rNMxRk= +google.golang.org/genproto v0.0.0-20231012201019-e917dd12ba7a/go.mod h1:EMfReVxb80Dq1hhioy0sOsY9jCE46YDgHlJ7fWVUWRE= +google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:CgAqfJo+Xmu0GwA0411Ht3OU3OntXwsGmrmjI8ioGXI= +google.golang.org/genproto v0.0.0-20231030173426-d783a09b4405/go.mod h1:3WDQMjmJk36UQhjQ89emUzb1mdaHcPeeAh4SCBKznB4= +google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17/go.mod h1:J7XzRzVy1+IPwWHZUzoD0IccYZIrXILAQpc+Qy9CMhY= +google.golang.org/genproto v0.0.0-20240125205218-1f4bbc51befe h1:USL2DhxfgRchafRvt/wYyyQNzwgL7ZiURcozOE/Pkvo= +google.golang.org/genproto v0.0.0-20240125205218-1f4bbc51befe/go.mod h1:cc8bqMqtv9gMOr0zHg2Vzff5ULhhL2IXP4sbcn32Dro= +google.golang.org/genproto/googleapis/api v0.0.0-20230525234020-1aefcd67740a/go.mod h1:ts19tUU+Z0ZShN1y3aPyq2+O3d5FUNNgT6FtOzmrNn8= +google.golang.org/genproto/googleapis/api v0.0.0-20230525234035-dd9d682886f9/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig= +google.golang.org/genproto/googleapis/api v0.0.0-20230526203410-71b5a4ffd15e/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig= +google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig= +google.golang.org/genproto/googleapis/api v0.0.0-20230629202037-9506855d4529/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig= +google.golang.org/genproto/googleapis/api v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:mPBs5jNgx2GuQGvFwUvVKqtn6HsUw9nP64BedgvqEsQ= +google.golang.org/genproto/googleapis/api v0.0.0-20230711160842-782d3b101e98/go.mod h1:rsr7RhLuwsDKL7RmgDDCUc6yaGr1iqceVb5Wv6f6YvQ= +google.golang.org/genproto/googleapis/api v0.0.0-20230726155614-23370e0ffb3e/go.mod h1:rsr7RhLuwsDKL7RmgDDCUc6yaGr1iqceVb5Wv6f6YvQ= 
+google.golang.org/genproto/googleapis/api v0.0.0-20230803162519-f966b187b2e5/go.mod h1:5DZzOUPCLYL3mNkQ0ms0F3EuUNZ7py1Bqeq6sxzI7/Q= +google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d/go.mod h1:KjSP20unUpOx5kyQUFa7k4OJg0qeJ7DEZflGDu2p6Bk= +google.golang.org/genproto/googleapis/api v0.0.0-20230913181813-007df8e322eb/go.mod h1:KjSP20unUpOx5kyQUFa7k4OJg0qeJ7DEZflGDu2p6Bk= +google.golang.org/genproto/googleapis/api v0.0.0-20230920204549-e6e6cdab5c13/go.mod h1:RdyHbowztCGQySiCvQPgWQWgWhGnouTdCflKoDBt32U= +google.golang.org/genproto/googleapis/api v0.0.0-20231002182017-d307bd883b97/go.mod h1:iargEX0SFPm3xcfMI0d1domjg0ZF4Aa0p2awqyxhvF0= +google.golang.org/genproto/googleapis/api v0.0.0-20231012201019-e917dd12ba7a/go.mod h1:SUBoKXbI1Efip18FClrQVGjWcyd0QZd8KkvdP34t7ww= +google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:IBQ646DjkDkvUIsVq/cc03FUFQ9wbZu7yE396YcL870= +google.golang.org/genproto/googleapis/api v0.0.0-20231030173426-d783a09b4405/go.mod h1:oT32Z4o8Zv2xPQTg0pbVaPr0MPOH6f14RgXt7zfIpwg= +google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17/go.mod h1:0xJLfVdJqpAPl8tDg1ujOCGzx6LFLttXT5NhllGOXY4= +google.golang.org/genproto/googleapis/api v0.0.0-20240125205218-1f4bbc51befe h1:0poefMBYvYbs7g5UkjS6HcxBPaTRAmznle9jnxYoAI8= +google.golang.org/genproto/googleapis/api v0.0.0-20240125205218-1f4bbc51befe/go.mod h1:4jWUdICTdgc3Ibxmr8nAJiiLHwQBY0UI0XZcEMaFKaA= +google.golang.org/genproto/googleapis/bytestream v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:ylj+BE99M198VPbBh6A8d9n3w8fChvyLK3wwBOjXBFA= +google.golang.org/genproto/googleapis/bytestream v0.0.0-20230720185612-659f7aaaa771/go.mod h1:3QoBVwTHkXbY1oRGzlhwhOykfcATQN43LJ6iT8Wy8kE= +google.golang.org/genproto/googleapis/bytestream v0.0.0-20230807174057-1744710a1577/go.mod h1:NjCQG/D8JandXxM57PZbAJL1DCNL6EypA0vPPwfsc7c= +google.golang.org/genproto/googleapis/bytestream v0.0.0-20231030173426-d783a09b4405/go.mod 
h1:GRUCuLdzVqZte8+Dl/D4N25yLzcGqqWaYkeVOwulFqw= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234015-3fc162c6f38a/go.mod h1:xURIpW9ES5+/GZhnV6beoEtxQrnkRGIfP5VQG2tCBLc= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230526203410-71b5a4ffd15e/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230629202037-9506855d4529/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:8mL13HKkDa+IuJ8yruA3ci0q+0vsUz4m//+ottjwS5o= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98/go.mod h1:TUfxEVdsvPg18p6AslUXFoLdpED4oBnGwyqk3dV1XzM= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230720185612-659f7aaaa771/go.mod h1:TUfxEVdsvPg18p6AslUXFoLdpED4oBnGwyqk3dV1XzM= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230731190214-cbb8c96f2d6d/go.mod h1:TUfxEVdsvPg18p6AslUXFoLdpED4oBnGwyqk3dV1XzM= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230803162519-f966b187b2e5/go.mod h1:zBEcrKX2ZOcEkHWxBPAIvYUWOKKMIhYcmNiUIu2ji3I= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230920183334-c177e329c48b/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230920204549-e6e6cdab5c13/go.mod h1:KSqppvjFjtoCI+KGd4PELB0qLNxdJHRGqRI09mB6pQA= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97/go.mod h1:v7nGkzlmW8P3n/bKmWBn2WpBjpOEx8Q6gMueudAmKfY= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231012201019-e917dd12ba7a/go.mod 
h1:4cYg8o5yUbm77w8ZX00LhMVNl/YVBFJRYWDc0uYWMs0= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:swOH3j0KzcDDgGUWr+SNpyTen5YrXjS3eyPzFYKc6lc= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231030173426-d783a09b4405/go.mod h1:67X1fPuzjcrkymZzZV1vvkFeTn2Rvc6lYF9MYFGCcwE= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231106174013-bbf56f31fb17/go.mod h1:oQ5rr10WTTMvP4A36n8JpR1OrO1BEiV4f78CneXZxkA= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240125205218-1f4bbc51befe h1:bQnxqljG/wqi4NTXu2+DJ3n7APcEA882QZ1JvhQAq9o= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240125205218-1f4bbc51befe/go.mod h1:PAREbraiVEVGVdTZsVWjSbbTtSyGbAgIIvni8a8CD5s= +google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= +google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= +google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= 
@@ -752,9 +3921,42 @@ google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= +google.golang.org/grpc v1.37.1/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= +google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= +google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE= +google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE= google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= -google.golang.org/grpc v1.56.2 h1:fVRFRnXvU+x6C4IlHZewvJOVHoOv1TUuQyoRsYnB4bI= +google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= +google.golang.org/grpc v1.41.0/go.mod h1:U3l9uK9J0sini8mHphKoXyaqDA/8VyGnDee1zzIUK6k= +google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= +google.golang.org/grpc v1.43.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= +google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= +google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ= +google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= +google.golang.org/grpc v1.46.2/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= +google.golang.org/grpc v1.47.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= +google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= +google.golang.org/grpc v1.49.0/go.mod 
h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= +google.golang.org/grpc v1.50.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= +google.golang.org/grpc v1.50.1/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= +google.golang.org/grpc v1.51.0/go.mod h1:wgNDFcnuBGmxLKI/qn4T+m5BtEBYXJPvibbUPsAIPww= +google.golang.org/grpc v1.52.0/go.mod h1:pu6fVzoFb+NBYNAvQL08ic+lvB2IojljRYuun5vorUY= +google.golang.org/grpc v1.52.3/go.mod h1:pu6fVzoFb+NBYNAvQL08ic+lvB2IojljRYuun5vorUY= +google.golang.org/grpc v1.53.0/go.mod h1:OnIrk0ipVdj4N5d9IUoFUx72/VlD7+jUsHwZgwSMQpw= +google.golang.org/grpc v1.54.0/go.mod h1:PUSEXI6iWghWaB6lXM4knEgpJNu2qUcKfDtNci3EC2g= +google.golang.org/grpc v1.55.0/go.mod h1:iYEXKGkEBhg1PjZQvoYEVPTDkHo1/bjTnfwTeGONTY8= +google.golang.org/grpc v1.56.1/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s= google.golang.org/grpc v1.56.2/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s= +google.golang.org/grpc v1.57.0/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo= +google.golang.org/grpc v1.58.2/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSsCJk0= +google.golang.org/grpc v1.58.3/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSsCJk0= +google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98= +google.golang.org/grpc v1.61.0/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFLBNJs= +google.golang.org/grpc v1.61.1 h1:kLAiWrZs7YeDM6MumDe7m3y4aM6wacLzM1Y/wiLP9XY= +google.golang.org/grpc v1.61.1/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFLBNJs= +google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= 
@@ -768,28 +3970,67 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= +google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.28.2-0.20230222093303-bc1253ad3743/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.29.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg= +google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U= gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20141024133853-64131543e789/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod 
h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= +gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo= +gopkg.in/inconshreveable/log15.v2 v2.0.0-20180818164646-67afb5ed74ec/go.mod h1:aPpfJ7XW+gOuirDoZ8gHhLh3kZ1B08FtV2bbmy7Jv3s= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/jcmturner/goidentity.v3 v3.0.0 h1:1duIyWiTaYvVx3YX2CYtpJbUFd7/UuPYCfgXtQ3VTbI= +gopkg.in/jcmturner/goidentity.v3 v3.0.0/go.mod h1:oG2kH0IvSYNIu80dVAyu/yoefjq1mNfM5bm88whjWx4= +gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= +gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= +gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= +gopkg.in/square/go-jose.v2 v2.3.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= +gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= +gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME= +gopkg.in/warnings.v0 
v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= +gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo= +gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= +gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk= +gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= +gotest.tools/v3 v3.3.0/go.mod h1:Mcr9QNxkg0uMvy/YElmo4SpXgJKWgQvYrT7Kw5RzJ1A= +gotest.tools/v3 v3.5.0 h1:Ljk6PdHdOhAb5aDMWXjDLMMhph+BpztA4v1QdqEW2eY= +gotest.tools/v3 v3.5.0/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= 
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 
@@ -797,32 +4038,162 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.27.3 h1:yR6oQXXnUEBWEWcvPWS0jQL575KoAboQPfJAuKNrw5Y= -k8s.io/api v0.27.3/go.mod h1:C4BNvZnQOF7JA/0Xed2S+aUyJSfTGkGFxLXz9MnpIpg= -k8s.io/apiextensions-apiserver v0.27.3 h1:xAwC1iYabi+TDfpRhxh4Eapl14Hs2OftM2DN5MpgKX4= -k8s.io/apiextensions-apiserver v0.27.3/go.mod h1:BH3wJ5NsB9XE1w+R6SSVpKmYNyIiyIz9xAmBl8Mb+84= -k8s.io/apimachinery v0.27.3 h1:Ubye8oBufD04l9QnNtW05idcOe9Z3GQN8+7PqmuVcUM= -k8s.io/apimachinery v0.27.3/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E= -k8s.io/client-go v0.27.3 h1:7dnEGHZEJld3lYwxvLl7WoehK6lAq7GvgjxpA3nv1E8= -k8s.io/client-go v0.27.3/go.mod h1:2MBEKuTo6V1lbKy3z1euEGnhPfGZLKTS9tiJ2xodM48= -k8s.io/component-base v0.27.3 h1:g078YmdcdTfrCE4fFobt7qmVXwS8J/3cI1XxRi/2+6k= -k8s.io/component-base v0.27.3/go.mod h1:JNiKYcGImpQ44iwSYs6dysxzR9SxIIgQalk4HaCNVUY= -k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= -k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -k8s.io/kube-openapi v0.0.0-20230525220651-2546d827e515 h1:OmK1d0WrkD3IPfkskvroRykOulHVHf0s0ZIFRjyt+UI= -k8s.io/kube-openapi v0.0.0-20230525220651-2546d827e515/go.mod h1:kzo02I3kQ4BTtEfVLaPbjvCkX97YqGve33wzlb3fofQ= -k8s.io/utils v0.0.0-20230505201702-9f6742963106 h1:EObNQ3TW2D+WptiYXlApGNLVy0zm/JIBVY9i+M4wpAU= -k8s.io/utils v0.0.0-20230505201702-9f6742963106/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +honnef.co/go/tools v0.1.3/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las= +k8s.io/api v0.20.1/go.mod h1:KqwcCVogGxQY3nBlRpwt+wpAMF/KjaCc7RpywacvqUo= +k8s.io/api v0.20.4/go.mod h1:++lNL1AJMkDymriNniQsWRkMDzRaX2Y/POTUi8yvqYQ= +k8s.io/api 
v0.20.6/go.mod h1:X9e8Qag6JV/bL5G6bU8sdVRltWKmdHsFUGS3eVndqE8= +k8s.io/api v0.22.5/go.mod h1:mEhXyLaSD1qTOf40rRiKXkc+2iCem09rWLlFwhCEiAs= +k8s.io/api v0.26.2/go.mod h1:1kjMQsFE+QHPfskEcVNgL3+Hp88B80uj0QtSOlj8itU= +k8s.io/api v0.29.1 h1:DAjwWX/9YT7NQD4INu49ROJuZAAAP/Ijki48GUPzxqw= +k8s.io/api v0.29.1/go.mod h1:7Kl10vBRUXhnQQI8YR/R327zXC8eJ7887/+Ybta+RoQ= +k8s.io/apiextensions-apiserver v0.29.1 h1:S9xOtyk9M3Sk1tIpQMu9wXHm5O2MX6Y1kIpPMimZBZw= +k8s.io/apiextensions-apiserver v0.29.1/go.mod h1:zZECpujY5yTW58co8V2EQR4BD6A9pktVgHhvc0uLfeU= +k8s.io/apimachinery v0.20.1/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= +k8s.io/apimachinery v0.20.4/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= +k8s.io/apimachinery v0.20.6/go.mod h1:ejZXtW1Ra6V1O5H8xPBGz+T3+4gfkTCeExAHKU57MAc= +k8s.io/apimachinery v0.22.1/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0= +k8s.io/apimachinery v0.22.5/go.mod h1:xziclGKwuuJ2RM5/rSFQSYAj0zdbci3DH8kj+WvyN0U= +k8s.io/apimachinery v0.25.0/go.mod h1:qMx9eAk0sZQGsXGu86fab8tZdffHbwUfsvzqKn4mfB0= +k8s.io/apimachinery v0.26.2/go.mod h1:ats7nN1LExKHvJ9TmwootT00Yz05MuYqPXEXaVeOy5I= +k8s.io/apimachinery v0.29.1 h1:KY4/E6km/wLBguvCZv8cKTeOwwOBqFNjwJIdMkMbbRc= +k8s.io/apimachinery v0.29.1/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU= +k8s.io/apiserver v0.20.1/go.mod h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU= +k8s.io/apiserver v0.20.4/go.mod h1:Mc80thBKOyy7tbvFtB4kJv1kbdD0eIH8k8vianJcbFM= +k8s.io/apiserver v0.20.6/go.mod h1:QIJXNt6i6JB+0YQRNcS0hdRHJlMhflFmsBDeSgT1r8Q= +k8s.io/apiserver v0.22.5/go.mod h1:s2WbtgZAkTKt679sYtSudEQrTGWUSQAPe6MupLnlmaQ= +k8s.io/apiserver v0.26.2/go.mod h1:GHcozwXgXsPuOJ28EnQ/jXEM9QeG6HT22YxSNmpYNh8= +k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y= +k8s.io/client-go v0.20.4/go.mod h1:LiMv25ND1gLUdBeYxBIwKpkSC5IsozMMmOOeSJboP+k= +k8s.io/client-go v0.20.6/go.mod h1:nNQMnOvEUEsOzRRFIIkdmYOjAZrC8bgq0ExboWSU1I0= +k8s.io/client-go v0.22.5/go.mod 
h1:cs6yf/61q2T1SdQL5Rdcjg9J1ElXSwbjSrW2vFImM4Y= +k8s.io/client-go v0.26.2/go.mod h1:u5EjOuSyBa09yqqyY7m3abZeovO/7D/WehVVlZ2qcqU= +k8s.io/client-go v0.29.1 h1:19B/+2NGEwnFLzt0uB5kNJnfTsbV8w6TgQRz9l7ti7A= +k8s.io/client-go v0.29.1/go.mod h1:TDG/psL9hdet0TI9mGyHJSgRkW3H9JZk2dNEUS7bRks= +k8s.io/code-generator v0.19.7/go.mod h1:lwEq3YnLYb/7uVXLorOJfxg+cUu2oihFhHZ0n9NIla0= +k8s.io/component-base v0.20.1/go.mod h1:guxkoJnNoh8LNrbtiQOlyp2Y2XFCZQmrcg2n/DeYNLk= +k8s.io/component-base v0.20.4/go.mod h1:t4p9EdiagbVCJKrQ1RsA5/V4rFQNDfRlevJajlGwgjI= +k8s.io/component-base v0.20.6/go.mod h1:6f1MPBAeI+mvuts3sIdtpjljHWBQ2cIy38oBIWMYnrM= +k8s.io/component-base v0.22.5/go.mod h1:VK3I+TjuF9eaa+Ln67dKxhGar5ynVbwnGrUiNF4MqCI= +k8s.io/component-base v0.26.2/go.mod h1:DxbuIe9M3IZPRxPIzhch2m1eT7uFrSBJUBuVCQEBivs= +k8s.io/component-base v0.29.1 h1:MUimqJPCRnnHsskTTjKD+IC1EHBbRCVyi37IoFBrkYw= +k8s.io/component-base v0.29.1/go.mod h1:fP9GFjxYrLERq1GcWWZAE3bqbNcDKDytn2srWuHTtKc= +k8s.io/cri-api v0.17.3/go.mod h1:X1sbHmuXhwaHs9xxYffLqJogVsnI+f6cPRcgPel7ywM= +k8s.io/cri-api v0.20.1/go.mod h1:2JRbKt+BFLTjtrILYVqQK5jqhI+XNdF6UiGMgczeBCI= +k8s.io/cri-api v0.20.4/go.mod h1:2JRbKt+BFLTjtrILYVqQK5jqhI+XNdF6UiGMgczeBCI= +k8s.io/cri-api v0.20.6/go.mod h1:ew44AjNXwyn1s0U4xCKGodU7J1HzBeZ1MpGrpa5r8Yc= +k8s.io/cri-api v0.23.1/go.mod h1:REJE3PSU0h/LOV1APBrupxrEJqnoxZC8KWzkBUHwrK4= +k8s.io/cri-api v0.25.0/go.mod h1:J1rAyQkSJ2Q6I+aBMOVgg2/cbbebso6FNa0UagiR0kc= +k8s.io/cri-api v0.25.3/go.mod h1:riC/P0yOGUf2K1735wW+CXs1aY2ctBgePtnnoFLd0dU= +k8s.io/cri-api v0.26.2/go.mod h1:Oo8O7MKFPNDxfDf2LmrF/3Hf30q1C6iliGuv3la3tIA= +k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/gengo v0.0.0-20200428234225-8167cfdcfc14/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/gengo v0.0.0-20201113003025-83324d819ded/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= +k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod 
h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= +k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= +k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= +k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= +k8s.io/klog/v2 v2.9.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec= +k8s.io/klog/v2 v2.30.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/klog/v2 v2.70.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/klog/v2 v2.90.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0= +k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo= +k8s.io/kms v0.26.2/go.mod h1:69qGnf1NsFOQP07fBYqNLZklqEHSJF024JqYCaeVxHg= +k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6/go.mod h1:UuqjUnNftUyPE5H64/qeyjQoUZhGpeFDVdxjTeEVN2o= +k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM= +k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw= +k8s.io/kube-openapi v0.0.0-20211109043538-20434351676c/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw= +k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1/go.mod h1:C/N6wCaBHeBHkHUesQOQy2/MZqGgMAFPqGsGQLdbZBU= +k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4= +k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780= +k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= +k8s.io/kubernetes v1.13.0/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk= +k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/utils 
v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/utils v0.0.0-20221107191617-1a15be271d1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCfRziVtos3ofG/sQ= +k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +lukechampine.com/uint128 v1.1.1/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk= +lukechampine.com/uint128 v1.2.0/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk= +modernc.org/cc/v3 v3.36.0/go.mod h1:NFUHyPn4ekoC/JHeZFfZurN6ixxawE1BnVonP/oahEI= +modernc.org/cc/v3 v3.36.2/go.mod h1:NFUHyPn4ekoC/JHeZFfZurN6ixxawE1BnVonP/oahEI= +modernc.org/cc/v3 v3.36.3/go.mod h1:NFUHyPn4ekoC/JHeZFfZurN6ixxawE1BnVonP/oahEI= +modernc.org/cc/v3 v3.37.0/go.mod h1:vtL+3mdHx/wcj3iEGz84rQa8vEqR6XM84v5Lcvfph20= +modernc.org/cc/v3 v3.40.0/go.mod h1:/bTg4dnWkSXowUO6ssQKnOV0yMVxDYNIsIrzqTFDGH0= +modernc.org/ccgo/v3 v3.0.0-20220428102840-41399a37e894/go.mod h1:eI31LL8EwEBKPpNpA4bU1/i+sKOwOrQy8D87zWUcRZc= +modernc.org/ccgo/v3 v3.0.0-20220430103911-bc99d88307be/go.mod h1:bwdAnOoaIt8Ax9YdWGjxWsdkPcZyRPHqrOvJxaKAKGw= +modernc.org/ccgo/v3 v3.0.0-20220904174949-82d86e1b6d56/go.mod h1:YSXjPL62P2AMSxBphRHPn7IkzhVHqkvOnRKAKh+W6ZI= +modernc.org/ccgo/v3 v3.16.4/go.mod h1:tGtX0gE9Jn7hdZFeU88slbTh1UtCYKusWOoCJuvkWsQ= +modernc.org/ccgo/v3 v3.16.6/go.mod h1:tGtX0gE9Jn7hdZFeU88slbTh1UtCYKusWOoCJuvkWsQ= +modernc.org/ccgo/v3 v3.16.8/go.mod h1:zNjwkizS+fIFDrDjIAgBSCLkWbJuHF+ar3QRn+Z9aws= 
+modernc.org/ccgo/v3 v3.16.9/go.mod h1:zNMzC9A9xeNUepy6KuZBbugn3c0Mc9TeiJO4lgvkJDo= +modernc.org/ccgo/v3 v3.16.13-0.20221017192402-261537637ce8/go.mod h1:fUB3Vn0nVPReA+7IG7yZDfjv1TMWjhQP8gCxrFAtL5g= +modernc.org/ccgo/v3 v3.16.13/go.mod h1:2Quk+5YgpImhPjv2Qsob1DnZ/4som1lJTodubIcoUkY= +modernc.org/ccorpus v1.11.6/go.mod h1:2gEUTrWqdpH2pXsmTM1ZkjeSrUWDpjMu2T6m29L/ErQ= +modernc.org/httpfs v1.0.6/go.mod h1:7dosgurJGp0sPaRanU53W4xZYKh14wfzX420oZADeHM= +modernc.org/libc v0.0.0-20220428101251-2d5f3daf273b/go.mod h1:p7Mg4+koNjc8jkqwcoFBJx7tXkpj00G77X7A72jXPXA= +modernc.org/libc v1.16.0/go.mod h1:N4LD6DBE9cf+Dzf9buBlzVJndKr/iJHG97vGLHYnb5A= +modernc.org/libc v1.16.1/go.mod h1:JjJE0eu4yeK7tab2n4S1w8tlWd9MxXLRzheaRnAKymU= +modernc.org/libc v1.16.17/go.mod h1:hYIV5VZczAmGZAnG15Vdngn5HSF5cSkbvfz2B7GRuVU= +modernc.org/libc v1.16.19/go.mod h1:p7Mg4+koNjc8jkqwcoFBJx7tXkpj00G77X7A72jXPXA= +modernc.org/libc v1.17.0/go.mod h1:XsgLldpP4aWlPlsjqKRdHPqCxCjISdHfM/yeWC5GyW0= +modernc.org/libc v1.17.1/go.mod h1:FZ23b+8LjxZs7XtFMbSzL/EhPxNbfZbErxEHc7cbD9s= +modernc.org/libc v1.17.4/go.mod h1:WNg2ZH56rDEwdropAJeZPQkXmDwh+JCA1s/htl6r2fA= +modernc.org/libc v1.18.0/go.mod h1:vj6zehR5bfc98ipowQOM2nIDUZnVew/wNC/2tOGS+q0= +modernc.org/libc v1.20.3/go.mod h1:ZRfIaEkgrYgZDl6pa4W39HgN5G/yDW+NRmNKZBDFrk0= +modernc.org/libc v1.21.4/go.mod h1:przBsL5RDOZajTVslkugzLBj1evTue36jEomFQOoYuI= +modernc.org/libc v1.22.2/go.mod h1:uvQavJ1pZ0hIoC/jfqNoMLURIMhKzINIWypNM17puug= +modernc.org/mathutil v1.2.2/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E= +modernc.org/mathutil v1.4.1/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E= +modernc.org/mathutil v1.5.0/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E= +modernc.org/memory v1.1.1/go.mod h1:/0wo5ibyrQiaoUoH7f9D8dnglAmILJ5/cxZlRECf+Nw= +modernc.org/memory v1.2.0/go.mod h1:/0wo5ibyrQiaoUoH7f9D8dnglAmILJ5/cxZlRECf+Nw= +modernc.org/memory v1.2.1/go.mod h1:PkUhL0Mugw21sHPeskwZW4D6VscE/GQJOnIpCnW6pSU= +modernc.org/memory v1.3.0/go.mod 
h1:PkUhL0Mugw21sHPeskwZW4D6VscE/GQJOnIpCnW6pSU= +modernc.org/memory v1.4.0/go.mod h1:PkUhL0Mugw21sHPeskwZW4D6VscE/GQJOnIpCnW6pSU= +modernc.org/memory v1.5.0/go.mod h1:PkUhL0Mugw21sHPeskwZW4D6VscE/GQJOnIpCnW6pSU= +modernc.org/opt v0.1.1/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0= +modernc.org/opt v0.1.3/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0= +modernc.org/sqlite v1.18.1/go.mod h1:6ho+Gow7oX5V+OiOQ6Tr4xeqbx13UZ6t+Fw9IRUG4d4= +modernc.org/sqlite v1.18.2/go.mod h1:kvrTLEWgxUcHa2GfHBQtanR1H9ht3hTJNtKpzH9k1u0= +modernc.org/strutil v1.1.1/go.mod h1:DE+MQQ/hjKBZS2zNInV5hhcipt5rLPWkmpbGeW5mmdw= +modernc.org/strutil v1.1.3/go.mod h1:MEHNA7PdEnEwLvspRMtWTNnp2nnyvMfkimT1NKNAGbw= +modernc.org/tcl v1.13.1/go.mod h1:XOLfOwzhkljL4itZkK6T72ckMgvj0BDsnKNdZVUOecw= +modernc.org/tcl v1.13.2/go.mod h1:7CLiGIPo1M8Rv1Mitpv5akc2+8fxUd2y2UzC/MfMzy0= +modernc.org/token v1.0.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM= +modernc.org/token v1.0.1/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM= +modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM= +modernc.org/z v1.5.1/go.mod h1:eWFB510QWW5Th9YGZT81s+LwvaAs3Q2yr4sP0rmLkv8= +oras.land/oras-go v1.2.0/go.mod h1:pFNs7oHp2dYsYMSS82HaX5l4mpnGO7hbpPN6EWH2ltc= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= +rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= -sigs.k8s.io/controller-runtime v0.15.0 h1:ML+5Adt3qZnMSYxZ7gAverBLNPSMQEibtzAgp0UPojU= -sigs.k8s.io/controller-runtime v0.15.0/go.mod h1:7ngYvp1MLT+9GeZ+6lH3LOlcHkp/+tzA/fmHa4iq9kk= -sigs.k8s.io/controller-tools v0.12.1 h1:GyQqxzH5wksa4n3YDIJdJJOopztR5VDM+7qsyg5yE4U= -sigs.k8s.io/controller-tools v0.12.1/go.mod h1:rXlpTfFHZMpZA8aGq9ejArgZiieHd+fkk/fTatY8A2M= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client 
v0.0.14/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.15/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.22/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.35/go.mod h1:WxjusMwXlKzfAs4p9km6XJRndVt2FROgMVCE4cdohFo= +sigs.k8s.io/controller-runtime v0.17.0 h1:fjJQf8Ukya+VjogLO6/bNX9HE6Y2xpsO5+fyS26ur/s= +sigs.k8s.io/controller-runtime v0.17.0/go.mod h1:+MngTvIQQQhfXtwfdGw/UOQ/aIaqsYywfCINOtwMO/s= +sigs.k8s.io/controller-tools v0.14.0 h1:rnNoCC5wSXlrNoBKKzL70LNJKIQKEzT6lloG6/LF73A= +sigs.k8s.io/controller-tools v0.14.0/go.mod h1:TV7uOtNNnnR72SpzhStvPkoS/U5ir0nMudrkrC4M9Sc= +sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= +sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= +sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= +sigs.k8s.io/structured-merge-diff/v4 v4.0.3/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= +sigs.k8s.io/structured-merge-diff/v4 v4.1.2/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4= sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= -sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= +sigs.k8s.io/yaml v1.1.0/go.mod 
h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= +sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= +sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= +sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= diff --git a/hack/prepare.sh b/hack/prepare.sh index 2386fe2f..e9daf98d 100755 --- a/hack/prepare.sh +++ b/hack/prepare.sh @@ -16,7 +16,7 @@ git grep -l "upbound/provider-${PROVIDER_NAME_LOWER}" -- ${REPLACE_FILES} | xarg git grep -l 'Template' -- ${REPLACE_FILES} | xargs sed -i.bak "s/Template/${PROVIDER_NAME_NORMAL}/g" # We need to be careful while replacing "template" keyword in go.mod as it could tamper # some imported packages under require section. -sed -i.bak "s|upbound/upjet-provider-template|${ORGANIZATION_NAME}/provider-${PROVIDER_NAME_LOWER}|g" go.mod +sed -i.bak "s|crossplane/upjet-provider-template|${ORGANIZATION_NAME}/provider-${PROVIDER_NAME_LOWER}|g" go.mod sed -i.bak "s|PROJECT_REPO := github.com/upbound/|PROJECT_REPO := github.com/${ORGANIZATION_NAME}/|g" Makefile # Clean up the .bak files created by sed diff --git a/internal/clients/vault.go b/internal/clients/vault.go index bb50bb2a..5029e982 100644 --- a/internal/clients/vault.go +++ b/internal/clients/vault.go @@ -9,11 +9,13 @@ import ( "encoding/json" "github.com/crossplane/crossplane-runtime/pkg/resource" + "github.com/crossplane/upjet/pkg/terraform" "github.com/pkg/errors" "k8s.io/apimachinery/pkg/types" "sigs.k8s.io/controller-runtime/pkg/client" - "github.com/upbound/upjet/pkg/terraform" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + tfsdk "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" "github.com/upbound/provider-vault/apis/v1beta1" ) 
@@ -66,15 +68,9 @@ const (
 // TerraformSetupBuilder builds Terraform a terraform.SetupFn function which
 // returns Terraform provider setup configuration
 // nolint:gocyclo
-func TerraformSetupBuilder(version, providerSource, providerVersion string) terraform.SetupFn {
+func TerraformSetupBuilder(tfProvider *schema.Provider) terraform.SetupFn {
 return func(ctx context.Context, client client.Client, mg resource.Managed) (terraform.Setup, error) {
- ps := terraform.Setup{
- Version: version,
- Requirement: terraform.ProviderRequirement{
- Source: providerSource,
- Version: providerVersion,
- },
- }
+ ps := terraform.Setup{}
 configRef := mg.GetProviderConfigReference()
 if configRef == nil {
@@ -140,6 +136,26 @@ func TerraformSetupBuilder(version, providerSource, providerVersion string) terr
 ps.Configuration[key] = v
 }
 }
- return ps, nil
+ return ps, errors.Wrap(
+ configureNoForkVaultClient(ctx, &ps, *tfProvider),
+ "failed to configure the no-fork Vault client",
+ )
+ }
+}
+
+func configureNoForkVaultClient(ctx context.Context, ps *terraform.Setup, p schema.Provider) error {
+ // Please be aware that this implementation relies on the schema.Provider
+ // parameter `p` being a non-pointer. This is because normally
+ // the Terraform plugin SDK normally configures the provider
+ // only once and using a pointer argument here will cause
+ // race conditions between resources referring to different
+ // ProviderConfigs.
+ diag := p.Configure(context.WithoutCancel(ctx), &tfsdk.ResourceConfig{
+ Config: ps.Configuration,
+ })
+ if diag != nil && diag.HasError() {
+ return errors.Errorf("failed to configure the provider: %v", diag)
 }
+ ps.Meta = p.Meta()
+ return nil
 }
diff --git a/internal/controller/ad/secretbackend/zz_controller.go b/internal/controller/ad/secretbackend/zz_controller.go
index cc4d0442..40d93c2c 100755
--- a/internal/controller/ad/secretbackend/zz_controller.go
+++ b/internal/controller/ad/secretbackend/zz_controller.go
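Review bot: Nothing checks `tfProvider` for nil in `TerraformSetupBuilder`, yet the returned closure dereferences it as `*tfProvider` on every call (in the `@@ -140,6 +136,26 @@` hunk), so a nil argument shows up as a panic inside a reconcile instead of an ordinary error. A guard at the top of the closure would cover it: `if tfProvider == nil { return terraform.Setup{}, errors.New("terraform provider schema is nil") }`. The doc comment above the function still reads "builds Terraform a terraform.SetupFn" and says nothing about the new parameter; I would reword it to `// TerraformSetupBuilder returns a terraform.SetupFn that configures a copy of tfProvider for each call.` The closure body continues outside this hunk.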
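Review bot: `errors.Errorf("failed to configure the provider: %v", diag)` in `configureNoForkVaultClient` formats the whole diagnostics value into the error returned from the SetupFn, while `ps.Configuration` presumably holds the Vault credentials read from the ProviderConfig. Whether the provider's Configure ever echoes configuration values in a diagnostic's detail is not visible here, but if it does they would land wherever the reconciler records this error (presumably status conditions and events), so I would build the message from the error summaries only and keep the full diagnostics for debug logging. Separately, `context.WithoutCancel(ctx)` also drops any deadline, so a Configure call against an unreachable Vault is bounded only by the client's own timeouts; a comment such as `// cancellation is detached because <reason>; Configure relies on the client timeout` would record the intent. The existing comment block also has a doubled "normally", and since passing `p` by value is a shallow copy that still shares the provider's maps, it should say which state the copy is meant to isolate.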
@@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/ad/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretBackend_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_ad_secret_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_ad_secret_backend"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretBackend_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), 
+ managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretBackend + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretBackend{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretBackend") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretBackendList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretBackendList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretBackend{}, o.EventHandler). + Watches(&v1alpha1.SecretBackend{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/ad/secretrole/zz_controller.go b/internal/controller/ad/secretrole/zz_controller.go index 585e0f3f..eb090b92 100755 --- a/internal/controller/ad/secretrole/zz_controller.go +++ b/internal/controller/ad/secretrole/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/ad/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretRole_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretRole_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_ad_secret_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_ad_secret_role"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretRole_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretRole + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretRole{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretRole") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretRoleList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretRoleList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretRole_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretRole{}, o.EventHandler). + Watches(&v1alpha1.SecretRole{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/alicloud/authbackendrole/zz_controller.go b/internal/controller/alicloud/authbackendrole/zz_controller.go index e49f2ee6..e2a7cefe 100755 --- a/internal/controller/alicloud/authbackendrole/zz_controller.go +++ b/internal/controller/alicloud/authbackendrole/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/alicloud/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.AuthBackendRole_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_alicloud_auth_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_alicloud_auth_backend_role"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.AuthBackendRole_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.AuthBackendRole + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.AuthBackendRole{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.AuthBackendRole") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuthBackendRoleList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuthBackendRoleList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.AuthBackendRole{}, o.EventHandler). + Watches(&v1alpha1.AuthBackendRole{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/approle/authbackendlogin/zz_controller.go b/internal/controller/approle/authbackendlogin/zz_controller.go index 54bc360c..d6498a70 100755 --- a/internal/controller/approle/authbackendlogin/zz_controller.go +++ b/internal/controller/approle/authbackendlogin/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/approle/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendLogin_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.AuthBackendLogin_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendLogin_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_approle_auth_backend_login"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_approle_auth_backend_login"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.AuthBackendLogin_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, 
xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.AuthBackendLogin + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.AuthBackendLogin{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.AuthBackendLogin") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuthBackendLoginList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuthBackendLoginList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendLogin_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.AuthBackendLogin{}, o.EventHandler). + Watches(&v1alpha1.AuthBackendLogin{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/approle/authbackendrole/zz_controller.go b/internal/controller/approle/authbackendrole/zz_controller.go index 9af79804..aa5e2181 100755 --- a/internal/controller/approle/authbackendrole/zz_controller.go +++ b/internal/controller/approle/authbackendrole/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/approle/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.AuthBackendRole_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_approle_auth_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_approle_auth_backend_role"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.AuthBackendRole_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.AuthBackendRole + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.AuthBackendRole{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.AuthBackendRole") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuthBackendRoleList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuthBackendRoleList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.AuthBackendRole{}, o.EventHandler). + Watches(&v1alpha1.AuthBackendRole{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/approle/authbackendrolesecretid/zz_controller.go b/internal/controller/approle/authbackendrolesecretid/zz_controller.go index 87916b71..f69a9709 100755 --- a/internal/controller/approle/authbackendrolesecretid/zz_controller.go +++ b/internal/controller/approle/authbackendrolesecretid/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/approle/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRoleSecretID_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.AuthBackendRoleSecretID_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRoleSecretID_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_approle_auth_backend_role_secret_id"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_approle_auth_backend_role_secret_id"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.AuthBackendRoleSecretID_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - 
managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.AuthBackendRoleSecretID + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.AuthBackendRoleSecretID{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.AuthBackendRoleSecretID") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuthBackendRoleSecretIDList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuthBackendRoleSecretIDList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRoleSecretID_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.AuthBackendRoleSecretID{}, o.EventHandler). 
+ Watches(&v1alpha1.AuthBackendRoleSecretID{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/audit/requestheader/zz_controller.go b/internal/controller/audit/requestheader/zz_controller.go index c2a0703d..e75f2712 100755 --- a/internal/controller/audit/requestheader/zz_controller.go +++ b/internal/controller/audit/requestheader/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/audit/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.RequestHeader_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.RequestHeader_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.RequestHeader_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_audit_request_header"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_audit_request_header"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.RequestHeader_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.RequestHeader + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.RequestHeader{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.RequestHeader") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.RequestHeaderList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.RequestHeaderList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.RequestHeader_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.RequestHeader{}, o.EventHandler). + Watches(&v1alpha1.RequestHeader{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/auth/backend/zz_controller.go b/internal/controller/auth/backend/zz_controller.go index 42ee3764..6d824522 100755 --- a/internal/controller/auth/backend/zz_controller.go +++ b/internal/controller/auth/backend/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/auth/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Backend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.Backend_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Backend_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_auth_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_auth_backend"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.Backend_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.Backend + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.Backend{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.Backend") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.BackendList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.BackendList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.Backend_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.Backend{}, o.EventHandler). + Watches(&v1alpha1.Backend{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/aws/authbackendcert/zz_controller.go b/internal/controller/aws/authbackendcert/zz_controller.go index d4d723f4..bd8617bc 100755 --- a/internal/controller/aws/authbackendcert/zz_controller.go +++ b/internal/controller/aws/authbackendcert/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/aws/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendCert_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.AuthBackendCert_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendCert_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_cert"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_cert"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.AuthBackendCert_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.AuthBackendCert + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.AuthBackendCert{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.AuthBackendCert") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuthBackendCertList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuthBackendCertList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendCert_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.AuthBackendCert{}, o.EventHandler). + Watches(&v1alpha1.AuthBackendCert{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/aws/authbackendclient/zz_controller.go b/internal/controller/aws/authbackendclient/zz_controller.go index f457a286..0b63ef10 100755 --- a/internal/controller/aws/authbackendclient/zz_controller.go +++ b/internal/controller/aws/authbackendclient/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/aws/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendClient_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.AuthBackendClient_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendClient_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_client"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_client"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.AuthBackendClient_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, 
xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.AuthBackendClient + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.AuthBackendClient{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.AuthBackendClient") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuthBackendClientList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuthBackendClientList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendClient_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.AuthBackendClient{}, o.EventHandler). + Watches(&v1alpha1.AuthBackendClient{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/aws/authbackendconfigidentity/zz_controller.go b/internal/controller/aws/authbackendconfigidentity/zz_controller.go index c5708002..254c8cd6 100755 --- a/internal/controller/aws/authbackendconfigidentity/zz_controller.go +++ b/internal/controller/aws/authbackendconfigidentity/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/aws/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendConfigIdentity_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.AuthBackendConfigIdentity_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendConfigIdentity_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_config_identity"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_config_identity"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.AuthBackendConfigIdentity_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - 
managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.AuthBackendConfigIdentity + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.AuthBackendConfigIdentity{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.AuthBackendConfigIdentity") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuthBackendConfigIdentityList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuthBackendConfigIdentityList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendConfigIdentity_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.AuthBackendConfigIdentity{}, o.EventHandler). 
+ Watches(&v1alpha1.AuthBackendConfigIdentity{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/aws/authbackendidentitywhitelist/zz_controller.go b/internal/controller/aws/authbackendidentitywhitelist/zz_controller.go index 5f54537a..00f5e215 100755 --- a/internal/controller/aws/authbackendidentitywhitelist/zz_controller.go +++ b/internal/controller/aws/authbackendidentitywhitelist/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/aws/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendIdentityWhitelist_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.AuthBackendIdentityWhitelist_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendIdentityWhitelist_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_identity_whitelist"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_identity_whitelist"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.AuthBackendIdentityWhitelist_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - 
managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.AuthBackendIdentityWhitelist + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.AuthBackendIdentityWhitelist{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.AuthBackendIdentityWhitelist") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuthBackendIdentityWhitelistList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuthBackendIdentityWhitelistList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendIdentityWhitelist_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). 
- Watches(&v1alpha1.AuthBackendIdentityWhitelist{}, o.EventHandler). + Watches(&v1alpha1.AuthBackendIdentityWhitelist{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/aws/authbackendlogin/zz_controller.go b/internal/controller/aws/authbackendlogin/zz_controller.go index 6c95bffd..a648cae9 100755 --- a/internal/controller/aws/authbackendlogin/zz_controller.go +++ b/internal/controller/aws/authbackendlogin/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/aws/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendLogin_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.AuthBackendLogin_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendLogin_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_login"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_login"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.AuthBackendLogin_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.AuthBackendLogin + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.AuthBackendLogin{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.AuthBackendLogin") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuthBackendLoginList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuthBackendLoginList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendLogin_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.AuthBackendLogin{}, o.EventHandler). + Watches(&v1alpha1.AuthBackendLogin{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/aws/authbackendrole/zz_controller.go b/internal/controller/aws/authbackendrole/zz_controller.go index dba39748..a6b3c38e 100755 --- a/internal/controller/aws/authbackendrole/zz_controller.go +++ b/internal/controller/aws/authbackendrole/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/aws/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.AuthBackendRole_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_role"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.AuthBackendRole_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.AuthBackendRole + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.AuthBackendRole{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.AuthBackendRole") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuthBackendRoleList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuthBackendRoleList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.AuthBackendRole{}, o.EventHandler). + Watches(&v1alpha1.AuthBackendRole{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/aws/authbackendroletag/zz_controller.go b/internal/controller/aws/authbackendroletag/zz_controller.go index a27d4ff3..b29c6f0f 100755 --- a/internal/controller/aws/authbackendroletag/zz_controller.go +++ b/internal/controller/aws/authbackendroletag/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/aws/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRoleTag_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.AuthBackendRoleTag_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRoleTag_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_role_tag"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_role_tag"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.AuthBackendRoleTag_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, 
xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.AuthBackendRoleTag + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.AuthBackendRoleTag{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.AuthBackendRoleTag") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuthBackendRoleTagList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuthBackendRoleTagList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRoleTag_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.AuthBackendRoleTag{}, o.EventHandler). + Watches(&v1alpha1.AuthBackendRoleTag{}, eventHandler). 
Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/aws/authbackendroletagblacklist/zz_controller.go b/internal/controller/aws/authbackendroletagblacklist/zz_controller.go index fdddeb1b..a9f18ffd 100755 --- a/internal/controller/aws/authbackendroletagblacklist/zz_controller.go +++ b/internal/controller/aws/authbackendroletagblacklist/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/aws/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRoletagBlacklist_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.AuthBackendRoletagBlacklist_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRoletagBlacklist_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_roletag_blacklist"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_roletag_blacklist"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.AuthBackendRoletagBlacklist_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - 
managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.AuthBackendRoletagBlacklist + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.AuthBackendRoletagBlacklist{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.AuthBackendRoletagBlacklist") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuthBackendRoletagBlacklistList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuthBackendRoletagBlacklistList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRoletagBlacklist_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). 
- Watches(&v1alpha1.AuthBackendRoletagBlacklist{}, o.EventHandler). + Watches(&v1alpha1.AuthBackendRoletagBlacklist{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/aws/authbackendstsrole/zz_controller.go b/internal/controller/aws/authbackendstsrole/zz_controller.go index abd017b3..238744ab 100755 --- a/internal/controller/aws/authbackendstsrole/zz_controller.go +++ b/internal/controller/aws/authbackendstsrole/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/aws/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendStsRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.AuthBackendStsRole_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendStsRole_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_sts_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_aws_auth_backend_sts_role"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.AuthBackendStsRole_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, 
xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.AuthBackendStsRole + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.AuthBackendStsRole{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.AuthBackendStsRole") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuthBackendStsRoleList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuthBackendStsRoleList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendStsRole_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.AuthBackendStsRole{}, o.EventHandler). + Watches(&v1alpha1.AuthBackendStsRole{}, eventHandler). 
Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/aws/secretbackend/zz_controller.go b/internal/controller/aws/secretbackend/zz_controller.go index 2d1ef79c..335331dd 100755 --- a/internal/controller/aws/secretbackend/zz_controller.go +++ b/internal/controller/aws/secretbackend/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/aws/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretBackend_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_secret_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_aws_secret_backend"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretBackend_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretBackend + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretBackend{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretBackend") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretBackendList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretBackendList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretBackend{}, o.EventHandler). + Watches(&v1alpha1.SecretBackend{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/aws/secretbackendrole/zz_controller.go b/internal/controller/aws/secretbackendrole/zz_controller.go index acf9a855..536f52d2 100755 --- a/internal/controller/aws/secretbackendrole/zz_controller.go +++ b/internal/controller/aws/secretbackendrole/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/aws/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretBackendRole_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_aws_secret_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_aws_secret_backend_role"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretBackendRole_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, 
xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretBackendRole + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretBackendRole{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretBackendRole") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretBackendRoleList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretBackendRoleList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretBackendRole{}, o.EventHandler). + Watches(&v1alpha1.SecretBackendRole{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/azure/authbackendconfig/zz_controller.go b/internal/controller/azure/authbackendconfig/zz_controller.go index 205a989d..09138413 100755 --- a/internal/controller/azure/authbackendconfig/zz_controller.go +++ b/internal/controller/azure/authbackendconfig/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/azure/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendConfig_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.AuthBackendConfig_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendConfig_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_azure_auth_backend_config"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_azure_auth_backend_config"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.AuthBackendConfig_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, 
xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.AuthBackendConfig + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.AuthBackendConfig{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.AuthBackendConfig") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuthBackendConfigList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuthBackendConfigList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendConfig_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.AuthBackendConfig{}, o.EventHandler). + Watches(&v1alpha1.AuthBackendConfig{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/azure/authbackendrole/zz_controller.go b/internal/controller/azure/authbackendrole/zz_controller.go index 25de2c85..8871655a 100755 --- a/internal/controller/azure/authbackendrole/zz_controller.go +++ b/internal/controller/azure/authbackendrole/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/azure/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.AuthBackendRole_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_azure_auth_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_azure_auth_backend_role"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.AuthBackendRole_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.AuthBackendRole + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.AuthBackendRole{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.AuthBackendRole") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuthBackendRoleList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuthBackendRoleList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.AuthBackendRole{}, o.EventHandler). + Watches(&v1alpha1.AuthBackendRole{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/azure/secretbackend/zz_controller.go b/internal/controller/azure/secretbackend/zz_controller.go index 4427a6a8..4f30f25c 100755 --- a/internal/controller/azure/secretbackend/zz_controller.go +++ b/internal/controller/azure/secretbackend/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/azure/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretBackend_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_azure_secret_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_azure_secret_backend"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretBackend_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretBackend + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretBackend{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretBackend") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretBackendList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretBackendList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretBackend{}, o.EventHandler). + Watches(&v1alpha1.SecretBackend{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/azure/secretbackendrole/zz_controller.go b/internal/controller/azure/secretbackendrole/zz_controller.go index 4c89f15b..08fd2071 100755 --- a/internal/controller/azure/secretbackendrole/zz_controller.go +++ b/internal/controller/azure/secretbackendrole/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/azure/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretBackendRole_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_azure_secret_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_azure_secret_backend_role"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretBackendRole_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, 
xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretBackendRole + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretBackendRole{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretBackendRole") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretBackendRoleList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretBackendRoleList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretBackendRole{}, o.EventHandler). + Watches(&v1alpha1.SecretBackendRole{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/cert/authbackendrole/zz_controller.go b/internal/controller/cert/authbackendrole/zz_controller.go index 057383de..90363f9f 100755 --- a/internal/controller/cert/authbackendrole/zz_controller.go +++ b/internal/controller/cert/authbackendrole/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/cert/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.AuthBackendRole_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_cert_auth_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_cert_auth_backend_role"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.AuthBackendRole_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.AuthBackendRole + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.AuthBackendRole{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.AuthBackendRole") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuthBackendRoleList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuthBackendRoleList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.AuthBackendRole{}, o.EventHandler). + Watches(&v1alpha1.AuthBackendRole{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/consul/secretbackend/zz_controller.go b/internal/controller/consul/secretbackend/zz_controller.go index 718a6217..13019d76 100755 --- a/internal/controller/consul/secretbackend/zz_controller.go +++ b/internal/controller/consul/secretbackend/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/consul/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretBackend_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_consul_secret_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_consul_secret_backend"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretBackend_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretBackend + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretBackend{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretBackend") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretBackendList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretBackendList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretBackend{}, o.EventHandler). + Watches(&v1alpha1.SecretBackend{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/consul/secretbackendrole/zz_controller.go b/internal/controller/consul/secretbackendrole/zz_controller.go index 57a254bc..ab1ec599 100755 --- a/internal/controller/consul/secretbackendrole/zz_controller.go +++ b/internal/controller/consul/secretbackendrole/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/consul/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretBackendRole_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_consul_secret_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_consul_secret_backend_role"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretBackendRole_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, 
xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretBackendRole + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretBackendRole{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretBackendRole") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretBackendRoleList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretBackendRoleList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretBackendRole{}, o.EventHandler). + Watches(&v1alpha1.SecretBackendRole{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/database/secretbackendconnection/zz_controller.go b/internal/controller/database/secretbackendconnection/zz_controller.go index ecab5898..c0dd7eb2 100755 --- a/internal/controller/database/secretbackendconnection/zz_controller.go +++ b/internal/controller/database/secretbackendconnection/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/database/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendConnection_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretBackendConnection_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendConnection_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_database_secret_backend_connection"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_database_secret_backend_connection"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretBackendConnection_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - 
managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretBackendConnection + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretBackendConnection{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretBackendConnection") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretBackendConnectionList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretBackendConnectionList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendConnection_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretBackendConnection{}, o.EventHandler). 
+ Watches(&v1alpha1.SecretBackendConnection{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/database/secretbackendrole/zz_controller.go b/internal/controller/database/secretbackendrole/zz_controller.go index 744461d6..a1a41f0e 100755 --- a/internal/controller/database/secretbackendrole/zz_controller.go +++ b/internal/controller/database/secretbackendrole/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/database/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretBackendRole_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_database_secret_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_database_secret_backend_role"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretBackendRole_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, 
xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretBackendRole + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretBackendRole{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretBackendRole") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretBackendRoleList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretBackendRoleList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretBackendRole{}, o.EventHandler). + Watches(&v1alpha1.SecretBackendRole{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/database/secretbackendstaticrole/zz_controller.go b/internal/controller/database/secretbackendstaticrole/zz_controller.go index e2abc471..dd88f95f 100755 --- a/internal/controller/database/secretbackendstaticrole/zz_controller.go +++ b/internal/controller/database/secretbackendstaticrole/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/database/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendStaticRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretBackendStaticRole_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendStaticRole_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_database_secret_backend_static_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_database_secret_backend_static_role"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretBackendStaticRole_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - 
managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretBackendStaticRole + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretBackendStaticRole{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretBackendStaticRole") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretBackendStaticRoleList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretBackendStaticRoleList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendStaticRole_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretBackendStaticRole{}, o.EventHandler). 
+ Watches(&v1alpha1.SecretBackendStaticRole{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/database/secretsmount/zz_controller.go b/internal/controller/database/secretsmount/zz_controller.go index 7d130d91..eb2092c5 100755 --- a/internal/controller/database/secretsmount/zz_controller.go +++ b/internal/controller/database/secretsmount/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/database/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretsMount_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretsMount_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretsMount_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_database_secrets_mount"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_database_secrets_mount"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretsMount_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretsMount + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretsMount{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretsMount") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretsMountList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretsMountList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretsMount_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretsMount{}, o.EventHandler). + Watches(&v1alpha1.SecretsMount{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/egp/policy/zz_controller.go b/internal/controller/egp/policy/zz_controller.go index e8443e45..0c73cdcd 100755 --- a/internal/controller/egp/policy/zz_controller.go +++ b/internal/controller/egp/policy/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/egp/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Policy_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.Policy_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Policy_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_egp_policy"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_egp_policy"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.Policy_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.Policy + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.Policy{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.Policy") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.PolicyList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.PolicyList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.Policy_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.Policy{}, o.EventHandler). + Watches(&v1alpha1.Policy{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/gcp/authbackend/zz_controller.go b/internal/controller/gcp/authbackend/zz_controller.go index 118ee3f4..f277b955 100755 
--- a/internal/controller/gcp/authbackend/zz_controller.go +++ b/internal/controller/gcp/authbackend/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/gcp/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.AuthBackend_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackend_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_gcp_auth_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_gcp_auth_backend"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.AuthBackend_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.AuthBackend + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.AuthBackend{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.AuthBackend") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuthBackendList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuthBackendList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.AuthBackend_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.AuthBackend{}, o.EventHandler). + Watches(&v1alpha1.AuthBackend{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/gcp/authbackendrole/zz_controller.go b/internal/controller/gcp/authbackendrole/zz_controller.go index 9d4de1ea..3b05d431 100755 --- a/internal/controller/gcp/authbackendrole/zz_controller.go +++ b/internal/controller/gcp/authbackendrole/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/gcp/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.AuthBackendRole_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_gcp_auth_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_gcp_auth_backend_role"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.AuthBackendRole_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.AuthBackendRole + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.AuthBackendRole{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.AuthBackendRole") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuthBackendRoleList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuthBackendRoleList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.AuthBackendRole{}, o.EventHandler). + Watches(&v1alpha1.AuthBackendRole{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/gcp/secretbackend/zz_controller.go b/internal/controller/gcp/secretbackend/zz_controller.go index 2f1f3b27..8249f363 100755 --- a/internal/controller/gcp/secretbackend/zz_controller.go +++ b/internal/controller/gcp/secretbackend/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/gcp/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretBackend_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_gcp_secret_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_gcp_secret_backend"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretBackend_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretBackend + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretBackend{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretBackend") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretBackendList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretBackendList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretBackend{}, o.EventHandler). + Watches(&v1alpha1.SecretBackend{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/gcp/secretimpersonatedaccount/zz_controller.go b/internal/controller/gcp/secretimpersonatedaccount/zz_controller.go index aadaec53..6847ec3b 100755 --- a/internal/controller/gcp/secretimpersonatedaccount/zz_controller.go +++ b/internal/controller/gcp/secretimpersonatedaccount/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/gcp/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretImpersonatedAccount_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretImpersonatedAccount_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretImpersonatedAccount_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_gcp_secret_impersonated_account"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_gcp_secret_impersonated_account"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretImpersonatedAccount_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - 
managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretImpersonatedAccount + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretImpersonatedAccount{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretImpersonatedAccount") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretImpersonatedAccountList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretImpersonatedAccountList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretImpersonatedAccount_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretImpersonatedAccount{}, o.EventHandler). 
+ Watches(&v1alpha1.SecretImpersonatedAccount{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/gcp/secretroleset/zz_controller.go b/internal/controller/gcp/secretroleset/zz_controller.go index 156bb765..db08ef38 100755 --- a/internal/controller/gcp/secretroleset/zz_controller.go +++ b/internal/controller/gcp/secretroleset/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/gcp/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretRoleset_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretRoleset_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretRoleset_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_gcp_secret_roleset"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_gcp_secret_roleset"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretRoleset_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretRoleset + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretRoleset{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretRoleset") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretRolesetList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretRolesetList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretRoleset_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretRoleset{}, o.EventHandler). + Watches(&v1alpha1.SecretRoleset{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/gcp/secretstaticaccount/zz_controller.go b/internal/controller/gcp/secretstaticaccount/zz_controller.go index 6285b2bd..603bab1d 100755 --- a/internal/controller/gcp/secretstaticaccount/zz_controller.go +++ b/internal/controller/gcp/secretstaticaccount/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/gcp/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretStaticAccount_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretStaticAccount_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretStaticAccount_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_gcp_secret_static_account"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_gcp_secret_static_account"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretStaticAccount_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, 
xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretStaticAccount + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretStaticAccount{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretStaticAccount") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretStaticAccountList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretStaticAccountList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretStaticAccount_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretStaticAccount{}, o.EventHandler). + Watches(&v1alpha1.SecretStaticAccount{}, eventHandler). 
Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/generic/endpoint/zz_controller.go b/internal/controller/generic/endpoint/zz_controller.go index 21f6cf06..d4ccdb04 100755 --- a/internal/controller/generic/endpoint/zz_controller.go +++ b/internal/controller/generic/endpoint/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/generic/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Endpoint_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.Endpoint_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Endpoint_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_generic_endpoint"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_generic_endpoint"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.Endpoint_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.Endpoint + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.Endpoint{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.Endpoint") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.EndpointList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.EndpointList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.Endpoint_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.Endpoint{}, o.EventHandler). + Watches(&v1alpha1.Endpoint{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/generic/secret/zz_controller.go b/internal/controller/generic/secret/zz_controller.go index 003bb54b..e843bbc0 100755 --- a/internal/controller/generic/secret/zz_controller.go +++ b/internal/controller/generic/secret/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/generic/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Secret_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.Secret_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Secret_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_generic_secret"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_generic_secret"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.Secret_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.Secret + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.Secret{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.Secret") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.Secret_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.Secret{}, o.EventHandler). + Watches(&v1alpha1.Secret{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/github/authbackend/zz_controller.go b/internal/controller/github/authbackend/zz_controller.go index 74e9e104..4bf59ba8 100755 
--- a/internal/controller/github/authbackend/zz_controller.go +++ b/internal/controller/github/authbackend/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/github/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.AuthBackend_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackend_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_github_auth_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_github_auth_backend"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.AuthBackend_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.AuthBackend + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.AuthBackend{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.AuthBackend") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuthBackendList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuthBackendList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.AuthBackend_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.AuthBackend{}, o.EventHandler). + Watches(&v1alpha1.AuthBackend{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/github/team/zz_controller.go b/internal/controller/github/team/zz_controller.go index e2dbf91d..7f68f1f6 100755 --- a/internal/controller/github/team/zz_controller.go +++ b/internal/controller/github/team/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/github/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Team_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.Team_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Team_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_github_team"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_github_team"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.Team_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.Team + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.Team{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.Team") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.TeamList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.TeamList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.Team_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.Team{}, o.EventHandler). + Watches(&v1alpha1.Team{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/github/user/zz_controller.go b/internal/controller/github/user/zz_controller.go index fa0c0cb5..0bfa17be 100755 
--- a/internal/controller/github/user/zz_controller.go +++ b/internal/controller/github/user/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/github/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.User_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.User_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.User_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_github_user"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_github_user"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.User_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.User + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.User{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.User") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.UserList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.UserList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.User_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.User{}, o.EventHandler). + Watches(&v1alpha1.User{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/identity/entity/zz_controller.go b/internal/controller/identity/entity/zz_controller.go index b83f39ba..ce9b991e 100755 
--- a/internal/controller/identity/entity/zz_controller.go +++ b/internal/controller/identity/entity/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/identity/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Entity_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.Entity_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Entity_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_entity"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_identity_entity"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.Entity_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.Entity + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.Entity{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.Entity") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.EntityList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.EntityList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.Entity_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.Entity{}, o.EventHandler). + Watches(&v1alpha1.Entity{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/identity/entityalias/zz_controller.go b/internal/controller/identity/entityalias/zz_controller.go index c27c8c47..43caa945 100755 
--- a/internal/controller/identity/entityalias/zz_controller.go +++ b/internal/controller/identity/entityalias/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/identity/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.EntityAlias_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.EntityAlias_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.EntityAlias_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_entity_alias"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_identity_entity_alias"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.EntityAlias_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), 
+ managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.EntityAlias + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.EntityAlias{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.EntityAlias") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.EntityAliasList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.EntityAliasList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.EntityAlias_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.EntityAlias{}, o.EventHandler). + Watches(&v1alpha1.EntityAlias{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/identity/entitypolicies/zz_controller.go b/internal/controller/identity/entitypolicies/zz_controller.go index 405916f7..47104a56 100755 --- a/internal/controller/identity/entitypolicies/zz_controller.go +++ b/internal/controller/identity/entitypolicies/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/identity/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.EntityPolicies_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.EntityPolicies_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.EntityPolicies_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_entity_policies"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_identity_entity_policies"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.EntityPolicies_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.EntityPolicies + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.EntityPolicies{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.EntityPolicies") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.EntityPoliciesList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.EntityPoliciesList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.EntityPolicies_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.EntityPolicies{}, o.EventHandler). + Watches(&v1alpha1.EntityPolicies{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/identity/group/zz_controller.go b/internal/controller/identity/group/zz_controller.go index 3a5d247a..ce101787 100755 --- a/internal/controller/identity/group/zz_controller.go +++ b/internal/controller/identity/group/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/identity/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Group_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.Group_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Group_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_group"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_identity_group"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.Group_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.Group + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.Group{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.Group") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.GroupList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.GroupList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.Group_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.Group{}, o.EventHandler). + Watches(&v1alpha1.Group{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/identity/groupalias/zz_controller.go b/internal/controller/identity/groupalias/zz_controller.go index 800c1f6f..6cac9e76 100755 
--- a/internal/controller/identity/groupalias/zz_controller.go +++ b/internal/controller/identity/groupalias/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/identity/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.GroupAlias_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.GroupAlias_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.GroupAlias_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_group_alias"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_identity_group_alias"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.GroupAlias_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.GroupAlias + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.GroupAlias{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.GroupAlias") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.GroupAliasList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.GroupAliasList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.GroupAlias_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.GroupAlias{}, o.EventHandler). + Watches(&v1alpha1.GroupAlias{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/identity/groupmemberentityids/zz_controller.go b/internal/controller/identity/groupmemberentityids/zz_controller.go index 73636922..bd10a366 100755 --- a/internal/controller/identity/groupmemberentityids/zz_controller.go +++ b/internal/controller/identity/groupmemberentityids/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/identity/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.GroupMemberEntityIds_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.GroupMemberEntityIds_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.GroupMemberEntityIds_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_group_member_entity_ids"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_identity_group_member_entity_ids"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.GroupMemberEntityIds_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, 
xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.GroupMemberEntityIds + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.GroupMemberEntityIds{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.GroupMemberEntityIds") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.GroupMemberEntityIdsList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.GroupMemberEntityIdsList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.GroupMemberEntityIds_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.GroupMemberEntityIds{}, o.EventHandler). + Watches(&v1alpha1.GroupMemberEntityIds{}, eventHandler). 
Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/identity/groupmembergroupids/zz_controller.go b/internal/controller/identity/groupmembergroupids/zz_controller.go index 9bb5ae40..79c2d9d6 100755 --- a/internal/controller/identity/groupmembergroupids/zz_controller.go +++ b/internal/controller/identity/groupmembergroupids/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/identity/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.GroupMemberGroupIds_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.GroupMemberGroupIds_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.GroupMemberGroupIds_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_group_member_group_ids"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_identity_group_member_group_ids"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.GroupMemberGroupIds_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, 
xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.GroupMemberGroupIds + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.GroupMemberGroupIds{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.GroupMemberGroupIds") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.GroupMemberGroupIdsList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.GroupMemberGroupIdsList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.GroupMemberGroupIds_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.GroupMemberGroupIds{}, o.EventHandler). + Watches(&v1alpha1.GroupMemberGroupIds{}, eventHandler). 
Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/identity/grouppolicies/zz_controller.go b/internal/controller/identity/grouppolicies/zz_controller.go index 686fc100..0928dafc 100755 --- a/internal/controller/identity/grouppolicies/zz_controller.go +++ b/internal/controller/identity/grouppolicies/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/identity/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.GroupPolicies_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.GroupPolicies_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.GroupPolicies_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_group_policies"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_identity_group_policies"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.GroupPolicies_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.GroupPolicies + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.GroupPolicies{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.GroupPolicies") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.GroupPoliciesList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.GroupPoliciesList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.GroupPolicies_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.GroupPolicies{}, o.EventHandler). + Watches(&v1alpha1.GroupPolicies{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/identity/mfaduo/zz_controller.go b/internal/controller/identity/mfaduo/zz_controller.go index eae9b6f2..21cec9cd 100755 --- a/internal/controller/identity/mfaduo/zz_controller.go +++ b/internal/controller/identity/mfaduo/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/identity/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.MfaDuo_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.MfaDuo_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.MfaDuo_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_mfa_duo"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_identity_mfa_duo"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.MfaDuo_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.MfaDuo + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.MfaDuo{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.MfaDuo") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.MfaDuoList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.MfaDuoList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.MfaDuo_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.MfaDuo{}, o.EventHandler). + Watches(&v1alpha1.MfaDuo{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/identity/mfaloginenforcement/zz_controller.go b/internal/controller/identity/mfaloginenforcement/zz_controller.go index e394efd1..c5e9e447 100755 --- a/internal/controller/identity/mfaloginenforcement/zz_controller.go +++ b/internal/controller/identity/mfaloginenforcement/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/identity/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.MfaLoginEnforcement_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.MfaLoginEnforcement_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.MfaLoginEnforcement_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_mfa_login_enforcement"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_identity_mfa_login_enforcement"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.MfaLoginEnforcement_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, 
xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.MfaLoginEnforcement + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.MfaLoginEnforcement{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.MfaLoginEnforcement") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.MfaLoginEnforcementList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.MfaLoginEnforcementList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.MfaLoginEnforcement_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.MfaLoginEnforcement{}, o.EventHandler). + Watches(&v1alpha1.MfaLoginEnforcement{}, eventHandler). 
Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/identity/mfaokta/zz_controller.go b/internal/controller/identity/mfaokta/zz_controller.go index c2c93eb9..baffeef8 100755 --- a/internal/controller/identity/mfaokta/zz_controller.go +++ b/internal/controller/identity/mfaokta/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/identity/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.MfaOkta_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.MfaOkta_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.MfaOkta_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_mfa_okta"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_identity_mfa_okta"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.MfaOkta_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.MfaOkta + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.MfaOkta{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.MfaOkta") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.MfaOktaList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.MfaOktaList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.MfaOkta_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.MfaOkta{}, o.EventHandler). + Watches(&v1alpha1.MfaOkta{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/identity/mfapingid/zz_controller.go b/internal/controller/identity/mfapingid/zz_controller.go index 15f4e625..80f238ed 100755 --- a/internal/controller/identity/mfapingid/zz_controller.go +++ b/internal/controller/identity/mfapingid/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/identity/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.MfaPingid_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.MfaPingid_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.MfaPingid_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_mfa_pingid"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_identity_mfa_pingid"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.MfaPingid_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.MfaPingid + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.MfaPingid{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.MfaPingid") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.MfaPingidList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.MfaPingidList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.MfaPingid_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.MfaPingid{}, o.EventHandler). + Watches(&v1alpha1.MfaPingid{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/identity/mfatotp/zz_controller.go b/internal/controller/identity/mfatotp/zz_controller.go index 1927ed59..13a2f824 100755 --- a/internal/controller/identity/mfatotp/zz_controller.go +++ b/internal/controller/identity/mfatotp/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/identity/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.MfaTotp_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.MfaTotp_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.MfaTotp_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_mfa_totp"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_identity_mfa_totp"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.MfaTotp_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.MfaTotp + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.MfaTotp{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.MfaTotp") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.MfaTotpList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.MfaTotpList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.MfaTotp_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.MfaTotp{}, o.EventHandler). + Watches(&v1alpha1.MfaTotp{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/identity/oidc/zz_controller.go b/internal/controller/identity/oidc/zz_controller.go index 1a0241bc..b4b2d240 100755 
--- a/internal/controller/identity/oidc/zz_controller.go +++ b/internal/controller/identity/oidc/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/identity/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Oidc_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.Oidc_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Oidc_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_oidc"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_identity_oidc"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.Oidc_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.Oidc + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.Oidc{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.Oidc") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.OidcList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.OidcList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.Oidc_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.Oidc{}, o.EventHandler). + Watches(&v1alpha1.Oidc{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/identity/oidcassignment/zz_controller.go b/internal/controller/identity/oidcassignment/zz_controller.go index d4fa1fe7..9a3d1ad0 100755 
--- a/internal/controller/identity/oidcassignment/zz_controller.go +++ b/internal/controller/identity/oidcassignment/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/identity/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.OidcAssignment_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.OidcAssignment_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.OidcAssignment_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_oidc_assignment"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_identity_oidc_assignment"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.OidcAssignment_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.OidcAssignment + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.OidcAssignment{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.OidcAssignment") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.OidcAssignmentList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.OidcAssignmentList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.OidcAssignment_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.OidcAssignment{}, o.EventHandler). + Watches(&v1alpha1.OidcAssignment{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/identity/oidcclient/zz_controller.go b/internal/controller/identity/oidcclient/zz_controller.go index b79b1598..39c2041d 100755 --- a/internal/controller/identity/oidcclient/zz_controller.go +++ b/internal/controller/identity/oidcclient/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/identity/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.OidcClient_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.OidcClient_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.OidcClient_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_oidc_client"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_identity_oidc_client"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.OidcClient_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.OidcClient + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.OidcClient{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.OidcClient") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.OidcClientList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.OidcClientList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.OidcClient_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.OidcClient{}, o.EventHandler). + Watches(&v1alpha1.OidcClient{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/identity/oidckey/zz_controller.go b/internal/controller/identity/oidckey/zz_controller.go index 3a8a961e..6798b9ba 100755 --- a/internal/controller/identity/oidckey/zz_controller.go +++ b/internal/controller/identity/oidckey/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/identity/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.OidcKey_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.OidcKey_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.OidcKey_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_oidc_key"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_identity_oidc_key"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.OidcKey_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.OidcKey + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.OidcKey{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.OidcKey") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.OidcKeyList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.OidcKeyList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.OidcKey_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.OidcKey{}, o.EventHandler). + Watches(&v1alpha1.OidcKey{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/identity/oidckeyallowedclientid/zz_controller.go b/internal/controller/identity/oidckeyallowedclientid/zz_controller.go index 6846c48a..b0e7e6cd 100755 --- a/internal/controller/identity/oidckeyallowedclientid/zz_controller.go +++ b/internal/controller/identity/oidckeyallowedclientid/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/identity/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.OidcKeyAllowedClientID_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.OidcKeyAllowedClientID_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.OidcKeyAllowedClientID_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_oidc_key_allowed_client_id"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_identity_oidc_key_allowed_client_id"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.OidcKeyAllowedClientID_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - 
managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.OidcKeyAllowedClientID + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.OidcKeyAllowedClientID{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.OidcKeyAllowedClientID") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.OidcKeyAllowedClientIDList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.OidcKeyAllowedClientIDList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.OidcKeyAllowedClientID_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.OidcKeyAllowedClientID{}, o.EventHandler). 
+ Watches(&v1alpha1.OidcKeyAllowedClientID{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/identity/oidcprovider/zz_controller.go b/internal/controller/identity/oidcprovider/zz_controller.go index fe69bf7b..01bc0d02 100755 --- a/internal/controller/identity/oidcprovider/zz_controller.go +++ b/internal/controller/identity/oidcprovider/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/identity/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.OidcProvider_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.OidcProvider_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.OidcProvider_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_oidc_provider"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_identity_oidc_provider"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.OidcProvider_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.OidcProvider + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.OidcProvider{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.OidcProvider") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.OidcProviderList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.OidcProviderList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.OidcProvider_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.OidcProvider{}, o.EventHandler). + Watches(&v1alpha1.OidcProvider{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/identity/oidcrole/zz_controller.go b/internal/controller/identity/oidcrole/zz_controller.go index 9205917f..4f142222 100755 --- a/internal/controller/identity/oidcrole/zz_controller.go +++ b/internal/controller/identity/oidcrole/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/identity/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.OidcRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.OidcRole_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.OidcRole_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_oidc_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_identity_oidc_role"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.OidcRole_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.OidcRole + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.OidcRole{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.OidcRole") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.OidcRoleList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.OidcRoleList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.OidcRole_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.OidcRole{}, o.EventHandler). + Watches(&v1alpha1.OidcRole{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/identity/oidcscope/zz_controller.go b/internal/controller/identity/oidcscope/zz_controller.go index a73abf33..0585e884 100755 --- a/internal/controller/identity/oidcscope/zz_controller.go +++ b/internal/controller/identity/oidcscope/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/identity/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.OidcScope_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.OidcScope_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.OidcScope_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_identity_oidc_scope"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_identity_oidc_scope"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.OidcScope_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.OidcScope + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.OidcScope{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.OidcScope") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.OidcScopeList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.OidcScopeList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.OidcScope_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.OidcScope{}, o.EventHandler). + Watches(&v1alpha1.OidcScope{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/jwt/authbackend/zz_controller.go b/internal/controller/jwt/authbackend/zz_controller.go index 7aa9177c..96422c1b 100755 --- a/internal/controller/jwt/authbackend/zz_controller.go +++ b/internal/controller/jwt/authbackend/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/jwt/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.AuthBackend_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackend_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_jwt_auth_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_jwt_auth_backend"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.AuthBackend_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.AuthBackend + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.AuthBackend{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.AuthBackend") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuthBackendList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuthBackendList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.AuthBackend_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.AuthBackend{}, o.EventHandler). + Watches(&v1alpha1.AuthBackend{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/jwt/authbackendrole/zz_controller.go b/internal/controller/jwt/authbackendrole/zz_controller.go index 1023f5e8..931b81cb 100755 --- a/internal/controller/jwt/authbackendrole/zz_controller.go +++ b/internal/controller/jwt/authbackendrole/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/jwt/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.AuthBackendRole_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_jwt_auth_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_jwt_auth_backend_role"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.AuthBackendRole_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.AuthBackendRole + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.AuthBackendRole{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.AuthBackendRole") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuthBackendRoleList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuthBackendRoleList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.AuthBackendRole{}, o.EventHandler). + Watches(&v1alpha1.AuthBackendRole{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/kmip/secretbackend/zz_controller.go b/internal/controller/kmip/secretbackend/zz_controller.go index 9532e7e8..917066eb 100755 --- a/internal/controller/kmip/secretbackend/zz_controller.go +++ b/internal/controller/kmip/secretbackend/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/kmip/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretBackend_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_kmip_secret_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_kmip_secret_backend"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretBackend_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretBackend + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretBackend{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretBackend") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretBackendList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretBackendList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretBackend{}, o.EventHandler). + Watches(&v1alpha1.SecretBackend{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/kmip/secretrole/zz_controller.go b/internal/controller/kmip/secretrole/zz_controller.go index 59aac7ff..d376d874 100755 --- a/internal/controller/kmip/secretrole/zz_controller.go +++ b/internal/controller/kmip/secretrole/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/kmip/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretRole_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretRole_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_kmip_secret_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_kmip_secret_role"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretRole_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretRole + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretRole{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretRole") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretRoleList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretRoleList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretRole_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretRole{}, o.EventHandler). + Watches(&v1alpha1.SecretRole{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/kmip/secretscope/zz_controller.go b/internal/controller/kmip/secretscope/zz_controller.go index 761af289..a015a069 100755 --- a/internal/controller/kmip/secretscope/zz_controller.go +++ b/internal/controller/kmip/secretscope/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/kmip/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretScope_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretScope_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretScope_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_kmip_secret_scope"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_kmip_secret_scope"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretScope_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretScope + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretScope{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretScope") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretScopeList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretScopeList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretScope_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretScope{}, o.EventHandler). + Watches(&v1alpha1.SecretScope{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/kubernetes/authbackendconfig/zz_controller.go b/internal/controller/kubernetes/authbackendconfig/zz_controller.go index bb32da51..16ed32bf 100755 --- a/internal/controller/kubernetes/authbackendconfig/zz_controller.go +++ b/internal/controller/kubernetes/authbackendconfig/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/kubernetes/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendConfig_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.AuthBackendConfig_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendConfig_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_kubernetes_auth_backend_config"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_kubernetes_auth_backend_config"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.AuthBackendConfig_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, 
xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.AuthBackendConfig + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.AuthBackendConfig{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.AuthBackendConfig") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuthBackendConfigList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuthBackendConfigList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendConfig_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.AuthBackendConfig{}, o.EventHandler). + Watches(&v1alpha1.AuthBackendConfig{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/kubernetes/authbackendrole/zz_controller.go b/internal/controller/kubernetes/authbackendrole/zz_controller.go index 00cf3b1c..47852bc5 100755 --- a/internal/controller/kubernetes/authbackendrole/zz_controller.go +++ b/internal/controller/kubernetes/authbackendrole/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/kubernetes/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.AuthBackendRole_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_kubernetes_auth_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_kubernetes_auth_backend_role"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.AuthBackendRole_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, 
xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.AuthBackendRole + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.AuthBackendRole{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.AuthBackendRole") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuthBackendRoleList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuthBackendRoleList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.AuthBackendRole{}, o.EventHandler). + Watches(&v1alpha1.AuthBackendRole{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/kubernetes/secretbackend/zz_controller.go b/internal/controller/kubernetes/secretbackend/zz_controller.go index f4aa0228..e732e122 100755 --- a/internal/controller/kubernetes/secretbackend/zz_controller.go +++ b/internal/controller/kubernetes/secretbackend/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/kubernetes/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretBackend_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_kubernetes_secret_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_kubernetes_secret_backend"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretBackend_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretBackend + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretBackend{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretBackend") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretBackendList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretBackendList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretBackend{}, o.EventHandler). + Watches(&v1alpha1.SecretBackend{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/kubernetes/secretbackendrole/zz_controller.go b/internal/controller/kubernetes/secretbackendrole/zz_controller.go index dfe76f54..740ec06d 100755 --- a/internal/controller/kubernetes/secretbackendrole/zz_controller.go +++ b/internal/controller/kubernetes/secretbackendrole/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/kubernetes/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretBackendRole_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_kubernetes_secret_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_kubernetes_secret_backend_role"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretBackendRole_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, 
xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretBackendRole + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretBackendRole{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretBackendRole") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretBackendRoleList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretBackendRoleList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretBackendRole{}, o.EventHandler). + Watches(&v1alpha1.SecretBackendRole{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/kv/secret/zz_controller.go b/internal/controller/kv/secret/zz_controller.go index f498949b..b7766064 100755 --- a/internal/controller/kv/secret/zz_controller.go +++ b/internal/controller/kv/secret/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/kv/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Secret_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.Secret_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Secret_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_kv_secret"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_kv_secret"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.Secret_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.Secret + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.Secret{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.Secret") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.Secret_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.Secret{}, o.EventHandler). + Watches(&v1alpha1.Secret{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/kv/secretbackendv2/zz_controller.go b/internal/controller/kv/secretbackendv2/zz_controller.go index bb9b7a9c..546f38ea 100755 
--- a/internal/controller/kv/secretbackendv2/zz_controller.go +++ b/internal/controller/kv/secretbackendv2/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/kv/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendV2_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretBackendV2_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendV2_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_kv_secret_backend_v2"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_kv_secret_backend_v2"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretBackendV2_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretBackendV2 + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretBackendV2{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretBackendV2") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretBackendV2List{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretBackendV2List") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendV2_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretBackendV2{}, o.EventHandler). + Watches(&v1alpha1.SecretBackendV2{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/kv/secretv2/zz_controller.go b/internal/controller/kv/secretv2/zz_controller.go index b029d33a..020bd0dd 100755 --- a/internal/controller/kv/secretv2/zz_controller.go +++ b/internal/controller/kv/secretv2/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/kv/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretV2_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretV2_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretV2_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_kv_secret_v2"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_kv_secret_v2"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretV2_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretV2 + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretV2{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretV2") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretV2List{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretV2List") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretV2_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretV2{}, o.EventHandler). + Watches(&v1alpha1.SecretV2{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/ldap/authbackend/zz_controller.go b/internal/controller/ldap/authbackend/zz_controller.go index b62d912f..e3067c35 100755 --- a/internal/controller/ldap/authbackend/zz_controller.go +++ b/internal/controller/ldap/authbackend/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/ldap/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.AuthBackend_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackend_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_ldap_auth_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_ldap_auth_backend"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.AuthBackend_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.AuthBackend + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.AuthBackend{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.AuthBackend") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuthBackendList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuthBackendList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.AuthBackend_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.AuthBackend{}, o.EventHandler). + Watches(&v1alpha1.AuthBackend{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/ldap/authbackendgroup/zz_controller.go b/internal/controller/ldap/authbackendgroup/zz_controller.go index 3a51258f..619828cf 100755 --- a/internal/controller/ldap/authbackendgroup/zz_controller.go +++ b/internal/controller/ldap/authbackendgroup/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/ldap/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendGroup_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.AuthBackendGroup_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendGroup_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_ldap_auth_backend_group"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_ldap_auth_backend_group"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.AuthBackendGroup_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.AuthBackendGroup + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.AuthBackendGroup{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.AuthBackendGroup") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuthBackendGroupList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuthBackendGroupList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendGroup_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.AuthBackendGroup{}, o.EventHandler). + Watches(&v1alpha1.AuthBackendGroup{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/ldap/authbackenduser/zz_controller.go b/internal/controller/ldap/authbackenduser/zz_controller.go index d699c174..6a325ebd 100755 --- a/internal/controller/ldap/authbackenduser/zz_controller.go +++ b/internal/controller/ldap/authbackenduser/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/ldap/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendUser_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.AuthBackendUser_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendUser_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_ldap_auth_backend_user"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_ldap_auth_backend_user"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.AuthBackendUser_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.AuthBackendUser + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.AuthBackendUser{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.AuthBackendUser") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuthBackendUserList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuthBackendUserList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendUser_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.AuthBackendUser{}, o.EventHandler). + Watches(&v1alpha1.AuthBackendUser{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/managed/keys/zz_controller.go b/internal/controller/managed/keys/zz_controller.go index e7ea8728..3fc38c4b 100755 --- a/internal/controller/managed/keys/zz_controller.go +++ b/internal/controller/managed/keys/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/managed/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Keys_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.Keys_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Keys_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_managed_keys"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_managed_keys"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.Keys_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.Keys + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.Keys{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.Keys") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.KeysList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.KeysList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.Keys_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.Keys{}, o.EventHandler). + Watches(&v1alpha1.Keys{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/mfa/duo/zz_controller.go b/internal/controller/mfa/duo/zz_controller.go index d4c340cd..3201f40e 100755 
--- a/internal/controller/mfa/duo/zz_controller.go +++ b/internal/controller/mfa/duo/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/mfa/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Duo_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.Duo_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Duo_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_mfa_duo"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_mfa_duo"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.Duo_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.Duo + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.Duo{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.Duo") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.DuoList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.DuoList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.Duo_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.Duo{}, o.EventHandler). + Watches(&v1alpha1.Duo{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/mfa/okta/zz_controller.go b/internal/controller/mfa/okta/zz_controller.go index 08f89674..490cbe8b 100755 
--- a/internal/controller/mfa/okta/zz_controller.go +++ b/internal/controller/mfa/okta/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/mfa/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Okta_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.Okta_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Okta_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_mfa_okta"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_mfa_okta"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.Okta_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.Okta + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.Okta{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.Okta") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.OktaList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.OktaList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.Okta_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.Okta{}, o.EventHandler). + Watches(&v1alpha1.Okta{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/mfa/pingid/zz_controller.go b/internal/controller/mfa/pingid/zz_controller.go index a1560913..b49665db 100755 
--- a/internal/controller/mfa/pingid/zz_controller.go +++ b/internal/controller/mfa/pingid/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/mfa/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Pingid_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.Pingid_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Pingid_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_mfa_pingid"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_mfa_pingid"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.Pingid_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.Pingid + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.Pingid{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.Pingid") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.PingidList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.PingidList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.Pingid_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.Pingid{}, o.EventHandler). + Watches(&v1alpha1.Pingid{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/mfa/totp/zz_controller.go b/internal/controller/mfa/totp/zz_controller.go index 30a0c18c..9b59874e 100755 
--- a/internal/controller/mfa/totp/zz_controller.go +++ b/internal/controller/mfa/totp/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/mfa/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Totp_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.Totp_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Totp_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_mfa_totp"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_mfa_totp"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.Totp_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.Totp + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.Totp{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.Totp") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.TotpList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.TotpList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.Totp_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.Totp{}, o.EventHandler). + Watches(&v1alpha1.Totp{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/mongodbatlas/secretbackend/zz_controller.go b/internal/controller/mongodbatlas/secretbackend/zz_controller.go index 7a231bcb..6694be01 100755 
--- a/internal/controller/mongodbatlas/secretbackend/zz_controller.go +++ b/internal/controller/mongodbatlas/secretbackend/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/mongodbatlas/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretBackend_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_mongodbatlas_secret_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_mongodbatlas_secret_backend"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretBackend_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretBackend + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretBackend{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretBackend") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretBackendList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretBackendList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretBackend{}, o.EventHandler). + Watches(&v1alpha1.SecretBackend{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/mongodbatlas/secretrole/zz_controller.go b/internal/controller/mongodbatlas/secretrole/zz_controller.go index 7c0f2bc7..ae63218e 100755 --- a/internal/controller/mongodbatlas/secretrole/zz_controller.go +++ b/internal/controller/mongodbatlas/secretrole/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/mongodbatlas/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretRole_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretRole_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_mongodbatlas_secret_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_mongodbatlas_secret_role"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretRole_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretRole + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretRole{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretRole") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretRoleList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretRoleList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretRole_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretRole{}, o.EventHandler). + Watches(&v1alpha1.SecretRole{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/nomad/secretbackend/zz_controller.go b/internal/controller/nomad/secretbackend/zz_controller.go index d9852d3c..d0cb8912 100755 --- a/internal/controller/nomad/secretbackend/zz_controller.go +++ b/internal/controller/nomad/secretbackend/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/nomad/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretBackend_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_nomad_secret_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_nomad_secret_backend"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretBackend_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretBackend + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretBackend{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretBackend") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretBackendList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretBackendList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretBackend{}, o.EventHandler). + Watches(&v1alpha1.SecretBackend{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/nomad/secretrole/zz_controller.go b/internal/controller/nomad/secretrole/zz_controller.go index 85fd6890..7b857e2f 100755 --- a/internal/controller/nomad/secretrole/zz_controller.go +++ b/internal/controller/nomad/secretrole/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/nomad/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretRole_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretRole_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_nomad_secret_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_nomad_secret_role"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretRole_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretRole + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretRole{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretRole") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretRoleList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretRoleList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretRole_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretRole{}, o.EventHandler). + Watches(&v1alpha1.SecretRole{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/okta/authbackend/zz_controller.go b/internal/controller/okta/authbackend/zz_controller.go index 470e6272..ff80f04f 100755 --- a/internal/controller/okta/authbackend/zz_controller.go +++ b/internal/controller/okta/authbackend/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/okta/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.AuthBackend_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackend_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_okta_auth_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_okta_auth_backend"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.AuthBackend_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.AuthBackend + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.AuthBackend{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.AuthBackend") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuthBackendList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuthBackendList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.AuthBackend_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.AuthBackend{}, o.EventHandler). + Watches(&v1alpha1.AuthBackend{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/okta/authbackendgroup/zz_controller.go b/internal/controller/okta/authbackendgroup/zz_controller.go index 8476fa64..07d1dc12 100755 --- a/internal/controller/okta/authbackendgroup/zz_controller.go +++ b/internal/controller/okta/authbackendgroup/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/okta/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendGroup_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.AuthBackendGroup_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendGroup_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_okta_auth_backend_group"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_okta_auth_backend_group"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.AuthBackendGroup_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.AuthBackendGroup + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.AuthBackendGroup{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.AuthBackendGroup") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuthBackendGroupList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuthBackendGroupList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendGroup_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.AuthBackendGroup{}, o.EventHandler). + Watches(&v1alpha1.AuthBackendGroup{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/okta/authbackenduser/zz_controller.go b/internal/controller/okta/authbackenduser/zz_controller.go index c98a8a8b..5b9e340e 100755 --- a/internal/controller/okta/authbackenduser/zz_controller.go +++ b/internal/controller/okta/authbackenduser/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/okta/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendUser_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.AuthBackendUser_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendUser_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_okta_auth_backend_user"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_okta_auth_backend_user"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.AuthBackendUser_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.AuthBackendUser + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.AuthBackendUser{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.AuthBackendUser") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuthBackendUserList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuthBackendUserList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendUser_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.AuthBackendUser{}, o.EventHandler). + Watches(&v1alpha1.AuthBackendUser{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/password/policy/zz_controller.go b/internal/controller/password/policy/zz_controller.go index ebb275f4..a5aa7042 100755 --- a/internal/controller/password/policy/zz_controller.go +++ b/internal/controller/password/policy/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/password/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Policy_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.Policy_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Policy_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_password_policy"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_password_policy"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.Policy_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.Policy + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.Policy{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.Policy") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.PolicyList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.PolicyList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.Policy_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.Policy{}, o.EventHandler). + Watches(&v1alpha1.Policy{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/pki/secretbackendcert/zz_controller.go b/internal/controller/pki/secretbackendcert/zz_controller.go index 542f0c3b..07827627 100755 
--- a/internal/controller/pki/secretbackendcert/zz_controller.go +++ b/internal/controller/pki/secretbackendcert/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/pki/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendCert_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretBackendCert_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendCert_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_cert"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_cert"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretBackendCert_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, 
xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretBackendCert + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretBackendCert{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretBackendCert") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretBackendCertList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretBackendCertList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendCert_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretBackendCert{}, o.EventHandler). + Watches(&v1alpha1.SecretBackendCert{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/pki/secretbackendconfigca/zz_controller.go b/internal/controller/pki/secretbackendconfigca/zz_controller.go index 3c155b84..d3c4ee57 100755 --- a/internal/controller/pki/secretbackendconfigca/zz_controller.go +++ b/internal/controller/pki/secretbackendconfigca/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/pki/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendConfigCA_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretBackendConfigCA_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendConfigCA_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_config_ca"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_config_ca"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretBackendConfigCA_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, 
xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretBackendConfigCA + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretBackendConfigCA{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretBackendConfigCA") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretBackendConfigCAList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretBackendConfigCAList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendConfigCA_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretBackendConfigCA{}, o.EventHandler). + Watches(&v1alpha1.SecretBackendConfigCA{}, eventHandler). 
Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/pki/secretbackendconfigurls/zz_controller.go b/internal/controller/pki/secretbackendconfigurls/zz_controller.go index f6b3e515..7940b266 100755 --- a/internal/controller/pki/secretbackendconfigurls/zz_controller.go +++ b/internal/controller/pki/secretbackendconfigurls/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/pki/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendConfigUrls_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretBackendConfigUrls_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendConfigUrls_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_config_urls"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_config_urls"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretBackendConfigUrls_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, 
xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretBackendConfigUrls + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretBackendConfigUrls{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretBackendConfigUrls") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretBackendConfigUrlsList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretBackendConfigUrlsList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendConfigUrls_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretBackendConfigUrls{}, o.EventHandler). + Watches(&v1alpha1.SecretBackendConfigUrls{}, eventHandler). 
Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/pki/secretbackendcrlconfig/zz_controller.go b/internal/controller/pki/secretbackendcrlconfig/zz_controller.go index b18056dd..5159732c 100755 --- a/internal/controller/pki/secretbackendcrlconfig/zz_controller.go +++ b/internal/controller/pki/secretbackendcrlconfig/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/pki/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendCrlConfig_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretBackendCrlConfig_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendCrlConfig_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_crl_config"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_crl_config"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretBackendCrlConfig_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, 
xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretBackendCrlConfig + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretBackendCrlConfig{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretBackendCrlConfig") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretBackendCrlConfigList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretBackendCrlConfigList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendCrlConfig_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretBackendCrlConfig{}, o.EventHandler). + Watches(&v1alpha1.SecretBackendCrlConfig{}, eventHandler). 
Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/pki/secretbackendintermediatecertrequest/zz_controller.go b/internal/controller/pki/secretbackendintermediatecertrequest/zz_controller.go index 4e88160c..95feb39b 100755 --- a/internal/controller/pki/secretbackendintermediatecertrequest/zz_controller.go +++ b/internal/controller/pki/secretbackendintermediatecertrequest/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/pki/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendIntermediateCertRequest_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretBackendIntermediateCertRequest_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendIntermediateCertRequest_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_intermediate_cert_request"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_intermediate_cert_request"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretBackendIntermediateCertRequest_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), 
managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretBackendIntermediateCertRequest + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretBackendIntermediateCertRequest{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretBackendIntermediateCertRequest") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretBackendIntermediateCertRequestList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretBackendIntermediateCertRequestList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendIntermediateCertRequest_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). 
WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretBackendIntermediateCertRequest{}, o.EventHandler). + Watches(&v1alpha1.SecretBackendIntermediateCertRequest{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/pki/secretbackendintermediatesetsigned/zz_controller.go b/internal/controller/pki/secretbackendintermediatesetsigned/zz_controller.go index 0e612bfa..cb5f95a0 100755 --- a/internal/controller/pki/secretbackendintermediatesetsigned/zz_controller.go +++ b/internal/controller/pki/secretbackendintermediatesetsigned/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/pki/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendIntermediateSetSigned_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretBackendIntermediateSetSigned_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendIntermediateSetSigned_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_intermediate_set_signed"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_intermediate_set_signed"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretBackendIntermediateSetSigned_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - 
managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretBackendIntermediateSetSigned + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretBackendIntermediateSetSigned{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretBackendIntermediateSetSigned") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretBackendIntermediateSetSignedList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretBackendIntermediateSetSignedList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendIntermediateSetSigned_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). 
- Watches(&v1alpha1.SecretBackendIntermediateSetSigned{}, o.EventHandler). + Watches(&v1alpha1.SecretBackendIntermediateSetSigned{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/pki/secretbackendrole/zz_controller.go b/internal/controller/pki/secretbackendrole/zz_controller.go index d22c5ed6..be87f7b8 100755 --- a/internal/controller/pki/secretbackendrole/zz_controller.go +++ b/internal/controller/pki/secretbackendrole/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/pki/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretBackendRole_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_role"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretBackendRole_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, 
xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretBackendRole + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretBackendRole{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretBackendRole") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretBackendRoleList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretBackendRoleList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretBackendRole{}, o.EventHandler). + Watches(&v1alpha1.SecretBackendRole{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/pki/secretbackendrootcert/zz_controller.go b/internal/controller/pki/secretbackendrootcert/zz_controller.go index ffa28d83..9a44e614 100755 --- a/internal/controller/pki/secretbackendrootcert/zz_controller.go +++ b/internal/controller/pki/secretbackendrootcert/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/pki/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRootCert_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretBackendRootCert_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRootCert_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_root_cert"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_root_cert"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretBackendRootCert_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, 
xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretBackendRootCert + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretBackendRootCert{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretBackendRootCert") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretBackendRootCertList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretBackendRootCertList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRootCert_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretBackendRootCert{}, o.EventHandler). + Watches(&v1alpha1.SecretBackendRootCert{}, eventHandler). 
Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/pki/secretbackendrootsignintermediate/zz_controller.go b/internal/controller/pki/secretbackendrootsignintermediate/zz_controller.go index a87f0086..502472a1 100755 --- a/internal/controller/pki/secretbackendrootsignintermediate/zz_controller.go +++ b/internal/controller/pki/secretbackendrootsignintermediate/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/pki/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRootSignIntermediate_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretBackendRootSignIntermediate_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRootSignIntermediate_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_root_sign_intermediate"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_root_sign_intermediate"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretBackendRootSignIntermediate_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - 
managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretBackendRootSignIntermediate + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretBackendRootSignIntermediate{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretBackendRootSignIntermediate") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretBackendRootSignIntermediateList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretBackendRootSignIntermediateList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRootSignIntermediate_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). 
- Watches(&v1alpha1.SecretBackendRootSignIntermediate{}, o.EventHandler). + Watches(&v1alpha1.SecretBackendRootSignIntermediate{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/pki/secretbackendsign/zz_controller.go b/internal/controller/pki/secretbackendsign/zz_controller.go index 27ef28cb..4ca5351e 100755 --- a/internal/controller/pki/secretbackendsign/zz_controller.go +++ b/internal/controller/pki/secretbackendsign/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/pki/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendSign_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretBackendSign_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendSign_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_sign"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_pki_secret_backend_sign"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretBackendSign_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, 
xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretBackendSign + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretBackendSign{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretBackendSign") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretBackendSignList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretBackendSignList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendSign_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretBackendSign{}, o.EventHandler). + Watches(&v1alpha1.SecretBackendSign{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/providerconfig/config.go b/internal/controller/providerconfig/config.go index a6facfaa..7d0f7d14 100644 --- a/internal/controller/providerconfig/config.go +++ b/internal/controller/providerconfig/config.go @@ -10,7 +10,7 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/event" "github.com/crossplane/crossplane-runtime/pkg/reconciler/providerconfig" "github.com/crossplane/crossplane-runtime/pkg/resource" - "github.com/upbound/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller" "github.com/upbound/provider-vault/apis/v1beta1" ) diff --git a/internal/controller/quota/leasecount/zz_controller.go b/internal/controller/quota/leasecount/zz_controller.go index a0b55a6a..01a3fd99 100755 --- a/internal/controller/quota/leasecount/zz_controller.go +++ b/internal/controller/quota/leasecount/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/quota/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.LeaseCount_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.LeaseCount_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.LeaseCount_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_quota_lease_count"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_quota_lease_count"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.LeaseCount_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.LeaseCount + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.LeaseCount{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.LeaseCount") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.LeaseCountList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.LeaseCountList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.LeaseCount_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.LeaseCount{}, o.EventHandler). + Watches(&v1alpha1.LeaseCount{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/quota/ratelimit/zz_controller.go b/internal/controller/quota/ratelimit/zz_controller.go index 48285b66..340df797 100755 --- a/internal/controller/quota/ratelimit/zz_controller.go +++ b/internal/controller/quota/ratelimit/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/quota/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.RateLimit_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.RateLimit_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.RateLimit_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_quota_rate_limit"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_quota_rate_limit"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.RateLimit_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.RateLimit + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.RateLimit{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.RateLimit") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.RateLimitList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.RateLimitList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.RateLimit_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.RateLimit{}, o.EventHandler). + Watches(&v1alpha1.RateLimit{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/rabbitmq/secretbackend/zz_controller.go b/internal/controller/rabbitmq/secretbackend/zz_controller.go index 737cba62..d58b5358 100755 --- a/internal/controller/rabbitmq/secretbackend/zz_controller.go +++ b/internal/controller/rabbitmq/secretbackend/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/rabbitmq/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretBackend_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_rabbitmq_secret_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_rabbitmq_secret_backend"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretBackend_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretBackend + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretBackend{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretBackend") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretBackendList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretBackendList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretBackend_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretBackend{}, o.EventHandler). + Watches(&v1alpha1.SecretBackend{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/rabbitmq/secretbackendrole/zz_controller.go b/internal/controller/rabbitmq/secretbackendrole/zz_controller.go index af1e8f01..f7e6d88e 100755 --- a/internal/controller/rabbitmq/secretbackendrole/zz_controller.go +++ b/internal/controller/rabbitmq/secretbackendrole/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/rabbitmq/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretBackendRole_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_rabbitmq_secret_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_rabbitmq_secret_backend_role"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretBackendRole_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, 
xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretBackendRole + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretBackendRole{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretBackendRole") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretBackendRoleList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretBackendRoleList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretBackendRole{}, o.EventHandler). + Watches(&v1alpha1.SecretBackendRole{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/raft/autopilot/zz_controller.go b/internal/controller/raft/autopilot/zz_controller.go index 9edf0484..68462629 100755 --- a/internal/controller/raft/autopilot/zz_controller.go +++ b/internal/controller/raft/autopilot/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/raft/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Autopilot_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.Autopilot_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Autopilot_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_raft_autopilot"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_raft_autopilot"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.Autopilot_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.Autopilot + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.Autopilot{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.Autopilot") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AutopilotList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AutopilotList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.Autopilot_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.Autopilot{}, o.EventHandler). + Watches(&v1alpha1.Autopilot{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/raft/snapshotagentconfig/zz_controller.go b/internal/controller/raft/snapshotagentconfig/zz_controller.go index 2846e5a7..ff60cb00 100755 --- a/internal/controller/raft/snapshotagentconfig/zz_controller.go +++ b/internal/controller/raft/snapshotagentconfig/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/raft/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SnapshotAgentConfig_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SnapshotAgentConfig_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SnapshotAgentConfig_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_raft_snapshot_agent_config"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_raft_snapshot_agent_config"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SnapshotAgentConfig_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, 
xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SnapshotAgentConfig + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SnapshotAgentConfig{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SnapshotAgentConfig") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SnapshotAgentConfigList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SnapshotAgentConfigList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SnapshotAgentConfig_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SnapshotAgentConfig{}, o.EventHandler). + Watches(&v1alpha1.SnapshotAgentConfig{}, eventHandler). 
Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/rgp/policy/zz_controller.go b/internal/controller/rgp/policy/zz_controller.go index de8660db..e25a876e 100755 --- a/internal/controller/rgp/policy/zz_controller.go +++ b/internal/controller/rgp/policy/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/rgp/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Policy_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.Policy_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Policy_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_rgp_policy"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_rgp_policy"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.Policy_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.Policy + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.Policy{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.Policy") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.PolicyList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.PolicyList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.Policy_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.Policy{}, o.EventHandler). + Watches(&v1alpha1.Policy{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/ssh/secretbackendca/zz_controller.go b/internal/controller/ssh/secretbackendca/zz_controller.go index 6574dc0d..8ffae7ee 100755 
--- a/internal/controller/ssh/secretbackendca/zz_controller.go +++ b/internal/controller/ssh/secretbackendca/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/ssh/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendCA_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretBackendCA_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendCA_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_ssh_secret_backend_ca"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_ssh_secret_backend_ca"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretBackendCA_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretBackendCA + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretBackendCA{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretBackendCA") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretBackendCAList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretBackendCAList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendCA_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretBackendCA{}, o.EventHandler). + Watches(&v1alpha1.SecretBackendCA{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/ssh/secretbackendrole/zz_controller.go b/internal/controller/ssh/secretbackendrole/zz_controller.go index edd3a9fc..aaf8dc61 100755 --- a/internal/controller/ssh/secretbackendrole/zz_controller.go +++ b/internal/controller/ssh/secretbackendrole/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/ssh/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretBackendRole_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_ssh_secret_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_ssh_secret_backend_role"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretBackendRole_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, 
xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretBackendRole + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretBackendRole{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretBackendRole") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretBackendRoleList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretBackendRoleList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendRole_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretBackendRole{}, o.EventHandler). + Watches(&v1alpha1.SecretBackendRole{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/terraform/cloudsecretbackend/zz_controller.go b/internal/controller/terraform/cloudsecretbackend/zz_controller.go index 865cde05..11ae983a 100755 --- a/internal/controller/terraform/cloudsecretbackend/zz_controller.go +++ b/internal/controller/terraform/cloudsecretbackend/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/terraform/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.CloudSecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.CloudSecretBackend_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.CloudSecretBackend_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_terraform_cloud_secret_backend"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_terraform_cloud_secret_backend"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.CloudSecretBackend_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, 
xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.CloudSecretBackend + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.CloudSecretBackend{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.CloudSecretBackend") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.CloudSecretBackendList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.CloudSecretBackendList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.CloudSecretBackend_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.CloudSecretBackend{}, o.EventHandler). + Watches(&v1alpha1.CloudSecretBackend{}, eventHandler). 
Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/terraform/cloudsecretcreds/zz_controller.go b/internal/controller/terraform/cloudsecretcreds/zz_controller.go index 452a0763..d476cf1b 100755 --- a/internal/controller/terraform/cloudsecretcreds/zz_controller.go +++ b/internal/controller/terraform/cloudsecretcreds/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/terraform/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.CloudSecretCreds_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.CloudSecretCreds_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.CloudSecretCreds_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_terraform_cloud_secret_creds"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_terraform_cloud_secret_creds"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.CloudSecretCreds_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, 
xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.CloudSecretCreds + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.CloudSecretCreds{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.CloudSecretCreds") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.CloudSecretCredsList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.CloudSecretCredsList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.CloudSecretCreds_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.CloudSecretCreds{}, o.EventHandler). + Watches(&v1alpha1.CloudSecretCreds{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/terraform/cloudsecretrole/zz_controller.go b/internal/controller/terraform/cloudsecretrole/zz_controller.go index ec894357..6b9d00a6 100755 --- a/internal/controller/terraform/cloudsecretrole/zz_controller.go +++ b/internal/controller/terraform/cloudsecretrole/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/terraform/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.CloudSecretRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.CloudSecretRole_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.CloudSecretRole_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_terraform_cloud_secret_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_terraform_cloud_secret_role"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.CloudSecretRole_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, 
xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.CloudSecretRole + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.CloudSecretRole{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.CloudSecretRole") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.CloudSecretRoleList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.CloudSecretRoleList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.CloudSecretRole_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.CloudSecretRole{}, o.EventHandler). + Watches(&v1alpha1.CloudSecretRole{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/token/authbackendrole/zz_controller.go b/internal/controller/token/authbackendrole/zz_controller.go index e5d7eb68..f6c1aecc 100755 --- a/internal/controller/token/authbackendrole/zz_controller.go +++ b/internal/controller/token/authbackendrole/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/token/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.AuthBackendRole_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_token_auth_backend_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_token_auth_backend_role"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.AuthBackendRole_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.AuthBackendRole + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.AuthBackendRole{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.AuthBackendRole") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuthBackendRoleList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuthBackendRoleList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.AuthBackendRole_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.AuthBackendRole{}, o.EventHandler). + Watches(&v1alpha1.AuthBackendRole{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/transform/alphabet/zz_controller.go b/internal/controller/transform/alphabet/zz_controller.go index 2bf2215c..529374a3 100755 --- a/internal/controller/transform/alphabet/zz_controller.go +++ b/internal/controller/transform/alphabet/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/transform/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Alphabet_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.Alphabet_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Alphabet_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_transform_alphabet"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_transform_alphabet"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.Alphabet_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.Alphabet + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.Alphabet{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.Alphabet") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AlphabetList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AlphabetList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.Alphabet_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.Alphabet{}, o.EventHandler). + Watches(&v1alpha1.Alphabet{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/transform/role/zz_controller.go b/internal/controller/transform/role/zz_controller.go index fcb70535..c915ef2f 100755 --- a/internal/controller/transform/role/zz_controller.go +++ b/internal/controller/transform/role/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/transform/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Role_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.Role_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Role_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_transform_role"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_transform_role"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.Role_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.Role + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.Role{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.Role") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.RoleList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.RoleList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.Role_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.Role{}, o.EventHandler). + Watches(&v1alpha1.Role{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/transform/template/zz_controller.go b/internal/controller/transform/template/zz_controller.go index c70178a6..b172d14b 100755 
--- a/internal/controller/transform/template/zz_controller.go +++ b/internal/controller/transform/template/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/transform/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Template_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.Template_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Template_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_transform_template"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_transform_template"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.Template_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.Template + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.Template{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.Template") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.TemplateList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.TemplateList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.Template_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.Template{}, o.EventHandler). + Watches(&v1alpha1.Template{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/transform/transformation/zz_controller.go b/internal/controller/transform/transformation/zz_controller.go index b512df12..6d469caf 100755 --- a/internal/controller/transform/transformation/zz_controller.go +++ b/internal/controller/transform/transformation/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/transform/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Transformation_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.Transformation_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Transformation_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_transform_transformation"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_transform_transformation"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.Transformation_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), 
managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.Transformation + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.Transformation{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.Transformation") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.TransformationList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.TransformationList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.Transformation_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.Transformation{}, o.EventHandler). + Watches(&v1alpha1.Transformation{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/transit/secretbackendkey/zz_controller.go b/internal/controller/transit/secretbackendkey/zz_controller.go index f6541852..bc5ca219 100755 --- a/internal/controller/transit/secretbackendkey/zz_controller.go +++ b/internal/controller/transit/secretbackendkey/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/transit/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendKey_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.SecretBackendKey_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendKey_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_transit_secret_backend_key"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_transit_secret_backend_key"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.SecretBackendKey_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, 
xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.SecretBackendKey + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.SecretBackendKey{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.SecretBackendKey") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.SecretBackendKeyList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.SecretBackendKeyList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.SecretBackendKey_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.SecretBackendKey{}, o.EventHandler). + Watches(&v1alpha1.SecretBackendKey{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/vault/audit/zz_controller.go b/internal/controller/vault/audit/zz_controller.go index dde56dd6..03680781 100755 --- a/internal/controller/vault/audit/zz_controller.go +++ b/internal/controller/vault/audit/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/vault/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Audit_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.Audit_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Audit_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_audit"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_audit"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.Audit_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.Audit + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.Audit{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.Audit") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.AuditList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.AuditList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.Audit_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.Audit{}, o.EventHandler). + Watches(&v1alpha1.Audit{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/vault/mount/zz_controller.go b/internal/controller/vault/mount/zz_controller.go index 4f80fddb..1d892890 100755 
--- a/internal/controller/vault/mount/zz_controller.go +++ b/internal/controller/vault/mount/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/vault/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Mount_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.Mount_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Mount_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_mount"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_mount"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.Mount_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.Mount + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.Mount{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.Mount") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.MountList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.MountList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.Mount_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.Mount{}, o.EventHandler). + Watches(&v1alpha1.Mount{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/vault/policy/zz_controller.go b/internal/controller/vault/policy/zz_controller.go index 861826d3..efc1d6dd 100755 
--- a/internal/controller/vault/policy/zz_controller.go +++ b/internal/controller/vault/policy/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/vault/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Policy_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.Policy_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Policy_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_policy"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_policy"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.Policy_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.Policy + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.Policy{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.Policy") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.PolicyList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.PolicyList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.Policy_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.Policy{}, o.EventHandler). + Watches(&v1alpha1.Policy{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/vault/token/zz_controller.go b/internal/controller/vault/token/zz_controller.go index 38d95e92..2c7668bb 100755 
--- a/internal/controller/vault/token/zz_controller.go +++ b/internal/controller/vault/token/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/vault/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Token_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.Token_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.Token_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_token"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_token"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.Token_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.Token + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.Token{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.Token") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.TokenList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.TokenList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.Token_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.Token{}, o.EventHandler). + Watches(&v1alpha1.Token{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } diff --git a/internal/controller/vault/vaultnamespace/zz_controller.go b/internal/controller/vault/vaultnamespace/zz_controller.go index 9cb90daf..78cbb9bd 100755 
--- a/internal/controller/vault/vaultnamespace/zz_controller.go +++ b/internal/controller/vault/vaultnamespace/zz_controller.go @@ -14,8 +14,11 @@ import ( "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" - tjcontroller "github.com/upbound/upjet/pkg/controller" - "github.com/upbound/upjet/pkg/terraform" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" ctrl "sigs.k8s.io/controller-runtime" v1alpha1 "github.com/upbound/provider-vault/apis/vault/v1alpha1" 
@@ -30,28 +33,59 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { if o.SecretStoreConfigGVK != nil { cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) } - ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.VaultNamespace_GroupVersionKind), tjcontroller.WithEventHandler(o.EventHandler)) + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.VaultNamespace_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.VaultNamespace_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) opts := []managed.ReconcilerOption{ - managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["vault_namespace"], tjcontroller.WithLogger(o.Logger), tjcontroller.WithConnectorEventHandler(o.EventHandler), - tjcontroller.WithCallbackProvider(ac), - )), + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["vault_namespace"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.VaultNamespace_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), managed.WithLogger(o.Logger.WithValues("controller", name)), managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), - managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + 
managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), managed.WithTimeout(3 * time.Minute), managed.WithInitializers(initializers), managed.WithConnectionPublishers(cps...), managed.WithPollInterval(o.PollInterval), } - if o.Features.Enabled(features.EnableAlphaManagementPolicies) { + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { opts = append(opts, managed.WithManagementPolicies()) } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.VaultNamespace + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.VaultNamespace{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.VaultNamespace") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.VaultNamespaceList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.VaultNamespaceList") + } + } + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.VaultNamespace_GroupVersionKind), opts...) return ctrl.NewControllerManagedBy(mgr). Named(name). WithOptions(o.ForControllerRuntime()). WithEventFilter(xpresource.DesiredStateChanged()). - Watches(&v1alpha1.VaultNamespace{}, o.EventHandler). + Watches(&v1alpha1.VaultNamespace{}, eventHandler). Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) } 
diff --git a/internal/controller/zz_setup.go b/internal/controller/zz_setup.go index c9aba4d9..77f1defb 100755 --- a/internal/controller/zz_setup.go +++ b/internal/controller/zz_setup.go @@ -1,5 +1,5 @@ /* -Copyright 2021 Upbound Inc. +Copyright 2022 Upbound Inc. */ package controller @@ -7,7 +7,7 @@ package controller import ( ctrl "sigs.k8s.io/controller-runtime" - "github.com/upbound/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller" secretbackend "github.com/upbound/provider-vault/internal/controller/ad/secretbackend" secretrole "github.com/upbound/provider-vault/internal/controller/ad/secretrole" diff --git a/internal/features/features.go b/internal/features/features.go index 1b37951b..bcc2078e 100644 --- a/internal/features/features.go +++ b/internal/features/features.go @@ -16,5 +16,5 @@ const ( // EnableAlphaManagementPolicies enables alpha support for // Management Policies. See the below design for more details. // https://github.com/crossplane/crossplane/pull/3531 - EnableAlphaManagementPolicies feature.Flag = "EnableAlphaManagementPolicies" + EnableBetaManagementPolicies feature.Flag = "EnableBetaManagementPolicies" ) diff --git a/package/crds/ad.vault.upbound.io_secretbackends.yaml b/package/crds/ad.vault.upbound.io_secretbackends.yaml index 1268ea9c..642b3be3 100644 --- a/package/crds/ad.vault.upbound.io_secretbackends.yaml +++ b/package/crds/ad.vault.upbound.io_secretbackends.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretbackends.ad.vault.upbound.io spec: group: ad.vault.upbound.io 
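Review bot: In the internal/features/features.go hunk, the doc comment above the renamed constant is left as `// EnableAlphaManagementPolicies enables alpha support for`, so it now names an identifier that no longer exists and still describes the feature as alpha. Go doc comments should begin with the declared name, so the first comment line should read `// EnableBetaManagementPolicies enables beta support for`. The flag's string value also changes to `"EnableBetaManagementPolicies"`; presumably nothing outside this diff matches on the old string, but that is worth confirming before merge. The `const (` block opens above the hunk, so any other flags declared in it are not visible here.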
@@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string @@ -38,14 +38,19 @@ spec: an Active Directory secret backend for Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,26 +74,26 @@ spec: forProvider: properties: anonymousGroupSearch: - description: Use anonymous binds when performing LDAP group searches - (if true the initial credentials will still be used for the - initial connection test). Use anonymous binds when performing - LDAP group searches (if true the initial credentials will still - be used for the initial connection test). + description: |- + Use anonymous binds when performing LDAP group searches + (if true the initial credentials will still be used for the initial connection test). + Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test). type: boolean backend: - description: The unique path this backend should be mounted at. - Must not begin or end with a /. Defaults to ad. The mount path - for a backend, for example, the path given in "$ vault auth - enable -path=my-ad ad". + description: |- + The unique path this backend should be mounted at. Must + not begin or end with a /. Defaults to ad. + The mount path for a backend, for example, the path given in "$ vault auth enable -path=my-ad ad". type: string binddn: - description: Distinguished name of object to bind when performing - user and group search. Distinguished name of object to bind - when performing user and group search. + description: |- + Distinguished name of object to bind when performing user and group search. + Distinguished name of object to bind when performing user and group search. type: string bindpassSecretRef: - description: Password to use along with binddn when performing - user search. LDAP password for searching for the user DN. + description: |- + Password to use along with binddn when performing user search. + LDAP password for searching for the user DN. properties: key: description: The key to select. 
@@ -104,21 +110,21 @@ spec: - namespace type: object caseSensitiveNames: - description: If set, user and group names assigned to policies - within the backend will be case sensitive. Otherwise, names - will be normalized to lower case. If true, case sensitivity - will be used when comparing usernames and groups for matching - policies. + description: |- + If set, user and group names assigned to policies within the + backend will be case sensitive. Otherwise, names will be normalized to lower case. + If true, case sensitivity will be used when comparing usernames and groups for matching policies. type: boolean certificate: - description: CA certificate to use when verifying LDAP server - certificate, must be x509 PEM encoded. CA certificate to use - when verifying LDAP server certificate, must be x509 PEM encoded. + description: |- + CA certificate to use when verifying LDAP server certificate, must be + x509 PEM encoded. + CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded. type: string clientTlsCertSecretRef: - description: Client certificate to provide to the LDAP server, - must be x509 PEM encoded. Client certificate to provide to the - LDAP server, must be x509 PEM encoded. + description: |- + Client certificate to provide to the LDAP server, must be x509 PEM encoded. + Client certificate to provide to the LDAP server, must be x509 PEM encoded. properties: key: description: The key to select. @@ -135,9 +141,9 @@ spec: - namespace type: object clientTlsKeySecretRef: - description: Client certificate key to provide to the LDAP server, - must be x509 PEM encoded. Client certificate key to provide - to the LDAP server, must be x509 PEM encoded. + description: |- + Client certificate key to provide to the LDAP server, must be x509 PEM encoded. + Client certificate key to provide to the LDAP server, must be x509 PEM encoded. properties: key: description: The key to select. 
@@ -154,401 +160,426 @@ spec: - namespace type: object defaultLeaseTtlSeconds: - description: Default lease duration for secrets in seconds. Default - lease duration for secrets in seconds + description: |- + Default lease duration for secrets in seconds. + Default lease duration for secrets in seconds type: number denyNullBind: - description: Denies an unauthenticated LDAP bind request if the - user's password is empty; defaults to true. Denies an unauthenticated - LDAP bind request if the user's password is empty; defaults - to true + description: |- + Denies an unauthenticated LDAP bind request if the user's password is empty; + defaults to true. + Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true type: boolean description: - description: Human-friendly description of the mount for the Active - Directory backend. Human-friendly description of the mount for - the backend. + description: |- + Human-friendly description of the mount for the Active Directory backend. + Human-friendly description of the mount for the backend. type: string disableRemount: - description: If set, opts out of mount migration on path updates. - See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. type: boolean discoverdn: - description: Use anonymous bind to discover the bind Distinguished - Name of a user. Use anonymous bind to discover the bind DN of - a user. + description: |- + Use anonymous bind to discover the bind Distinguished Name of a user. + Use anonymous bind to discover the bind DN of a user. type: boolean - formatter: - description: Deprecated use password_policy. Text to insert the - password into, ex. "customPrefix{{PASSWORD}}customSuffix". Text - to insert the password into, ex. 
"customPrefix{{PASSWORD}}customSuffix". - type: string groupattr: - description: 'LDAP attribute to follow on objects returned by in - order to enumerate user group membership. Examples: cn or memberOf, - etc. Defaults to cn. LDAP attribute to follow on objects returned - by in order to enumerate user group membership. - Examples: "cn" or "memberOf", etc. Default: cn' + description: |- + LDAP attribute to follow on objects returned by in order to enumerate + user group membership. Examples: cn or memberOf, etc. Defaults to cn. + LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: "cn" or "memberOf", etc. Default: cn type: string groupdn: - description: 'LDAP search base to use for group membership search - (eg: ou=Groups,dc=example,dc=org). LDAP search base to use for - group membership search (eg: ou=Groups,dc=example,dc=org)' + description: |- + LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org). + LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org) type: string groupfilter: - description: 'Go template for querying group membership of user The - template can access the following context variables: UserDN, - Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}})) - Go template for querying group membership of user. The template - can access the following context variables: UserDN, Username - Example: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) - Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))' + description: |- + Go template for querying group membership of user The template can access + the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}})) + Go template for querying group membership of user. 
The template can access the following context variables: UserDN, Username Example: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}})) type: string insecureTls: - description: Skip LDAP server SSL Certificate verification. This - is not recommended for production. Defaults to false. Skip LDAP - server SSL Certificate verification - insecure and not recommended - for production use. + description: |- + Skip LDAP server SSL Certificate verification. This is not recommended for production. + Defaults to false. + Skip LDAP server SSL Certificate verification - insecure and not recommended for production use. type: boolean lastRotationTolerance: - description: The number of seconds after a Vault rotation where, - if Active Directory shows a later rotation, it should be considered - out-of-band The number of seconds after a Vault rotation where, - if Active Directory shows a later rotation, it should be considered - out-of-band. - type: number - length: - description: Deprecated use password_policy. The desired length - of passwords that Vault generates. Mutually exclusive with The - desired length of passwords that Vault generates. + description: |- + The number of seconds after a Vault rotation where, if Active Directory + shows a later rotation, it should be considered out-of-band + The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band. type: number local: - description: Mark the secrets engine as local-only. Local engines - are not replicated or removed by replication.Tolerance duration - to use when checking the last rotation time. Mark the secrets - engine as local-only. Local engines are not replicated or removed - by replication.Tolerance duration to use when checking the last - rotation time. + description: |- + Mark the secrets engine as local-only. 
Local engines are not replicated or removed by + replication.Tolerance duration to use when checking the last rotation time. + Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time. type: boolean maxLeaseTtlSeconds: - description: Maximum possible lease duration for secrets in seconds. + description: |- + Maximum possible lease duration for secrets in seconds. Maximum possible lease duration for secrets in seconds. type: number maxTtl: - description: In seconds, the maximum password time-to-live. In - seconds, the maximum password time-to-live. + description: |- + In seconds, the maximum password time-to-live. + In seconds, the maximum password time-to-live. type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string passwordPolicy: - description: 1.11+ Name of the password policy to use to generate - passwords. + description: |- + Name of the password policy to use to generate passwords. + Name of the password policy to use to generate passwords. type: string requestTimeout: - description: Timeout, in seconds, for the connection when making - requests against the server before returning back an error. - Timeout, in seconds, for the connection when making requests - against the server before returning back an error. 
+ description: |- + Timeout, in seconds, for the connection when making requests against the server + before returning back an error. + Timeout, in seconds, for the connection when making requests against the server before returning back an error. type: number starttls: - description: Issue a StartTLS command after establishing unencrypted - connection. Issue a StartTLS command after establishing unencrypted - connection. + description: |- + Issue a StartTLS command after establishing unencrypted connection. + Issue a StartTLS command after establishing unencrypted connection. type: boolean tlsMaxVersion: - description: Maximum TLS version to use. Accepted values are tls10, - tls11, tls12 or tls13. Defaults to tls12. Maximum TLS version - to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. - Defaults to 'tls12' + description: |- + Maximum TLS version to use. Accepted values are tls10, tls11, + tls12 or tls13. Defaults to tls12. + Maximum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12' type: string tlsMinVersion: - description: Minimum TLS version to use. Accepted values are tls10, - tls11, tls12 or tls13. Defaults to tls12. Minimum TLS version - to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. - Defaults to 'tls12' + description: |- + Minimum TLS version to use. Accepted values are tls10, tls11, + tls12 or tls13. Defaults to tls12. + Minimum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12' type: string ttl: - description: In seconds, the default password time-to-live. In - seconds, the default password time-to-live. + description: |- + In seconds, the default password time-to-live. + In seconds, the default password time-to-live. type: number upndomain: - description: Enables userPrincipalDomain login with [username]@UPNDomain. + description: |- + Enables userPrincipalDomain login with [username]@UPNDomain. 
Enables userPrincipalDomain login with [username]@UPNDomain. type: string url: - description: 'LDAP URL to connect to. Multiple URLs can be specified - by concatenating them with commas; they will be tried in-order. - Defaults to ldap://127.0.0.1. LDAP URL to connect to (default: - ldap://127.0.0.1). Multiple URLs can be specified by concatenating - them with commas; they will be tried in-order.' + description: |- + LDAP URL to connect to. Multiple URLs can be specified by concatenating + them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1. + LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. type: string usePre111GroupCnBehavior: - description: In Vault 1.1.1 a fix for handling group CN values - of different cases unfortunately introduced a regression that - could cause previously defined groups to not be found due to - a change in the resulting name. If set true, the pre-1.1.1 behavior - for matching group CNs will be used. This is only needed in - some upgrade scenarios for backwards compatibility. It is enabled - by default if the config is upgraded but disabled by default - on new configurations. In Vault 1.1.1 a fix for handling group - CN values of different cases unfortunately introduced a regression - that could cause previously defined groups to not be found due - to a change in the resulting name. If set true, the pre-1.1.1 - behavior for matching group CNs will be used. This is only needed - in some upgrade scenarios for backwards compatibility. It is - enabled by default if the config is upgraded but disabled by - default on new configurations. + description: |- + In Vault 1.1.1 a fix for handling group CN values of + different cases unfortunately introduced a regression that could cause previously defined groups + to not be found due to a change in the resulting name. 
If set true, the pre-1.1.1 behavior for + matching group CNs will be used. This is only needed in some upgrade scenarios for backwards + compatibility. It is enabled by default if the config is upgraded but disabled by default on + new configurations. + In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations. type: boolean useTokenGroups: - description: If true, use the Active Directory tokenGroups constructed - attribute of the user to find the group memberships. This will - find all security groups including nested ones. If true, use - the Active Directory tokenGroups constructed attribute of the - user to find the group memberships. This will find all security - groups including nested ones. + description: |- + If true, use the Active Directory tokenGroups constructed attribute of the + user to find the group memberships. This will find all security groups including nested ones. + If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones. type: boolean userattr: - description: 'Attribute used when searching users. Defaults to - cn. Attribute used for users (default: cn)' + description: |- + Attribute used when searching users. Defaults to cn. + Attribute used for users (default: cn) type: string userdn: - description: 'LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`. - LDAP domain to use for users (eg: ou=People,dc=example,dc=org)' + description: |- + LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`. 
+ LDAP domain to use for users (eg: ou=People,dc=example,dc=org) type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: anonymousGroupSearch: - description: Use anonymous binds when performing LDAP group searches - (if true the initial credentials will still be used for the - initial connection test). Use anonymous binds when performing - LDAP group searches (if true the initial credentials will still - be used for the initial connection test). + description: |- + Use anonymous binds when performing LDAP group searches + (if true the initial credentials will still be used for the initial connection test). 
+ Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test). type: boolean backend: - description: The unique path this backend should be mounted at. - Must not begin or end with a /. Defaults to ad. The mount path - for a backend, for example, the path given in "$ vault auth - enable -path=my-ad ad". + description: |- + The unique path this backend should be mounted at. Must + not begin or end with a /. Defaults to ad. + The mount path for a backend, for example, the path given in "$ vault auth enable -path=my-ad ad". type: string binddn: - description: Distinguished name of object to bind when performing - user and group search. Distinguished name of object to bind - when performing user and group search. + description: |- + Distinguished name of object to bind when performing user and group search. + Distinguished name of object to bind when performing user and group search. type: string + bindpassSecretRef: + description: |- + Password to use along with binddn when performing user search. + LDAP password for searching for the user DN. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object caseSensitiveNames: - description: If set, user and group names assigned to policies - within the backend will be case sensitive. Otherwise, names - will be normalized to lower case. If true, case sensitivity - will be used when comparing usernames and groups for matching - policies. + description: |- + If set, user and group names assigned to policies within the + backend will be case sensitive. Otherwise, names will be normalized to lower case. + If true, case sensitivity will be used when comparing usernames and groups for matching policies. 
type: boolean certificate: - description: CA certificate to use when verifying LDAP server - certificate, must be x509 PEM encoded. CA certificate to use - when verifying LDAP server certificate, must be x509 PEM encoded. + description: |- + CA certificate to use when verifying LDAP server certificate, must be + x509 PEM encoded. + CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded. type: string + clientTlsCertSecretRef: + description: |- + Client certificate to provide to the LDAP server, must be x509 PEM encoded. + Client certificate to provide to the LDAP server, must be x509 PEM encoded. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + clientTlsKeySecretRef: + description: |- + Client certificate key to provide to the LDAP server, must be x509 PEM encoded. + Client certificate key to provide to the LDAP server, must be x509 PEM encoded. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object defaultLeaseTtlSeconds: - description: Default lease duration for secrets in seconds. Default - lease duration for secrets in seconds + description: |- + Default lease duration for secrets in seconds. + Default lease duration for secrets in seconds type: number denyNullBind: - description: Denies an unauthenticated LDAP bind request if the - user's password is empty; defaults to true. Denies an unauthenticated - LDAP bind request if the user's password is empty; defaults - to true + description: |- + Denies an unauthenticated LDAP bind request if the user's password is empty; + defaults to true. 
+ Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true type: boolean description: - description: Human-friendly description of the mount for the Active - Directory backend. Human-friendly description of the mount for - the backend. + description: |- + Human-friendly description of the mount for the Active Directory backend. + Human-friendly description of the mount for the backend. type: string disableRemount: - description: If set, opts out of mount migration on path updates. - See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. type: boolean discoverdn: - description: Use anonymous bind to discover the bind Distinguished - Name of a user. Use anonymous bind to discover the bind DN of - a user. + description: |- + Use anonymous bind to discover the bind Distinguished Name of a user. + Use anonymous bind to discover the bind DN of a user. type: boolean - formatter: - description: Deprecated use password_policy. Text to insert the - password into, ex. "customPrefix{{PASSWORD}}customSuffix". Text - to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". - type: string groupattr: - description: 'LDAP attribute to follow on objects returned by in - order to enumerate user group membership. Examples: cn or memberOf, - etc. Defaults to cn. LDAP attribute to follow on objects returned - by in order to enumerate user group membership. - Examples: "cn" or "memberOf", etc. Default: cn' + description: |- + LDAP attribute to follow on objects returned by in order to enumerate + user group membership. Examples: cn or memberOf, etc. Defaults to cn. + LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: "cn" or "memberOf", etc. 
Default: cn type: string groupdn: - description: 'LDAP search base to use for group membership search - (eg: ou=Groups,dc=example,dc=org). LDAP search base to use for - group membership search (eg: ou=Groups,dc=example,dc=org)' + description: |- + LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org). + LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org) type: string groupfilter: - description: 'Go template for querying group membership of user The - template can access the following context variables: UserDN, - Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}})) - Go template for querying group membership of user. The template - can access the following context variables: UserDN, Username - Example: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) - Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))' + description: |- + Go template for querying group membership of user The template can access + the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}})) + Go template for querying group membership of user. The template can access the following context variables: UserDN, Username Example: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}})) type: string insecureTls: - description: Skip LDAP server SSL Certificate verification. This - is not recommended for production. Defaults to false. Skip LDAP - server SSL Certificate verification - insecure and not recommended - for production use. + description: |- + Skip LDAP server SSL Certificate verification. This is not recommended for production. + Defaults to false. + Skip LDAP server SSL Certificate verification - insecure and not recommended for production use. 
type: boolean lastRotationTolerance: - description: The number of seconds after a Vault rotation where, - if Active Directory shows a later rotation, it should be considered - out-of-band The number of seconds after a Vault rotation where, - if Active Directory shows a later rotation, it should be considered - out-of-band. - type: number - length: - description: Deprecated use password_policy. The desired length - of passwords that Vault generates. Mutually exclusive with The - desired length of passwords that Vault generates. + description: |- + The number of seconds after a Vault rotation where, if Active Directory + shows a later rotation, it should be considered out-of-band + The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band. type: number local: - description: Mark the secrets engine as local-only. Local engines - are not replicated or removed by replication.Tolerance duration - to use when checking the last rotation time. Mark the secrets - engine as local-only. Local engines are not replicated or removed - by replication.Tolerance duration to use when checking the last - rotation time. + description: |- + Mark the secrets engine as local-only. Local engines are not replicated or removed by + replication.Tolerance duration to use when checking the last rotation time. + Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time. type: boolean maxLeaseTtlSeconds: - description: Maximum possible lease duration for secrets in seconds. + description: |- + Maximum possible lease duration for secrets in seconds. Maximum possible lease duration for secrets in seconds. type: number maxTtl: - description: In seconds, the maximum password time-to-live. In - seconds, the maximum password time-to-live. + description: |- + In seconds, the maximum password time-to-live. 
+ In seconds, the maximum password time-to-live. type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string passwordPolicy: - description: 1.11+ Name of the password policy to use to generate - passwords. + description: |- + Name of the password policy to use to generate passwords. + Name of the password policy to use to generate passwords. type: string requestTimeout: - description: Timeout, in seconds, for the connection when making - requests against the server before returning back an error. - Timeout, in seconds, for the connection when making requests - against the server before returning back an error. + description: |- + Timeout, in seconds, for the connection when making requests against the server + before returning back an error. + Timeout, in seconds, for the connection when making requests against the server before returning back an error. type: number starttls: - description: Issue a StartTLS command after establishing unencrypted - connection. Issue a StartTLS command after establishing unencrypted - connection. + description: |- + Issue a StartTLS command after establishing unencrypted connection. + Issue a StartTLS command after establishing unencrypted connection. type: boolean tlsMaxVersion: - description: Maximum TLS version to use. Accepted values are tls10, - tls11, tls12 or tls13. Defaults to tls12. Maximum TLS version - to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. 
- Defaults to 'tls12' + description: |- + Maximum TLS version to use. Accepted values are tls10, tls11, + tls12 or tls13. Defaults to tls12. + Maximum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12' type: string tlsMinVersion: - description: Minimum TLS version to use. Accepted values are tls10, - tls11, tls12 or tls13. Defaults to tls12. Minimum TLS version - to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. - Defaults to 'tls12' + description: |- + Minimum TLS version to use. Accepted values are tls10, tls11, + tls12 or tls13. Defaults to tls12. + Minimum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12' type: string ttl: - description: In seconds, the default password time-to-live. In - seconds, the default password time-to-live. + description: |- + In seconds, the default password time-to-live. + In seconds, the default password time-to-live. type: number upndomain: - description: Enables userPrincipalDomain login with [username]@UPNDomain. + description: |- + Enables userPrincipalDomain login with [username]@UPNDomain. Enables userPrincipalDomain login with [username]@UPNDomain. type: string url: - description: 'LDAP URL to connect to. Multiple URLs can be specified - by concatenating them with commas; they will be tried in-order. - Defaults to ldap://127.0.0.1. LDAP URL to connect to (default: - ldap://127.0.0.1). Multiple URLs can be specified by concatenating - them with commas; they will be tried in-order.' + description: |- + LDAP URL to connect to. Multiple URLs can be specified by concatenating + them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1. + LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. 
type: string usePre111GroupCnBehavior: - description: In Vault 1.1.1 a fix for handling group CN values - of different cases unfortunately introduced a regression that - could cause previously defined groups to not be found due to - a change in the resulting name. If set true, the pre-1.1.1 behavior - for matching group CNs will be used. This is only needed in - some upgrade scenarios for backwards compatibility. It is enabled - by default if the config is upgraded but disabled by default - on new configurations. In Vault 1.1.1 a fix for handling group - CN values of different cases unfortunately introduced a regression - that could cause previously defined groups to not be found due - to a change in the resulting name. If set true, the pre-1.1.1 - behavior for matching group CNs will be used. This is only needed - in some upgrade scenarios for backwards compatibility. It is - enabled by default if the config is upgraded but disabled by - default on new configurations. + description: |- + In Vault 1.1.1 a fix for handling group CN values of + different cases unfortunately introduced a regression that could cause previously defined groups + to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for + matching group CNs will be used. This is only needed in some upgrade scenarios for backwards + compatibility. It is enabled by default if the config is upgraded but disabled by default on + new configurations. + In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations. 
type: boolean useTokenGroups: - description: If true, use the Active Directory tokenGroups constructed - attribute of the user to find the group memberships. This will - find all security groups including nested ones. If true, use - the Active Directory tokenGroups constructed attribute of the - user to find the group memberships. This will find all security - groups including nested ones. + description: |- + If true, use the Active Directory tokenGroups constructed attribute of the + user to find the group memberships. This will find all security groups including nested ones. + If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones. type: boolean userattr: - description: 'Attribute used when searching users. Defaults to - cn. Attribute used for users (default: cn)' + description: |- + Attribute used when searching users. Defaults to cn. + Attribute used for users (default: cn) type: string userdn: - description: 'LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`. - LDAP domain to use for users (eg: ou=People,dc=example,dc=org)' + description: |- + LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`. + LDAP domain to use for users (eg: ou=People,dc=example,dc=org) type: string + required: + - bindpassSecretRef type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. 
See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -561,45 +592,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -609,21 +605,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -633,17 +629,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -653,21 +651,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -682,21 +680,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -707,14 +706,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. @@ -730,11 +730,11 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: binddn is a required parameter + - message: spec.forProvider.binddn is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.binddn) - || has(self.initProvider.binddn)' - - message: bindpassSecretRef is a required parameter + || (has(self.initProvider) && has(self.initProvider.binddn))' + - message: spec.forProvider.bindpassSecretRef is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.bindpassSecretRef)' status: 
@@ -743,203 +743,185 @@ spec: atProvider: properties: anonymousGroupSearch: - description: Use anonymous binds when performing LDAP group searches - (if true the initial credentials will still be used for the - initial connection test). Use anonymous binds when performing - LDAP group searches (if true the initial credentials will still - be used for the initial connection test). + description: |- + Use anonymous binds when performing LDAP group searches + (if true the initial credentials will still be used for the initial connection test). + Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test). type: boolean backend: - description: The unique path this backend should be mounted at. - Must not begin or end with a /. Defaults to ad. The mount path - for a backend, for example, the path given in "$ vault auth - enable -path=my-ad ad". + description: |- + The unique path this backend should be mounted at. Must + not begin or end with a /. Defaults to ad. + The mount path for a backend, for example, the path given in "$ vault auth enable -path=my-ad ad". type: string binddn: - description: Distinguished name of object to bind when performing - user and group search. Distinguished name of object to bind - when performing user and group search. + description: |- + Distinguished name of object to bind when performing user and group search. + Distinguished name of object to bind when performing user and group search. type: string caseSensitiveNames: - description: If set, user and group names assigned to policies - within the backend will be case sensitive. Otherwise, names - will be normalized to lower case. If true, case sensitivity - will be used when comparing usernames and groups for matching - policies. + description: |- + If set, user and group names assigned to policies within the + backend will be case sensitive. Otherwise, names will be normalized to lower case. 
+ If true, case sensitivity will be used when comparing usernames and groups for matching policies. type: boolean certificate: - description: CA certificate to use when verifying LDAP server - certificate, must be x509 PEM encoded. CA certificate to use - when verifying LDAP server certificate, must be x509 PEM encoded. + description: |- + CA certificate to use when verifying LDAP server certificate, must be + x509 PEM encoded. + CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded. type: string defaultLeaseTtlSeconds: - description: Default lease duration for secrets in seconds. Default - lease duration for secrets in seconds + description: |- + Default lease duration for secrets in seconds. + Default lease duration for secrets in seconds type: number denyNullBind: - description: Denies an unauthenticated LDAP bind request if the - user's password is empty; defaults to true. Denies an unauthenticated - LDAP bind request if the user's password is empty; defaults - to true + description: |- + Denies an unauthenticated LDAP bind request if the user's password is empty; + defaults to true. + Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true type: boolean description: - description: Human-friendly description of the mount for the Active - Directory backend. Human-friendly description of the mount for - the backend. + description: |- + Human-friendly description of the mount for the Active Directory backend. + Human-friendly description of the mount for the backend. type: string disableRemount: - description: If set, opts out of mount migration on path updates. - See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. 
type: boolean discoverdn: - description: Use anonymous bind to discover the bind Distinguished - Name of a user. Use anonymous bind to discover the bind DN of - a user. + description: |- + Use anonymous bind to discover the bind Distinguished Name of a user. + Use anonymous bind to discover the bind DN of a user. type: boolean - formatter: - description: Deprecated use password_policy. Text to insert the - password into, ex. "customPrefix{{PASSWORD}}customSuffix". Text - to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". - type: string groupattr: - description: 'LDAP attribute to follow on objects returned by in - order to enumerate user group membership. Examples: cn or memberOf, - etc. Defaults to cn. LDAP attribute to follow on objects returned - by in order to enumerate user group membership. - Examples: "cn" or "memberOf", etc. Default: cn' + description: |- + LDAP attribute to follow on objects returned by in order to enumerate + user group membership. Examples: cn or memberOf, etc. Defaults to cn. + LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: "cn" or "memberOf", etc. Default: cn type: string groupdn: - description: 'LDAP search base to use for group membership search - (eg: ou=Groups,dc=example,dc=org). LDAP search base to use for - group membership search (eg: ou=Groups,dc=example,dc=org)' + description: |- + LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org). + LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org) type: string groupfilter: - description: 'Go template for querying group membership of user The - template can access the following context variables: UserDN, - Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}})) - Go template for querying group membership of user. 
The template - can access the following context variables: UserDN, Username - Example: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) - Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))' + description: |- + Go template for querying group membership of user The template can access + the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}})) + Go template for querying group membership of user. The template can access the following context variables: UserDN, Username Example: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}})) type: string id: type: string insecureTls: - description: Skip LDAP server SSL Certificate verification. This - is not recommended for production. Defaults to false. Skip LDAP - server SSL Certificate verification - insecure and not recommended - for production use. + description: |- + Skip LDAP server SSL Certificate verification. This is not recommended for production. + Defaults to false. + Skip LDAP server SSL Certificate verification - insecure and not recommended for production use. type: boolean lastRotationTolerance: - description: The number of seconds after a Vault rotation where, - if Active Directory shows a later rotation, it should be considered - out-of-band The number of seconds after a Vault rotation where, - if Active Directory shows a later rotation, it should be considered - out-of-band. - type: number - length: - description: Deprecated use password_policy. The desired length - of passwords that Vault generates. Mutually exclusive with The - desired length of passwords that Vault generates. 
+ description: |- + The number of seconds after a Vault rotation where, if Active Directory + shows a later rotation, it should be considered out-of-band + The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band. type: number local: - description: Mark the secrets engine as local-only. Local engines - are not replicated or removed by replication.Tolerance duration - to use when checking the last rotation time. Mark the secrets - engine as local-only. Local engines are not replicated or removed - by replication.Tolerance duration to use when checking the last - rotation time. + description: |- + Mark the secrets engine as local-only. Local engines are not replicated or removed by + replication.Tolerance duration to use when checking the last rotation time. + Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time. type: boolean maxLeaseTtlSeconds: - description: Maximum possible lease duration for secrets in seconds. + description: |- + Maximum possible lease duration for secrets in seconds. Maximum possible lease duration for secrets in seconds. type: number maxTtl: - description: In seconds, the maximum password time-to-live. In - seconds, the maximum password time-to-live. + description: |- + In seconds, the maximum password time-to-live. + In seconds, the maximum password time-to-live. type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. 
+ The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string passwordPolicy: - description: 1.11+ Name of the password policy to use to generate - passwords. + description: |- + Name of the password policy to use to generate passwords. + Name of the password policy to use to generate passwords. type: string requestTimeout: - description: Timeout, in seconds, for the connection when making - requests against the server before returning back an error. - Timeout, in seconds, for the connection when making requests - against the server before returning back an error. + description: |- + Timeout, in seconds, for the connection when making requests against the server + before returning back an error. + Timeout, in seconds, for the connection when making requests against the server before returning back an error. type: number starttls: - description: Issue a StartTLS command after establishing unencrypted - connection. Issue a StartTLS command after establishing unencrypted - connection. + description: |- + Issue a StartTLS command after establishing unencrypted connection. + Issue a StartTLS command after establishing unencrypted connection. type: boolean tlsMaxVersion: - description: Maximum TLS version to use. Accepted values are tls10, - tls11, tls12 or tls13. Defaults to tls12. Maximum TLS version - to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. - Defaults to 'tls12' + description: |- + Maximum TLS version to use. Accepted values are tls10, tls11, + tls12 or tls13. Defaults to tls12. + Maximum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12' type: string tlsMinVersion: - description: Minimum TLS version to use. Accepted values are tls10, - tls11, tls12 or tls13. Defaults to tls12. Minimum TLS version - to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. 
- Defaults to 'tls12' + description: |- + Minimum TLS version to use. Accepted values are tls10, tls11, + tls12 or tls13. Defaults to tls12. + Minimum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12' type: string ttl: - description: In seconds, the default password time-to-live. In - seconds, the default password time-to-live. + description: |- + In seconds, the default password time-to-live. + In seconds, the default password time-to-live. type: number upndomain: - description: Enables userPrincipalDomain login with [username]@UPNDomain. + description: |- + Enables userPrincipalDomain login with [username]@UPNDomain. Enables userPrincipalDomain login with [username]@UPNDomain. type: string url: - description: 'LDAP URL to connect to. Multiple URLs can be specified - by concatenating them with commas; they will be tried in-order. - Defaults to ldap://127.0.0.1. LDAP URL to connect to (default: - ldap://127.0.0.1). Multiple URLs can be specified by concatenating - them with commas; they will be tried in-order.' + description: |- + LDAP URL to connect to. Multiple URLs can be specified by concatenating + them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1. + LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. type: string usePre111GroupCnBehavior: - description: In Vault 1.1.1 a fix for handling group CN values - of different cases unfortunately introduced a regression that - could cause previously defined groups to not be found due to - a change in the resulting name. If set true, the pre-1.1.1 behavior - for matching group CNs will be used. This is only needed in - some upgrade scenarios for backwards compatibility. It is enabled - by default if the config is upgraded but disabled by default - on new configurations. 
In Vault 1.1.1 a fix for handling group - CN values of different cases unfortunately introduced a regression - that could cause previously defined groups to not be found due - to a change in the resulting name. If set true, the pre-1.1.1 - behavior for matching group CNs will be used. This is only needed - in some upgrade scenarios for backwards compatibility. It is - enabled by default if the config is upgraded but disabled by - default on new configurations. + description: |- + In Vault 1.1.1 a fix for handling group CN values of + different cases unfortunately introduced a regression that could cause previously defined groups + to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for + matching group CNs will be used. This is only needed in some upgrade scenarios for backwards + compatibility. It is enabled by default if the config is upgraded but disabled by default on + new configurations. + In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations. type: boolean useTokenGroups: - description: If true, use the Active Directory tokenGroups constructed - attribute of the user to find the group memberships. This will - find all security groups including nested ones. If true, use - the Active Directory tokenGroups constructed attribute of the - user to find the group memberships. This will find all security - groups including nested ones. + description: |- + If true, use the Active Directory tokenGroups constructed attribute of the + user to find the group memberships. This will find all security groups including nested ones. 
+ If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones. type: boolean userattr: - description: 'Attribute used when searching users. Defaults to - cn. Attribute used for users (default: cn)' + description: |- + Attribute used when searching users. Defaults to cn. + Attribute used for users (default: cn) type: string userdn: - description: 'LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`. - LDAP domain to use for users (eg: ou=People,dc=example,dc=org)' + description: |- + LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`. + LDAP domain to use for users (eg: ou=People,dc=example,dc=org) type: string type: object conditions: @@ -948,14 +930,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. 
@@ -965,8 +956,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -975,6 +967,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/ad.vault.upbound.io_secretroles.yaml b/package/crds/ad.vault.upbound.io_secretroles.yaml index b26aa862..4366e565 100644 --- a/package/crds/ad.vault.upbound.io_secretroles.yaml +++ b/package/crds/ad.vault.upbound.io_secretroles.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretroles.ad.vault.upbound.io spec: group: ad.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: on the Active Directory Secret Backend for Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,87 +74,250 @@ spec: forProvider: properties: backend: - description: The path the AD secret backend is mounted at, with - no leading or trailing /s. The mount path for the AD backend. + description: |- + The path the AD secret backend is mounted at, + with no leading or trailing /s. + The mount path for the AD backend. type: string + backendRef: + description: Reference to a SecretBackend in ad to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a SecretBackend in ad to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. 
+ The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string role: - description: The name to identify this role within the backend. - Must be unique within the backend. Name of the role. + description: |- + The name to identify this role within the backend. + Must be unique within the backend. + Name of the role. type: string serviceAccountName: - description: Specifies the name of the Active Directory service - account mapped to this role. The username/logon name for the - service account with which this role will be associated. + description: |- + Specifies the name of the Active Directory service + account mapped to this role. + The username/logon name for the service account with which this role will be associated. type: string ttl: - description: The password time-to-live in seconds. Defaults to - the configuration ttl if not provided. 
In seconds, the default - password time-to-live. + description: |- + The password time-to-live in seconds. Defaults to the configuration + ttl if not provided. + In seconds, the default password time-to-live. type: number type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: backend: - description: The path the AD secret backend is mounted at, with - no leading or trailing /s. The mount path for the AD backend. + description: |- + The path the AD secret backend is mounted at, + with no leading or trailing /s. + The mount path for the AD backend. 
type: string + backendRef: + description: Reference to a SecretBackend in ad to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a SecretBackend in ad to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. 
The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string role: - description: The name to identify this role within the backend. - Must be unique within the backend. Name of the role. + description: |- + The name to identify this role within the backend. + Must be unique within the backend. + Name of the role. type: string serviceAccountName: - description: Specifies the name of the Active Directory service - account mapped to this role. The username/logon name for the - service account with which this role will be associated. + description: |- + Specifies the name of the Active Directory service + account mapped to this role. + The username/logon name for the service account with which this role will be associated. type: string ttl: - description: The password time-to-live in seconds. Defaults to - the configuration ttl if not provided. In seconds, the default - password time-to-live. + description: |- + The password time-to-live in seconds. Defaults to the configuration + ttl if not provided. + In seconds, the default password time-to-live. type: number type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. 
- It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -161,9 +330,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -173,57 +343,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -233,17 +367,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -253,21 +389,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -282,21 +418,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -307,14 +444,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -330,57 +468,62 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: backend is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) - || has(self.initProvider.backend)' - - message: role is a required parameter + - message: spec.forProvider.role is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.role) - || has(self.initProvider.role)' - - message: serviceAccountName is a required parameter + || (has(self.initProvider) && has(self.initProvider.role))' + - message: spec.forProvider.serviceAccountName is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.serviceAccountName) - || has(self.initProvider.serviceAccountName)' + || (has(self.initProvider) && has(self.initProvider.serviceAccountName))' status: description: SecretRoleStatus defines the observed state of SecretRole. properties: atProvider: properties: backend: - description: The path the AD secret backend is mounted at, with - no leading or trailing /s. The mount path for the AD backend. + description: |- + The path the AD secret backend is mounted at, + with no leading or trailing /s. + The mount path for the AD backend. type: string id: type: string lastVaultRotation: - description: Timestamp of the last password rotation by Vault. + description: |- + Timestamp of the last password rotation by Vault. Last time Vault rotated this service account's password. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. 
Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string passwordLastSet: - description: Timestamp of the last password set by Vault. Last - time Vault set this service account's password. + description: |- + Timestamp of the last password set by Vault. + Last time Vault set this service account's password. type: string role: - description: The name to identify this role within the backend. - Must be unique within the backend. Name of the role. + description: |- + The name to identify this role within the backend. + Must be unique within the backend. + Name of the role. type: string serviceAccountName: - description: Specifies the name of the Active Directory service - account mapped to this role. The username/logon name for the - service account with which this role will be associated. + description: |- + Specifies the name of the Active Directory service + account mapped to this role. + The username/logon name for the service account with which this role will be associated. type: string ttl: - description: The password time-to-live in seconds. Defaults to - the configuration ttl if not provided. In seconds, the default - password time-to-live. + description: |- + The password time-to-live in seconds. Defaults to the configuration + ttl if not provided. + In seconds, the default password time-to-live. type: number type: object conditions: 
@@ -389,14 +532,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -406,8 +558,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -416,6 +569,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/alicloud.vault.upbound.io_authbackendroles.yaml b/package/crds/alicloud.vault.upbound.io_authbackendroles.yaml index ed9783d5..342f158e 100644 --- a/package/crds/alicloud.vault.upbound.io_authbackendroles.yaml +++ b/package/crds/alicloud.vault.upbound.io_authbackendroles.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: authbackendroles.alicloud.vault.upbound.io spec: group: alicloud.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: roles in an AliCloud auth backend in Vault properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,191 +74,372 @@ spec: forProvider: properties: arn: - description: The role's arn. The role's arn. + description: |- + The role's arn. + The role's arn. type: string backend: - description: Path to the mounted AliCloud auth backend. Defaults - to alicloud Auth backend. + description: |- + Path to the mounted AliCloud auth backend. + Defaults to alicloud + Auth backend. type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. 
+ The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string role: - description: Name of the role. Must correspond with the name of - the role reflected in the arn. Name of the role. Must correspond - with the name of the role reflected in the arn. + description: |- + Name of the role. Must correspond with the name of + the role reflected in the arn. + Name of the role. Must correspond with the name of the role reflected in the arn. type: string tokenBoundCidrs: - description: List of CIDR blocks; if set, specifies blocks of - IP addresses which can authenticate successfully, and ties the - resulting token to these blocks as well. 
Specifies the blocks - of IP addresses which are allowed to use the generated token + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + Specifies the blocks of IP addresses which are allowed to use the generated token items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: - description: If set, will encode an explicit max TTL onto the - token in number of seconds. This is a hard cap even if token_ttl - and token_max_ttl would otherwise allow a renewal. Generated - Token's Explicit Maximum TTL in seconds + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + Generated Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime for generated tokens in number - of seconds. Its current value will be referenced at renewal - time. The maximum lifetime of the generated token + description: |- + The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If set, the default policy will not be set on generated - tokens; otherwise it will be added to the policies set in token_policies. - If true, the 'default' policy will not automatically be added - to generated tokens + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a generated token may - be used (within its lifetime); 0 means unlimited. 
The maximum - number of times a token may be used, a value of zero means unlimited + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + The maximum number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: If set, indicates that the token generated using - this role should never expire. The token should be renewed within - the duration specified by this value. At each renewal, the token's - TTL will be set to the value of this field. Specified in seconds. + description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. Generated Token's Period type: number tokenPolicies: - description: List of policies to encode onto generated tokens. - Depending on the auth method, this list may be supplemented - by user/group/other values. Generated Token's Policies + description: |- + List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + Generated Token's Policies items: type: string type: array + x-kubernetes-list-type: set tokenTtl: - description: The incremental lifetime for generated tokens in - number of seconds. Its current value will be referenced at renewal - time. The initial ttl of the token to generate in seconds + description: |- + The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The initial ttl of the token to generate in seconds type: number tokenType: - description: 'The type of token that should be generated. Can - be service, batch, or default to use the mount''s tuned default - (which unless changed will be service tokens). 
For token store - roles, there are two additional possibilities: default-service - and default-batch which specify the type to return unless the - client requests a different type at generation time. The type - of token to generate, service or batch' + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. + The type of token to generate, service or batch type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. 
This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: arn: - description: The role's arn. The role's arn. + description: |- + The role's arn. + The role's arn. type: string backend: - description: Path to the mounted AliCloud auth backend. Defaults - to alicloud Auth backend. + description: |- + Path to the mounted AliCloud auth backend. + Defaults to alicloud + Auth backend. type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. 
+ properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string role: - description: Name of the role. Must correspond with the name of - the role reflected in the arn. Name of the role. Must correspond - with the name of the role reflected in the arn. + description: |- + Name of the role. Must correspond with the name of + the role reflected in the arn. + Name of the role. Must correspond with the name of the role reflected in the arn. type: string tokenBoundCidrs: - description: List of CIDR blocks; if set, specifies blocks of - IP addresses which can authenticate successfully, and ties the - resulting token to these blocks as well. 
Specifies the blocks - of IP addresses which are allowed to use the generated token + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + Specifies the blocks of IP addresses which are allowed to use the generated token items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: - description: If set, will encode an explicit max TTL onto the - token in number of seconds. This is a hard cap even if token_ttl - and token_max_ttl would otherwise allow a renewal. Generated - Token's Explicit Maximum TTL in seconds + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + Generated Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime for generated tokens in number - of seconds. Its current value will be referenced at renewal - time. The maximum lifetime of the generated token + description: |- + The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If set, the default policy will not be set on generated - tokens; otherwise it will be added to the policies set in token_policies. - If true, the 'default' policy will not automatically be added - to generated tokens + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a generated token may - be used (within its lifetime); 0 means unlimited. 
The maximum - number of times a token may be used, a value of zero means unlimited + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + The maximum number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: If set, indicates that the token generated using - this role should never expire. The token should be renewed within - the duration specified by this value. At each renewal, the token's - TTL will be set to the value of this field. Specified in seconds. + description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. Generated Token's Period type: number tokenPolicies: - description: List of policies to encode onto generated tokens. - Depending on the auth method, this list may be supplemented - by user/group/other values. Generated Token's Policies + description: |- + List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + Generated Token's Policies items: type: string type: array + x-kubernetes-list-type: set tokenTtl: - description: The incremental lifetime for generated tokens in - number of seconds. Its current value will be referenced at renewal - time. The initial ttl of the token to generate in seconds + description: |- + The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The initial ttl of the token to generate in seconds type: number tokenType: - description: 'The type of token that should be generated. Can - be service, batch, or default to use the mount''s tuned default - (which unless changed will be service tokens). 
For token store - roles, there are two additional possibilities: default-service - and default-batch which specify the type to return unless the - client requests a different type at generation time. The type - of token to generate, service or batch' + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. + The type of token to generate, service or batch type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. 
Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
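Review bot: The new `x-kubernetes-list-type: set` on `tokenBoundCidrs` and `tokenPolicies` tightens validation, because the API server rejects a set-typed list that contains duplicate items, which the old schema accepted. It is added under both `forProvider` and `initProvider` in this hunk, and again under `atProvider` in the later status hunk. An existing object that repeats a CIDR block or a policy name may therefore fail validation on its next update; whether it does depends on the cluster's validation-ratcheting support, which is not visible here. The file appears to be generated, so the place to record this is the release notes, for example `tokenBoundCidrs and tokenPolicies are now sets; remove duplicate entries before upgrading`.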
@@ -265,45 +452,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
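Review bot: Removing `providerRef` from the spec schema deserves an explicit upgrade note, because a structural CRD schema prunes fields it no longer declares. If pruning is in effect for this CRD (the setting is not visible in this hunk), a manifest that still sets only `spec.providerRef` would be accepted, silently lose that field, and fall back to the `providerConfigRef` default of `name: default`. The resource could then be reconciled against a different Vault provider configuration, and therefore different credentials, than the author intended. The file appears to be generated, so the note belongs in the release notes rather than here, for example `Breaking: spec.providerRef has been removed; migrate to spec.providerConfigRef before upgrading`.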
@@ -313,21 +465,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -337,17 +489,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -357,21 +511,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -386,21 +540,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -411,14 +566,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -434,97 +590,113 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: arn is a required parameter + - message: spec.forProvider.arn is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.arn) - || has(self.initProvider.arn)' - - message: role is a required parameter + || (has(self.initProvider) && has(self.initProvider.arn))' + - message: spec.forProvider.role is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.role) - || has(self.initProvider.role)' + || (has(self.initProvider) && has(self.initProvider.role))' status: description: AuthBackendRoleStatus defines the observed state of AuthBackendRole. properties: atProvider: properties: arn: - description: The role's arn. The role's arn. + description: |- + The role's arn. + The role's arn. type: string backend: - description: Path to the mounted AliCloud auth backend. Defaults - to alicloud Auth backend. + description: |- + Path to the mounted AliCloud auth backend. + Defaults to alicloud + Auth backend. type: string id: type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string role: - description: Name of the role. Must correspond with the name of - the role reflected in the arn. Name of the role. 
Must correspond - with the name of the role reflected in the arn. + description: |- + Name of the role. Must correspond with the name of + the role reflected in the arn. + Name of the role. Must correspond with the name of the role reflected in the arn. type: string tokenBoundCidrs: - description: List of CIDR blocks; if set, specifies blocks of - IP addresses which can authenticate successfully, and ties the - resulting token to these blocks as well. Specifies the blocks - of IP addresses which are allowed to use the generated token + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + Specifies the blocks of IP addresses which are allowed to use the generated token items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: - description: If set, will encode an explicit max TTL onto the - token in number of seconds. This is a hard cap even if token_ttl - and token_max_ttl would otherwise allow a renewal. Generated - Token's Explicit Maximum TTL in seconds + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + Generated Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime for generated tokens in number - of seconds. Its current value will be referenced at renewal - time. The maximum lifetime of the generated token + description: |- + The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If set, the default policy will not be set on generated - tokens; otherwise it will be added to the policies set in token_policies. 
- If true, the 'default' policy will not automatically be added - to generated tokens + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a generated token may - be used (within its lifetime); 0 means unlimited. The maximum - number of times a token may be used, a value of zero means unlimited + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + The maximum number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: If set, indicates that the token generated using - this role should never expire. The token should be renewed within - the duration specified by this value. At each renewal, the token's - TTL will be set to the value of this field. Specified in seconds. + description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. Generated Token's Period type: number tokenPolicies: - description: List of policies to encode onto generated tokens. - Depending on the auth method, this list may be supplemented - by user/group/other values. Generated Token's Policies + description: |- + List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + Generated Token's Policies items: type: string type: array + x-kubernetes-list-type: set tokenTtl: - description: The incremental lifetime for generated tokens in - number of seconds. Its current value will be referenced at renewal - time. 
The initial ttl of the token to generate in seconds + description: |- + The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The initial ttl of the token to generate in seconds type: number tokenType: - description: 'The type of token that should be generated. Can - be service, batch, or default to use the mount''s tuned default - (which unless changed will be service tokens). For token store - roles, there are two additional possibilities: default-service - and default-batch which specify the type to return unless the - client requests a different type at generation time. The type - of token to generate, service or batch' + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. + The type of token to generate, service or batch type: string type: object conditions: 
@@ -533,14 +705,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -550,8 +731,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -560,6 +742,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/approle.vault.upbound.io_authbackendlogins.yaml b/package/crds/approle.vault.upbound.io_authbackendlogins.yaml index 8398ac77..fbb13d95 100644 --- a/package/crds/approle.vault.upbound.io_authbackendlogins.yaml +++ b/package/crds/approle.vault.upbound.io_authbackendlogins.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: authbackendlogins.approle.vault.upbound.io spec: group: approle.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: Log into Vault using the AppRole auth backend. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,24 +74,178 @@ spec: forProvider: properties: backend: - description: The unique path of the Vault backend to log in with. + description: |- + The unique path of the Vault backend to log in with. Unique name of the auth backend to configure. type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 
'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string roleId: - description: The ID of the role to log in with. The RoleID to - log in with. + description: |- + The ID of the role to log in with. + The RoleID to log in with. type: string + roleIdRef: + description: Reference to a AuthBackendRole in approle to populate + roleId. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. 
The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + roleIdSelector: + description: Selector for a AuthBackendRole in approle to populate + roleId. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object secretIdSecretRef: - description: The secret ID of the role to log in with. Required - unless bind_secret_id is set to false on the role. The SecretID - to log in with. + description: |- + The secret ID of the role to log in with. Required + unless bind_secret_id is set to false on the role. + The SecretID to log in with. properties: key: description: The key to select. 
@@ -103,51 +263,225 @@ spec: type: object type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: backend: - description: The unique path of the Vault backend to log in with. + description: |- + The unique path of the Vault backend to log in with. Unique name of the auth backend to configure. type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. 
+ properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + type: object namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string roleId: - description: The ID of the role to log in with. The RoleID to - log in with. + description: |- + The ID of the role to log in with. + The RoleID to log in with. type: string + roleIdRef: + description: Reference to a AuthBackendRole in approle to populate + roleId. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + roleIdSelector: + description: Selector for a AuthBackendRole in approle to populate + roleId. 
+ properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + secretIdSecretRef: + description: |- + The secret ID of the role to log in with. Required + unless bind_secret_id is set to false on the role. + The SecretID to log in with. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. 
Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -160,45 +494,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -208,21 +507,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -232,17 +531,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -252,21 +553,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -281,21 +582,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -306,14 +608,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -328,29 +631,27 @@ spec: required: - forProvider type: object - x-kubernetes-validations: - - message: roleId is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.roleId) - || has(self.initProvider.roleId)' status: description: AuthBackendLoginStatus defines the observed state of AuthBackendLogin. properties: atProvider: properties: accessor: - description: The accessor for the token. The accessor for the - token. + description: |- + The accessor for the token. + The accessor for the token. type: string backend: - description: The unique path of the Vault backend to log in with. + description: |- + The unique path of the Vault backend to log in with. Unique name of the auth backend to configure. type: string id: type: string leaseDuration: - description: How long the token is valid for, in seconds. How - long the token is valid for. + description: |- + How long the token is valid for, in seconds. + How long the token is valid for. type: number leaseStarted: description: The date and time the lease started, in RFC 3339 
@@ -359,29 +660,35 @@ spec: metadata: additionalProperties: type: string - description: The metadata associated with the token. Metadata - associated with the token. + description: |- + The metadata associated with the token. + Metadata associated with the token. type: object + x-kubernetes-map-type: granular namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string policies: - description: A list of policies applied to the token. Policies - set on the token. + description: |- + A list of policies applied to the token. + Policies set on the token. items: type: string type: array renewable: - description: Whether the token is renewable or not. Whether the - token is renewable or not. + description: |- + Whether the token is renewable or not. + Whether the token is renewable or not. type: boolean roleId: - description: The ID of the role to log in with. The RoleID to - log in with. + description: |- + The ID of the role to log in with. + The RoleID to log in with. type: string type: object conditions: 
@@ -390,14 +697,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -407,8 +723,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -417,6 +734,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/approle.vault.upbound.io_authbackendroles.yaml b/package/crds/approle.vault.upbound.io_authbackendroles.yaml index 1d4cafd8..821e1112 100644 --- a/package/crds/approle.vault.upbound.io_authbackendroles.yaml +++ b/package/crds/approle.vault.upbound.io_authbackendroles.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: authbackendroles.approle.vault.upbound.io spec: group: approle.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: AppRole auth backend roles in Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,241 +74,428 @@ spec: forProvider: properties: backend: - description: The unique name of the auth backend to configure. - Defaults to approle. Unique name of the auth backend to configure. + description: |- + The unique name of the auth backend to configure. + Defaults to approle. + Unique name of the auth backend to configure. type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. 
+ The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object bindSecretId: - description: Whether or not to require secret_id to be presented - when logging in using this AppRole. Defaults to true. Whether - or not to require secret_id to be present when logging in using - this AppRole. + description: |- + Whether or not to require secret_id to be + presented when logging in using this AppRole. Defaults to true. + Whether or not to require secret_id to be present when logging in using this AppRole. type: boolean namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string roleId: - description: The RoleID of this role. If not specified, one will - be auto-generated. The RoleID of the role. Autogenerated if - not set. + description: |- + The RoleID of this role. If not specified, one will be + auto-generated. + The RoleID of the role. Autogenerated if not set. type: string roleName: - description: The name of the role. 
Name of the role. + description: |- + The name of the role. + Name of the role. type: string secretIdBoundCidrs: - description: If set, specifies blocks of IP addresses which can - perform the login operation. List of CIDR blocks that can log - in using the AppRole. + description: |- + If set, + specifies blocks of IP addresses which can perform the login operation. + List of CIDR blocks that can log in using the AppRole. items: type: string type: array + x-kubernetes-list-type: set secretIdNumUses: - description: The number of times any particular SecretID can be - used to fetch a token from this AppRole, after which the SecretID - will expire. A value of zero will allow unlimited uses. Number - of times which a particular SecretID can be used to fetch a - token from this AppRole, after which the SecretID will expire. - Leaving this unset or setting it to 0 will allow unlimited uses. + description: |- + The number of times any particular SecretID + can be used to fetch a token from this AppRole, after which the SecretID will + expire. A value of zero will allow unlimited uses. + Number of times which a particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will expire. Leaving this unset or setting it to 0 will allow unlimited uses. type: number secretIdTtl: - description: The number of seconds after which any SecretID expires. + description: |- + The number of seconds after which any SecretID + expires. Number of seconds a SecretID remains valid for. type: number tokenBoundCidrs: - description: List of CIDR blocks; if set, specifies blocks of - IP addresses which can authenticate successfully, and ties the - resulting token to these blocks as well. Specifies the blocks - of IP addresses which are allowed to use the generated token + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. 
+ Specifies the blocks of IP addresses which are allowed to use the generated token items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: - description: If set, will encode an explicit max TTL onto the - token in number of seconds. This is a hard cap even if token_ttl - and token_max_ttl would otherwise allow a renewal. Generated - Token's Explicit Maximum TTL in seconds + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + Generated Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime for generated tokens in number - of seconds. Its current value will be referenced at renewal - time. The maximum lifetime of the generated token + description: |- + The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If set, the default policy will not be set on generated - tokens; otherwise it will be added to the policies set in token_policies. - If true, the 'default' policy will not automatically be added - to generated tokens + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a generated token may - be used (within its lifetime); 0 means unlimited. The maximum - number of times a token may be used, a value of zero means unlimited + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. 
+ The maximum number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: If set, indicates that the token generated using - this role should never expire. The token should be renewed within - the duration specified by this value. At each renewal, the token's - TTL will be set to the value of this field. Specified in seconds. + description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. Generated Token's Period type: number tokenPolicies: - description: List of policies to encode onto generated tokens. - Depending on the auth method, this list may be supplemented - by user/group/other values. Generated Token's Policies + description: |- + List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + Generated Token's Policies items: type: string type: array + x-kubernetes-list-type: set tokenTtl: - description: The incremental lifetime for generated tokens in - number of seconds. Its current value will be referenced at renewal - time. The initial ttl of the token to generate in seconds + description: |- + The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The initial ttl of the token to generate in seconds type: number tokenType: - description: 'The type of token that should be generated. Can - be service, batch, or default to use the mount''s tuned default - (which unless changed will be service tokens). For token store - roles, there are two additional possibilities: default-service - and default-batch which specify the type to return unless the - client requests a different type at generation time. 
The type - of token to generate, service or batch' + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. + The type of token to generate, service or batch type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: backend: - description: The unique name of the auth backend to configure. 
- Defaults to approle. Unique name of the auth backend to configure. + description: |- + The unique name of the auth backend to configure. + Defaults to approle. + Unique name of the auth backend to configure. type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object bindSecretId: - description: Whether or not to require secret_id to be presented - when logging in using this AppRole. Defaults to true. Whether - or not to require secret_id to be present when logging in using - this AppRole. + description: |- + Whether or not to require secret_id to be + presented when logging in using this AppRole. Defaults to true. + Whether or not to require secret_id to be present when logging in using this AppRole. type: boolean namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string roleId: - description: The RoleID of this role. If not specified, one will - be auto-generated. The RoleID of the role. Autogenerated if - not set. + description: |- + The RoleID of this role. If not specified, one will be + auto-generated. + The RoleID of the role. Autogenerated if not set. type: string roleName: - description: The name of the role. Name of the role. + description: |- + The name of the role. + Name of the role. 
type: string secretIdBoundCidrs: - description: If set, specifies blocks of IP addresses which can - perform the login operation. List of CIDR blocks that can log - in using the AppRole. + description: |- + If set, + specifies blocks of IP addresses which can perform the login operation. + List of CIDR blocks that can log in using the AppRole. items: type: string type: array + x-kubernetes-list-type: set secretIdNumUses: - description: The number of times any particular SecretID can be - used to fetch a token from this AppRole, after which the SecretID - will expire. A value of zero will allow unlimited uses. Number - of times which a particular SecretID can be used to fetch a - token from this AppRole, after which the SecretID will expire. - Leaving this unset or setting it to 0 will allow unlimited uses. + description: |- + The number of times any particular SecretID + can be used to fetch a token from this AppRole, after which the SecretID will + expire. A value of zero will allow unlimited uses. + Number of times which a particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will expire. Leaving this unset or setting it to 0 will allow unlimited uses. type: number secretIdTtl: - description: The number of seconds after which any SecretID expires. + description: |- + The number of seconds after which any SecretID + expires. Number of seconds a SecretID remains valid for. type: number tokenBoundCidrs: - description: List of CIDR blocks; if set, specifies blocks of - IP addresses which can authenticate successfully, and ties the - resulting token to these blocks as well. Specifies the blocks - of IP addresses which are allowed to use the generated token + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. 
+ Specifies the blocks of IP addresses which are allowed to use the generated token items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: - description: If set, will encode an explicit max TTL onto the - token in number of seconds. This is a hard cap even if token_ttl - and token_max_ttl would otherwise allow a renewal. Generated - Token's Explicit Maximum TTL in seconds + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + Generated Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime for generated tokens in number - of seconds. Its current value will be referenced at renewal - time. The maximum lifetime of the generated token + description: |- + The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If set, the default policy will not be set on generated - tokens; otherwise it will be added to the policies set in token_policies. - If true, the 'default' policy will not automatically be added - to generated tokens + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a generated token may - be used (within its lifetime); 0 means unlimited. The maximum - number of times a token may be used, a value of zero means unlimited + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. 
+ The maximum number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: If set, indicates that the token generated using - this role should never expire. The token should be renewed within - the duration specified by this value. At each renewal, the token's - TTL will be set to the value of this field. Specified in seconds. + description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. Generated Token's Period type: number tokenPolicies: - description: List of policies to encode onto generated tokens. - Depending on the auth method, this list may be supplemented - by user/group/other values. Generated Token's Policies + description: |- + List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + Generated Token's Policies items: type: string type: array + x-kubernetes-list-type: set tokenTtl: - description: The incremental lifetime for generated tokens in - number of seconds. Its current value will be referenced at renewal - time. The initial ttl of the token to generate in seconds + description: |- + The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The initial ttl of the token to generate in seconds type: number tokenType: - description: 'The type of token that should be generated. Can - be service, batch, or default to use the mount''s tuned default - (which unless changed will be service tokens). For token store - roles, there are two additional possibilities: default-service - and default-batch which specify the type to return unless the - client requests a different type at generation time. 
The type - of token to generate, service or batch' + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. + The type of token to generate, service or batch type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. 
+ See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -315,45 +508,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -363,21 +521,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -387,17 +545,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -407,21 +567,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -436,21 +596,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -461,14 +622,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -484,118 +646,137 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: roleName is a required parameter + - message: spec.forProvider.roleName is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.roleName) - || has(self.initProvider.roleName)' + || (has(self.initProvider) && has(self.initProvider.roleName))' status: description: AuthBackendRoleStatus defines the observed state of AuthBackendRole. properties: atProvider: properties: backend: - description: The unique name of the auth backend to configure. - Defaults to approle. Unique name of the auth backend to configure. + description: |- + The unique name of the auth backend to configure. + Defaults to approle. + Unique name of the auth backend to configure. type: string bindSecretId: - description: Whether or not to require secret_id to be presented - when logging in using this AppRole. Defaults to true. Whether - or not to require secret_id to be present when logging in using - this AppRole. + description: |- + Whether or not to require secret_id to be + presented when logging in using this AppRole. Defaults to true. + Whether or not to require secret_id to be present when logging in using this AppRole. type: boolean id: type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string roleId: - description: The RoleID of this role. 
If not specified, one will - be auto-generated. The RoleID of the role. Autogenerated if - not set. + description: |- + The RoleID of this role. If not specified, one will be + auto-generated. + The RoleID of the role. Autogenerated if not set. type: string roleName: - description: The name of the role. Name of the role. + description: |- + The name of the role. + Name of the role. type: string secretIdBoundCidrs: - description: If set, specifies blocks of IP addresses which can - perform the login operation. List of CIDR blocks that can log - in using the AppRole. + description: |- + If set, + specifies blocks of IP addresses which can perform the login operation. + List of CIDR blocks that can log in using the AppRole. items: type: string type: array + x-kubernetes-list-type: set secretIdNumUses: - description: The number of times any particular SecretID can be - used to fetch a token from this AppRole, after which the SecretID - will expire. A value of zero will allow unlimited uses. Number - of times which a particular SecretID can be used to fetch a - token from this AppRole, after which the SecretID will expire. - Leaving this unset or setting it to 0 will allow unlimited uses. + description: |- + The number of times any particular SecretID + can be used to fetch a token from this AppRole, after which the SecretID will + expire. A value of zero will allow unlimited uses. + Number of times which a particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will expire. Leaving this unset or setting it to 0 will allow unlimited uses. type: number secretIdTtl: - description: The number of seconds after which any SecretID expires. + description: |- + The number of seconds after which any SecretID + expires. Number of seconds a SecretID remains valid for. 
type: number tokenBoundCidrs: - description: List of CIDR blocks; if set, specifies blocks of - IP addresses which can authenticate successfully, and ties the - resulting token to these blocks as well. Specifies the blocks - of IP addresses which are allowed to use the generated token + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + Specifies the blocks of IP addresses which are allowed to use the generated token items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: - description: If set, will encode an explicit max TTL onto the - token in number of seconds. This is a hard cap even if token_ttl - and token_max_ttl would otherwise allow a renewal. Generated - Token's Explicit Maximum TTL in seconds + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + Generated Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime for generated tokens in number - of seconds. Its current value will be referenced at renewal - time. The maximum lifetime of the generated token + description: |- + The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If set, the default policy will not be set on generated - tokens; otherwise it will be added to the policies set in token_policies. - If true, the 'default' policy will not automatically be added - to generated tokens + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. 
+ If true, the 'default' policy will not automatically be added to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a generated token may - be used (within its lifetime); 0 means unlimited. The maximum - number of times a token may be used, a value of zero means unlimited + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + The maximum number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: If set, indicates that the token generated using - this role should never expire. The token should be renewed within - the duration specified by this value. At each renewal, the token's - TTL will be set to the value of this field. Specified in seconds. + description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. Generated Token's Period type: number tokenPolicies: - description: List of policies to encode onto generated tokens. - Depending on the auth method, this list may be supplemented - by user/group/other values. Generated Token's Policies + description: |- + List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + Generated Token's Policies items: type: string type: array + x-kubernetes-list-type: set tokenTtl: - description: The incremental lifetime for generated tokens in - number of seconds. Its current value will be referenced at renewal - time. The initial ttl of the token to generate in seconds + description: |- + The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. 
+ The initial ttl of the token to generate in seconds type: number tokenType: - description: 'The type of token that should be generated. Can - be service, batch, or default to use the mount''s tuned default - (which unless changed will be service tokens). For token store - roles, there are two additional possibilities: default-service - and default-batch which specify the type to return unless the - client requests a different type at generation time. The type - of token to generate, service or batch' + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. + The type of token to generate, service or batch type: string type: object conditions: 
@@ -604,14 +785,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -621,8 +811,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -631,6 +822,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/approle.vault.upbound.io_authbackendrolesecretids.yaml b/package/crds/approle.vault.upbound.io_authbackendrolesecretids.yaml index adab14f8..6be05c4b 100644 --- a/package/crds/approle.vault.upbound.io_authbackendrolesecretids.yaml +++ b/package/crds/approle.vault.upbound.io_authbackendrolesecretids.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: authbackendrolesecretids.approle.vault.upbound.io spec: group: approle.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: API. Manages AppRole auth backend role SecretIDs in Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -55,13 +60,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -71,33 +77,189 @@ spec: backend: description: Unique name of the auth backend to configure. type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. 
The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object cidrList: - description: If set, specifies blocks of IP addresses which can - perform the login operation using this SecretID. List of CIDR - blocks that can log in using the SecretID. + description: |- + If set, specifies blocks of IP addresses which can + perform the login operation using this SecretID. + List of CIDR blocks that can log in using the SecretID. items: type: string type: array + x-kubernetes-list-type: set metadata: - description: A JSON-encoded string containing metadata in key-value - pairs to be set on tokens issued with this SecretID. JSON-encoded - secret data to write. + description: |- + A JSON-encoded string containing metadata in + key-value pairs to be set on tokens issued with this SecretID. + JSON-encoded secret data to write. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string roleName: - description: The name of the role to create the SecretID for. + description: |- + The name of the role to create the SecretID for. Name of the role. type: string + roleNameRef: + description: Reference to a AuthBackendRole in approle to populate + roleName. + properties: + name: + description: Name of the referenced object. 
+ type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + roleNameSelector: + description: Selector for a AuthBackendRole in approle to populate + roleName. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + type: object secretIdSecretRef: - description: The SecretID to be created. If set, uses "Push" mode. Defaults - to Vault auto-generating SecretIDs. The SecretID to be managed. - If not specified, Vault auto-generates one. + description: |- + The SecretID to be created. If set, uses "Push" + mode. Defaults to Vault auto-generating SecretIDs. + The SecretID to be managed. If not specified, Vault auto-generates one. properties: key: description: The key to select. 
@@ -114,91 +276,269 @@ spec: - namespace type: object withWrappedAccessor: - description: Set to true to use the wrapped secret-id accessor - as the resource ID. If false (default value), a fresh secret - ID will be regenerated whenever the wrapping token is expired - or invalidated through unwrapping. Use the wrapped secret-id - accessor as the id of this resource. If false, a fresh secret-id - will be regenerated whenever the wrapping token is expired or + description: |- + Set to true to use the wrapped secret-id accessor as the resource ID. + If false (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or invalidated through unwrapping. + Use the wrapped secret-id accessor as the id of this resource. If false, a fresh secret-id will be regenerated whenever the wrapping token is expired or invalidated through unwrapping. type: boolean wrappingTtl: - description: If set, the SecretID response will be response-wrapped - and available for the duration specified. Only a single unwrapping - of the token is allowed. The TTL duration of the wrapped SecretID. + description: |- + If set, the SecretID response will be + response-wrapped + and available for the duration specified. Only a single unwrapping of the + token is allowed. + The TTL duration of the wrapped SecretID. type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. 
This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: backend: description: Unique name of the auth backend to configure. type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. 
+ properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object cidrList: - description: If set, specifies blocks of IP addresses which can - perform the login operation using this SecretID. List of CIDR - blocks that can log in using the SecretID. + description: |- + If set, specifies blocks of IP addresses which can + perform the login operation using this SecretID. + List of CIDR blocks that can log in using the SecretID. items: type: string type: array + x-kubernetes-list-type: set metadata: - description: A JSON-encoded string containing metadata in key-value - pairs to be set on tokens issued with this SecretID. JSON-encoded - secret data to write. + description: |- + A JSON-encoded string containing metadata in + key-value pairs to be set on tokens issued with this SecretID. + JSON-encoded secret data to write. type: string namespace: - description: The namespace to provision the resource in. 
The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string roleName: - description: The name of the role to create the SecretID for. + description: |- + The name of the role to create the SecretID for. Name of the role. type: string + roleNameRef: + description: Reference to a AuthBackendRole in approle to populate + roleName. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + roleNameSelector: + description: Selector for a AuthBackendRole in approle to populate + roleName. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. 
+ type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + secretIdSecretRef: + description: |- + The SecretID to be created. If set, uses "Push" + mode. Defaults to Vault auto-generating SecretIDs. + The SecretID to be managed. If not specified, Vault auto-generates one. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object withWrappedAccessor: - description: Set to true to use the wrapped secret-id accessor - as the resource ID. If false (default value), a fresh secret - ID will be regenerated whenever the wrapping token is expired - or invalidated through unwrapping. Use the wrapped secret-id - accessor as the id of this resource. If false, a fresh secret-id - will be regenerated whenever the wrapping token is expired or + description: |- + Set to true to use the wrapped secret-id accessor as the resource ID. 
+ If false (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or invalidated through unwrapping. + Use the wrapped secret-id accessor as the id of this resource. If false, a fresh secret-id will be regenerated whenever the wrapping token is expired or invalidated through unwrapping. type: boolean wrappingTtl: - description: If set, the SecretID response will be response-wrapped - and available for the duration specified. Only a single unwrapping - of the token is allowed. The TTL duration of the wrapped SecretID. + description: |- + If set, the SecretID response will be + response-wrapped + and available for the duration specified. Only a single unwrapping of the + token is allowed. + The TTL duration of the wrapped SecretID. type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. 
+ This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -211,45 +551,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -259,21 +564,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -283,17 +588,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -303,21 +610,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -332,21 +639,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -357,14 +665,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. @@ -379,11 +688,6 @@ spec: required: - forProvider type: object - x-kubernetes-validations: - - message: roleName is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.roleName) - || has(self.initProvider.roleName)' status: description: AuthBackendRoleSecretIDStatus defines the observed state of AuthBackendRoleSecretID. 
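Review bot: With the `x-kubernetes-validations` block removed in the second hunk here (`@@ -379,11 +688,6 @@`), nothing visible on the new side makes the API server reject an AuthBackendRoleSecretID that sets none of `roleName`, `roleNameRef` or `roleNameSelector`; `spec` still lists only `forProvider` as required. Such an object would presumably be admitted and fail only later during reconcile, which is harder to notice than an admission error. If that is not intended, keep a rule of the same shape as the removed one and add `has(self.forProvider.roleNameRef) || has(self.forProvider.roleNameSelector)` to the accepted alternatives, assuming `forProvider` carries the same reference fields that this file's diff adds earlier. The CRD is generated, so the change would belong in the generator configuration rather than in this file.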
@@ -391,54 +695,63 @@ spec: atProvider: properties: accessor: - description: The unique ID for this SecretID that can be safely - logged. The unique ID used to access this SecretID. + description: |- + The unique ID for this SecretID that can be safely logged. + The unique ID used to access this SecretID. type: string backend: description: Unique name of the auth backend to configure. type: string cidrList: - description: If set, specifies blocks of IP addresses which can - perform the login operation using this SecretID. List of CIDR - blocks that can log in using the SecretID. + description: |- + If set, specifies blocks of IP addresses which can + perform the login operation using this SecretID. + List of CIDR blocks that can log in using the SecretID. items: type: string type: array + x-kubernetes-list-type: set id: type: string metadata: - description: A JSON-encoded string containing metadata in key-value - pairs to be set on tokens issued with this SecretID. JSON-encoded - secret data to write. + description: |- + A JSON-encoded string containing metadata in + key-value pairs to be set on tokens issued with this SecretID. + JSON-encoded secret data to write. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string roleName: - description: The name of the role to create the SecretID for. + description: |- + The name of the role to create the SecretID for. Name of the role. 
type: string withWrappedAccessor: - description: Set to true to use the wrapped secret-id accessor - as the resource ID. If false (default value), a fresh secret - ID will be regenerated whenever the wrapping token is expired - or invalidated through unwrapping. Use the wrapped secret-id - accessor as the id of this resource. If false, a fresh secret-id - will be regenerated whenever the wrapping token is expired or + description: |- + Set to true to use the wrapped secret-id accessor as the resource ID. + If false (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or invalidated through unwrapping. + Use the wrapped secret-id accessor as the id of this resource. If false, a fresh secret-id will be regenerated whenever the wrapping token is expired or invalidated through unwrapping. type: boolean wrappingAccessor: - description: The unique ID for the response-wrapped SecretID that - can be safely logged. The wrapped SecretID accessor. + description: |- + The unique ID for the response-wrapped SecretID that can + be safely logged. + The wrapped SecretID accessor. type: string wrappingTtl: - description: If set, the SecretID response will be response-wrapped - and available for the duration specified. Only a single unwrapping - of the token is allowed. The TTL duration of the wrapped SecretID. + description: |- + If set, the SecretID response will be + response-wrapped + and available for the duration specified. Only a single unwrapping of the + token is allowed. + The TTL duration of the wrapped SecretID. type: string type: object conditions: 
@@ -447,14 +760,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -464,8 +786,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -474,6 +797,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/audit.vault.upbound.io_requestheaders.yaml b/package/crds/audit.vault.upbound.io_requestheaders.yaml index 89c73c71..6374b219 100644 --- a/package/crds/audit.vault.upbound.io_requestheaders.yaml +++ b/package/crds/audit.vault.upbound.io_requestheaders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: requestheaders.audit.vault.upbound.io spec: group: audit.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: audited request headers in Vault properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,39 +74,41 @@ spec: forProvider: properties: hmac: - description: Whether this header's value should be HMAC'd in the - audit logs. Whether this header's value should be HMAC'd in - the audit logs. + description: |- + Whether this header's value should be HMAC'd in the audit logs. + Whether this header's value should be HMAC'd in the audit logs. type: boolean name: - description: The name of the request header to audit. The name - of the request header to audit. + description: |- + The name of the request header to audit. + The name of the request header to audit. type: string namespace: description: Target namespace. (requires Enterprise) type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. 
This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: hmac: - description: Whether this header's value should be HMAC'd in the - audit logs. Whether this header's value should be HMAC'd in - the audit logs. + description: |- + Whether this header's value should be HMAC'd in the audit logs. + Whether this header's value should be HMAC'd in the audit logs. type: boolean name: - description: The name of the request header to audit. The name - of the request header to audit. + description: |- + The name of the request header to audit. + The name of the request header to audit. type: string namespace: description: Target namespace. (requires Enterprise) 
@@ -109,20 +117,21 @@ spec: managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. 
+ description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -135,45 +144,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -183,21 +157,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -207,17 +181,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -227,21 +203,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -256,21 +232,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -281,14 +258,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -304,25 +282,26 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: name is a required parameter + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' + || (has(self.initProvider) && has(self.initProvider.name))' status: description: RequestHeaderStatus defines the observed state of RequestHeader. properties: atProvider: properties: hmac: - description: Whether this header's value should be HMAC'd in the - audit logs. Whether this header's value should be HMAC'd in - the audit logs. + description: |- + Whether this header's value should be HMAC'd in the audit logs. + Whether this header's value should be HMAC'd in the audit logs. type: boolean id: type: string name: - description: The name of the request header to audit. The name - of the request header to audit. + description: |- + The name of the request header to audit. + The name of the request header to audit. type: string namespace: description: Target namespace. (requires Enterprise) 
@@ -334,14 +313,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -351,8 +339,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -361,6 +350,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/auth.vault.upbound.io_backends.yaml b/package/crds/auth.vault.upbound.io_backends.yaml index 245e6899..8ffbe1f7 100644 --- a/package/crds/auth.vault.upbound.io_backends.yaml +++ b/package/crds/auth.vault.upbound.io_backends.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: backends.auth.vault.upbound.io spec: group: auth.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: an Cert auth backend in Vault properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -73,15 +79,19 @@ spec: disableRemount: description: If set, opts out of mount migration on path updates. type: boolean + identityTokenKey: + description: The key to use for signing identity tokens. + type: string local: description: Specifies if the auth method is local only type: boolean namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: description: path to mount the backend. This defaults to the type. @@ -112,13 +122,12 @@ spec: type: string type: array tokenType: - description: 'The type of token that should be generated. - Can be service, batch, or default to use the mount''s - tuned default (which unless changed will be service tokens). - For token store roles, there are two additional possibilities: - default-service and default-batch which specify the type - to return unless the client requests a different type - at generation time.' + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. type: string type: object type: array 
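Review bot: The new `identityTokenKey` property is described only as "The key to use for signing identity tokens.", which does not say whether it takes a key name or key material. It is a plain `type: string`, and the later hunks of this file add it again in the `initProvider` block and in the status block next to `id`, so whatever is put there can be read by anyone who can read the resource. It presumably holds the name of a Vault identity token key; if so, say it, e.g. `description: Name of the key used to sign identity tokens (a key name, never key material).` This CRD is generated (see the controller-gen annotation), so the wording would have to change in the generator's input rather than in this file.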
@@ -127,17 +136,17 @@ spec: type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: description: description: The description of the auth backend 
@@ -145,15 +154,19 @@ spec: disableRemount: description: If set, opts out of mount migration on path updates. type: boolean + identityTokenKey: + description: The key to use for signing identity tokens. + type: string local: description: Specifies if the auth method is local only type: boolean namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: description: path to mount the backend. This defaults to the type. @@ -184,13 +197,12 @@ spec: type: string type: array tokenType: - description: 'The type of token that should be generated. - Can be service, batch, or default to use the mount''s - tuned default (which unless changed will be service tokens). - For token store roles, there are two additional possibilities: - default-service and default-batch which specify the type - to return unless the client requests a different type - at generation time.' + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. type: string type: object type: array 
@@ -201,20 +213,21 @@ spec: managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. 
+ description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -227,9 +240,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -239,57 +253,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -299,17 +277,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -319,21 +299,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -348,21 +328,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -373,14 +354,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. @@ -396,10 +378,10 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: type is a required parameter + - message: spec.forProvider.type is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.type) - || has(self.initProvider.type)' + || (has(self.initProvider) && has(self.initProvider.type))' status: description: BackendStatus defines the observed state of Backend. properties: 
@@ -416,15 +398,19 @@ spec: type: boolean id: type: string + identityTokenKey: + description: The key to use for signing identity tokens. + type: string local: description: Specifies if the auth method is local only type: boolean namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: description: path to mount the backend. This defaults to the type. @@ -455,13 +441,12 @@ spec: type: string type: array tokenType: - description: 'The type of token that should be generated. - Can be service, batch, or default to use the mount''s - tuned default (which unless changed will be service tokens). - For token store roles, there are two additional possibilities: - default-service and default-batch which specify the type - to return unless the client requests a different type - at generation time.' + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. type: string type: object type: array 
@@ -475,14 +460,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -492,8 +486,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -502,6 +497,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/aws.vault.upbound.io_authbackendcerts.yaml b/package/crds/aws.vault.upbound.io_authbackendcerts.yaml index 0d36d78c..4105cd8e 100644 --- a/package/crds/aws.vault.upbound.io_authbackendcerts.yaml +++ b/package/crds/aws.vault.upbound.io_authbackendcerts.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: authbackendcerts.aws.vault.upbound.io spec: group: aws.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: a certificate for an AWS Auth Backend in Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,93 +74,254 @@ spec: forProvider: properties: awsPublicCert: - description: The Base64 encoded AWS Public key required to verify - PKCS7 signature of the EC2 instance metadata. You can find this - key in the AWS documentation. Base64 encoded AWS Public key - required to verify PKCS7 signature of the EC2 instance metadata. + description: |- + The Base64 encoded AWS Public key required to + verify PKCS7 signature of the EC2 instance metadata. You can find this key in + the AWS + documentation. + Base64 encoded AWS Public key required to verify PKCS7 signature of the EC2 instance metadata. type: string backend: - description: The path the AWS auth backend being configured was - mounted at. Defaults to aws. Unique name of the auth backend - to configure. + description: |- + The path the AWS auth backend being configured was + mounted at. Defaults to aws. + Unique name of the auth backend to configure. type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. 
+ properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object certName: - description: The name of the certificate. Name of the certificate - to configure. + description: |- + The name of the certificate. + Name of the certificate to configure. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. 
(requires Enterprise) type: string type: - description: Either "pkcs7" or "identity", indicating the type - of document which can be verified using the given certificate. - Defaults to "pkcs7". The type of document that can be verified - using the certificate. Must be either "pkcs7" or "identity". + description: |- + Either "pkcs7" or "identity", indicating the type of + document which can be verified using the given certificate. Defaults to + "pkcs7". + The type of document that can be verified using the certificate. Must be either "pkcs7" or "identity". type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. 
properties: awsPublicCert: - description: The Base64 encoded AWS Public key required to verify - PKCS7 signature of the EC2 instance metadata. You can find this - key in the AWS documentation. Base64 encoded AWS Public key - required to verify PKCS7 signature of the EC2 instance metadata. + description: |- + The Base64 encoded AWS Public key required to + verify PKCS7 signature of the EC2 instance metadata. You can find this key in + the AWS + documentation. + Base64 encoded AWS Public key required to verify PKCS7 signature of the EC2 instance metadata. type: string backend: - description: The path the AWS auth backend being configured was - mounted at. Defaults to aws. Unique name of the auth backend - to configure. + description: |- + The path the AWS auth backend being configured was + mounted at. Defaults to aws. + Unique name of the auth backend to configure. type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. 
+ properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object certName: - description: The name of the certificate. Name of the certificate - to configure. + description: |- + The name of the certificate. + Name of the certificate to configure. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. 
(requires Enterprise) type: string type: - description: Either "pkcs7" or "identity", indicating the type - of document which can be verified using the given certificate. - Defaults to "pkcs7". The type of document that can be verified - using the certificate. Must be either "pkcs7" or "identity". + description: |- + Either "pkcs7" or "identity", indicating the type of + document which can be verified using the given certificate. Defaults to + "pkcs7". + The type of document that can be verified using the certificate. Must be either "pkcs7" or "identity". type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. 
If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
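Review bot: `forProvider.type` and `initProvider.type` are described as "Must be either "pkcs7" or "identity"", but both stay `type: string` with no `enum`, so the API server accepts any string for the document type this certificate verifies. Listing the two values next to `type: string`, e.g. `enum: [pkcs7, identity]`, would reject a bad value at admission instead of leaving it to the provider. This CRD looks generated (the sibling CRD later in the diff carries a controller-gen annotation), so the constraint would have to come from the generator configuration rather than a hand edit. The `spec` mapping that holds these fields starts before this hunk and continues after it.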
@@ -167,45 +334,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -215,21 +347,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -239,17 +371,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -259,21 +393,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -288,21 +422,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -313,14 +448,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -336,48 +472,54 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: awsPublicCert is a required parameter + - message: spec.forProvider.awsPublicCert is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.awsPublicCert) - || has(self.initProvider.awsPublicCert)' - - message: certName is a required parameter + || (has(self.initProvider) && has(self.initProvider.awsPublicCert))' + - message: spec.forProvider.certName is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.certName) - || has(self.initProvider.certName)' + || (has(self.initProvider) && has(self.initProvider.certName))' status: description: AuthBackendCertStatus defines the observed state of AuthBackendCert. properties: atProvider: properties: awsPublicCert: - description: The Base64 encoded AWS Public key required to verify - PKCS7 signature of the EC2 instance metadata. You can find this - key in the AWS documentation. Base64 encoded AWS Public key - required to verify PKCS7 signature of the EC2 instance metadata. + description: |- + The Base64 encoded AWS Public key required to + verify PKCS7 signature of the EC2 instance metadata. You can find this key in + the AWS + documentation. + Base64 encoded AWS Public key required to verify PKCS7 signature of the EC2 instance metadata. type: string backend: - description: The path the AWS auth backend being configured was - mounted at. Defaults to aws. Unique name of the auth backend - to configure. + description: |- + The path the AWS auth backend being configured was + mounted at. Defaults to aws. + Unique name of the auth backend to configure. type: string certName: - description: The name of the certificate. Name of the certificate - to configure. + description: |- + The name of the certificate. 
+ Name of the certificate to configure. type: string id: type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: - description: Either "pkcs7" or "identity", indicating the type - of document which can be verified using the given certificate. - Defaults to "pkcs7". The type of document that can be verified - using the certificate. Must be either "pkcs7" or "identity". + description: |- + Either "pkcs7" or "identity", indicating the type of + document which can be verified using the given certificate. Defaults to + "pkcs7". + The type of document that can be verified using the certificate. Must be either "pkcs7" or "identity". type: string type: object conditions: 
@@ -386,14 +528,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -403,8 +554,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -413,6 +565,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/aws.vault.upbound.io_authbackendclients.yaml b/package/crds/aws.vault.upbound.io_authbackendclients.yaml index ed4cf37c..8f2ca718 100644 --- a/package/crds/aws.vault.upbound.io_authbackendclients.yaml +++ b/package/crds/aws.vault.upbound.io_authbackendclients.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: authbackendclients.aws.vault.upbound.io spec: group: aws.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: Configures the client used by an AWS Auth Backend in Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete @@ -68,8 +74,10 @@ spec: forProvider: properties: accessKeySecretRef: - description: The AWS access key that Vault should use for the - auth backend. AWS Access key with permissions to query AWS APIs. + description: |- + The AWS access key that Vault should use for the + auth backend. Mutually exclusive with identity_token_audience. + AWS Access key with permissions to query AWS APIs. properties: key: description: The key to select. 
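Review bot: The new `accessKeySecretRef` description states it is mutually exclusive with `identity_token_audience`, but nothing in this hunk enforces that. The next hunk adds `identityTokenAudience` with the same statement and no rule either. Unless a validation exists further down the file, a manifest that sets both a static access key and an identity-token audience passes admission, and presumably only fails when the provider applies it. A spec-level entry such as `rule: '!(has(self.forProvider.accessKeySecretRef) && has(self.forProvider.identityTokenAudience))'` with a matching `message` would catch it early. Because the file is controller-gen output, that rule has to be emitted by the generator configuration. The `accessKeySecretRef` mapping continues past the end of this hunk.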
@@ -86,37 +94,141 @@ spec: - namespace type: object backend: - description: The path the AWS auth backend being configured was - mounted at. Defaults to aws. Unique name of the auth backend - to configure. + description: |- + The path the AWS auth backend being configured was + mounted at. Defaults to aws. + Unique name of the auth backend to configure. type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. 
+ The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object ec2Endpoint: - description: Override the URL Vault uses when making EC2 API calls. - URL to override the default generated endpoint for making AWS - EC2 API calls. + description: |- + Override the URL Vault uses when making EC2 API + calls. + URL to override the default generated endpoint for making AWS EC2 API calls. type: string iamEndpoint: - description: Override the URL Vault uses when making IAM API calls. - URL to override the default generated endpoint for making AWS - IAM API calls. + description: |- + Override the URL Vault uses when making IAM API + calls. + URL to override the default generated endpoint for making AWS IAM API calls. type: string iamServerIdHeaderValue: - description: The value to require in the X-Vault-AWS-IAM-Server-ID - header as part of GetCallerIdentity requests that are used in - the IAM auth method. The value to require in the X-Vault-AWS-IAM-Server-ID - header as part of GetCallerIdentity requests that are used in - the iam auth method. + description: |- + The value to require in the + X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests + that are used in the IAM auth method. + The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the iam auth method. + type: string + identityTokenAudience: + description: |- + The audience claim value. Mutually exclusive with access_key. 
+ Requires Vault 1.17+. Available only for Vault Enterprise + The audience claim value. type: string + identityTokenTtl: + description: |- + The TTL of generated identity tokens in seconds. Requires Vault 1.17+. + Available only for Vault Enterprise + The TTL of generated identity tokens in seconds. + type: number + maxRetries: + description: |- + Number of max retries the client should use for recoverable errors. + The default -1 falls back to the AWS SDK's default behavior. + Number of max retries the client should use for recoverable errors. + type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) + type: string + roleArn: + description: |- + Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. + Available only for Vault Enterprise + Role ARN to assume for plugin identity token federation. type: string secretKeySecretRef: - description: The AWS secret key that Vault should use for the - auth backend. AWS Secret key with permissions to query AWS APIs. + description: |- + The AWS secret key that Vault should use for the + auth backend. + AWS Secret key with permissions to query AWS APIs. properties: key: description: The key to select. 
@@ -133,106 +245,251 @@ spec: - namespace type: object stsEndpoint: - description: Override the URL Vault uses when making STS API calls. - URL to override the default generated endpoint for making AWS - STS API calls. + description: |- + Override the URL Vault uses when making STS API + calls. + URL to override the default generated endpoint for making AWS STS API calls. type: string stsRegion: - description: Override the default region when making STS API calls. - The sts_endpoint argument must be set when using sts_region. - Region to override the default region for making AWS STS API - calls. + description: |- + Override the default region when making STS API + calls. The sts_endpoint argument must be set when using sts_region. + Region to override the default region for making AWS STS API calls. type: string useStsRegionFromClient: - description: Available in Vault v1.15+. If set, overrides both - sts_endpoint and sts_region to instead use the region specified - in the client request headers for IAM-based authentication. - This can be useful when you have client requests coming from - different regions and want flexibility in which regional STS - API is used. If set, will override sts_region and use the region - from the client request's header + description: |- + Available in Vault v1.15+. If set, + overrides both sts_endpoint and sts_region to instead use the region + specified in the client request headers for IAM-based authentication. + This can be useful when you have client requests coming from different + regions and want flexibility in which regional STS API is used. + If set, will override sts_region and use the region from the client request's header type: boolean type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. 
InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: + accessKeySecretRef: + description: |- + The AWS access key that Vault should use for the + auth backend. Mutually exclusive with identity_token_audience. + AWS Access key with permissions to query AWS APIs. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object backend: - description: The path the AWS auth backend being configured was - mounted at. Defaults to aws. Unique name of the auth backend - to configure. + description: |- + The path the AWS auth backend being configured was + mounted at. Defaults to aws. + Unique name of the auth backend to configure. 
type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. 
The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object ec2Endpoint: - description: Override the URL Vault uses when making EC2 API calls. - URL to override the default generated endpoint for making AWS - EC2 API calls. + description: |- + Override the URL Vault uses when making EC2 API + calls. + URL to override the default generated endpoint for making AWS EC2 API calls. type: string iamEndpoint: - description: Override the URL Vault uses when making IAM API calls. - URL to override the default generated endpoint for making AWS - IAM API calls. + description: |- + Override the URL Vault uses when making IAM API + calls. + URL to override the default generated endpoint for making AWS IAM API calls. type: string iamServerIdHeaderValue: - description: The value to require in the X-Vault-AWS-IAM-Server-ID - header as part of GetCallerIdentity requests that are used in - the IAM auth method. The value to require in the X-Vault-AWS-IAM-Server-ID - header as part of GetCallerIdentity requests that are used in - the iam auth method. + description: |- + The value to require in the + X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests + that are used in the IAM auth method. + The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the iam auth method. + type: string + identityTokenAudience: + description: |- + The audience claim value. Mutually exclusive with access_key. + Requires Vault 1.17+. Available only for Vault Enterprise + The audience claim value. type: string + identityTokenTtl: + description: |- + The TTL of generated identity tokens in seconds. Requires Vault 1.17+. + Available only for Vault Enterprise + The TTL of generated identity tokens in seconds. 
+ type: number + maxRetries: + description: |- + Number of max retries the client should use for recoverable errors. + The default -1 falls back to the AWS SDK's default behavior. + Number of max retries the client should use for recoverable errors. + type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string + roleArn: + description: |- + Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. + Available only for Vault Enterprise + Role ARN to assume for plugin identity token federation. + type: string + secretKeySecretRef: + description: |- + The AWS secret key that Vault should use for the + auth backend. + AWS Secret key with permissions to query AWS APIs. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object stsEndpoint: - description: Override the URL Vault uses when making STS API calls. - URL to override the default generated endpoint for making AWS - STS API calls. + description: |- + Override the URL Vault uses when making STS API + calls. + URL to override the default generated endpoint for making AWS STS API calls. type: string stsRegion: - description: Override the default region when making STS API calls. - The sts_endpoint argument must be set when using sts_region. 
- Region to override the default region for making AWS STS API - calls. + description: |- + Override the default region when making STS API + calls. The sts_endpoint argument must be set when using sts_region. + Region to override the default region for making AWS STS API calls. type: string useStsRegionFromClient: - description: Available in Vault v1.15+. If set, overrides both - sts_endpoint and sts_region to instead use the region specified - in the client request headers for IAM-based authentication. - This can be useful when you have client requests coming from - different regions and want flexibility in which regional STS - API is used. If set, will override sts_region and use the region - from the client request's header + description: |- + Available in Vault v1.15+. If set, + overrides both sts_endpoint and sts_region to instead use the region + specified in the client request headers for IAM-based authentication. + This can be useful when you have client requests coming from different + regions and want flexibility in which regional STS API is used. + If set, will override sts_region and use the region from the client request's header type: boolean type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. 
See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -245,45 +502,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -293,21 +515,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -317,17 +539,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -337,21 +561,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -366,21 +590,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -391,14 +616,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -419,55 +645,84 @@ spec: atProvider: properties: backend: - description: The path the AWS auth backend being configured was - mounted at. Defaults to aws. Unique name of the auth backend - to configure. + description: |- + The path the AWS auth backend being configured was + mounted at. Defaults to aws. + Unique name of the auth backend to configure. type: string ec2Endpoint: - description: Override the URL Vault uses when making EC2 API calls. - URL to override the default generated endpoint for making AWS - EC2 API calls. + description: |- + Override the URL Vault uses when making EC2 API + calls. + URL to override the default generated endpoint for making AWS EC2 API calls. type: string iamEndpoint: - description: Override the URL Vault uses when making IAM API calls. - URL to override the default generated endpoint for making AWS - IAM API calls. + description: |- + Override the URL Vault uses when making IAM API + calls. + URL to override the default generated endpoint for making AWS IAM API calls. type: string iamServerIdHeaderValue: - description: The value to require in the X-Vault-AWS-IAM-Server-ID - header as part of GetCallerIdentity requests that are used in - the IAM auth method. The value to require in the X-Vault-AWS-IAM-Server-ID - header as part of GetCallerIdentity requests that are used in - the iam auth method. + description: |- + The value to require in the + X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests + that are used in the IAM auth method. + The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the iam auth method. type: string id: type: string + identityTokenAudience: + description: |- + The audience claim value. Mutually exclusive with access_key. + Requires Vault 1.17+. Available only for Vault Enterprise + The audience claim value. + type: string + identityTokenTtl: + description: |- + The TTL of generated identity tokens in seconds. 
Requires Vault 1.17+. + Available only for Vault Enterprise + The TTL of generated identity tokens in seconds. + type: number + maxRetries: + description: |- + Number of max retries the client should use for recoverable errors. + The default -1 falls back to the AWS SDK's default behavior. + Number of max retries the client should use for recoverable errors. + type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) + type: string + roleArn: + description: |- + Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. + Available only for Vault Enterprise + Role ARN to assume for plugin identity token federation. type: string stsEndpoint: - description: Override the URL Vault uses when making STS API calls. - URL to override the default generated endpoint for making AWS - STS API calls. + description: |- + Override the URL Vault uses when making STS API + calls. + URL to override the default generated endpoint for making AWS STS API calls. type: string stsRegion: - description: Override the default region when making STS API calls. - The sts_endpoint argument must be set when using sts_region. - Region to override the default region for making AWS STS API - calls. + description: |- + Override the default region when making STS API + calls. The sts_endpoint argument must be set when using sts_region. + Region to override the default region for making AWS STS API calls. 
type: string useStsRegionFromClient: - description: Available in Vault v1.15+. If set, overrides both - sts_endpoint and sts_region to instead use the region specified - in the client request headers for IAM-based authentication. - This can be useful when you have client requests coming from - different regions and want flexibility in which regional STS - API is used. If set, will override sts_region and use the region - from the client request's header + description: |- + Available in Vault v1.15+. If set, + overrides both sts_endpoint and sts_region to instead use the region + specified in the client request headers for IAM-based authentication. + This can be useful when you have client requests coming from different + regions and want flexibility in which regional STS API is used. + If set, will override sts_region and use the region from the client request's header type: boolean type: object conditions: 
@@ -476,14 +731,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -493,8 +757,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -503,6 +768,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/aws.vault.upbound.io_authbackendconfigidentities.yaml b/package/crds/aws.vault.upbound.io_authbackendconfigidentities.yaml index a56d67a0..d57b0abf 100644 --- a/package/crds/aws.vault.upbound.io_authbackendconfigidentities.yaml +++ b/package/crds/aws.vault.upbound.io_authbackendconfigidentities.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: authbackendconfigidentities.aws.vault.upbound.io spec: group: aws.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: API. Manages AWS auth backend identity configuration in Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -55,13 +60,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -71,111 +77,266 @@ spec: backend: description: Unique name of the auth backend to configure. type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. 
The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object ec2Alias: - description: How to generate the identity alias when using the - ec2 auth method. Valid choices are role_id, instance_id, and - image_id. Defaults to role_id Configures how to generate the - identity alias when using the ec2 auth method. + description: |- + How to generate the identity alias when using the ec2 auth method. Valid choices are + role_id, instance_id, and image_id. Defaults to role_id + Configures how to generate the identity alias when using the ec2 auth method. type: string ec2Metadata: - description: The metadata to include on the token returned by - the login endpoint. This metadata will be added to both audit - logs, and on the ec2_alias The metadata to include on the token - returned by the login endpoint. + description: |- + The metadata to include on the token returned by the login endpoint. This metadata will be + added to both audit logs, and on the ec2_alias + The metadata to include on the token returned by the login endpoint. items: type: string type: array + x-kubernetes-list-type: set iamAlias: - description: How to generate the identity alias when using the - iam auth method. Valid choices are role_id, unique_id, and full_arn. - Defaults to role_id How to generate the identity alias when - using the iam auth method. + description: |- + How to generate the identity alias when using the iam auth method. Valid choices are + role_id, unique_id, and full_arn. Defaults to role_id + How to generate the identity alias when using the iam auth method. type: string iamMetadata: - description: The metadata to include on the token returned by - the login endpoint. 
This metadata will be added to both audit - logs, and on the iam_alias The metadata to include on the token - returned by the login endpoint. + description: |- + The metadata to include on the token returned by the login endpoint. This metadata will be + added to both audit logs, and on the iam_alias + The metadata to include on the token returned by the login endpoint. items: type: string type: array + x-kubernetes-list-type: set namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. 
+ InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: backend: description: Unique name of the auth backend to configure. type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. 
+ type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object ec2Alias: - description: How to generate the identity alias when using the - ec2 auth method. Valid choices are role_id, instance_id, and - image_id. Defaults to role_id Configures how to generate the - identity alias when using the ec2 auth method. + description: |- + How to generate the identity alias when using the ec2 auth method. Valid choices are + role_id, instance_id, and image_id. Defaults to role_id + Configures how to generate the identity alias when using the ec2 auth method. type: string ec2Metadata: - description: The metadata to include on the token returned by - the login endpoint. This metadata will be added to both audit - logs, and on the ec2_alias The metadata to include on the token - returned by the login endpoint. + description: |- + The metadata to include on the token returned by the login endpoint. This metadata will be + added to both audit logs, and on the ec2_alias + The metadata to include on the token returned by the login endpoint. items: type: string type: array + x-kubernetes-list-type: set iamAlias: - description: How to generate the identity alias when using the - iam auth method. Valid choices are role_id, unique_id, and full_arn. 
- Defaults to role_id How to generate the identity alias when - using the iam auth method. + description: |- + How to generate the identity alias when using the iam auth method. Valid choices are + role_id, unique_id, and full_arn. Defaults to role_id + How to generate the identity alias when using the iam auth method. type: string iamMetadata: - description: The metadata to include on the token returned by - the login endpoint. This metadata will be added to both audit - logs, and on the iam_alias The metadata to include on the token - returned by the login endpoint. + description: |- + The metadata to include on the token returned by the login endpoint. This metadata will be + added to both audit logs, and on the iam_alias + The metadata to include on the token returned by the login endpoint. items: type: string type: array + x-kubernetes-list-type: set namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. 
Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -188,45 +349,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -236,21 +362,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -260,17 +386,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -280,21 +408,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -309,21 +437,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -334,14 +463,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -366,41 +496,44 @@ spec: description: Unique name of the auth backend to configure. type: string ec2Alias: - description: How to generate the identity alias when using the - ec2 auth method. Valid choices are role_id, instance_id, and - image_id. Defaults to role_id Configures how to generate the - identity alias when using the ec2 auth method. + description: |- + How to generate the identity alias when using the ec2 auth method. Valid choices are + role_id, instance_id, and image_id. Defaults to role_id + Configures how to generate the identity alias when using the ec2 auth method. type: string ec2Metadata: - description: The metadata to include on the token returned by - the login endpoint. This metadata will be added to both audit - logs, and on the ec2_alias The metadata to include on the token - returned by the login endpoint. + description: |- + The metadata to include on the token returned by the login endpoint. This metadata will be + added to both audit logs, and on the ec2_alias + The metadata to include on the token returned by the login endpoint. items: type: string type: array + x-kubernetes-list-type: set iamAlias: - description: How to generate the identity alias when using the - iam auth method. Valid choices are role_id, unique_id, and full_arn. - Defaults to role_id How to generate the identity alias when - using the iam auth method. + description: |- + How to generate the identity alias when using the iam auth method. Valid choices are + role_id, unique_id, and full_arn. Defaults to role_id + How to generate the identity alias when using the iam auth method. type: string iamMetadata: - description: The metadata to include on the token returned by - the login endpoint. This metadata will be added to both audit - logs, and on the iam_alias The metadata to include on the token - returned by the login endpoint. + description: |- + The metadata to include on the token returned by the login endpoint. 
This metadata will be + added to both audit logs, and on the iam_alias + The metadata to include on the token returned by the login endpoint. items: type: string type: array + x-kubernetes-list-type: set id: type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: object conditions: @@ -409,14 +542,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. 
@@ -426,8 +568,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -436,6 +579,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/aws.vault.upbound.io_authbackendidentitywhitelists.yaml b/package/crds/aws.vault.upbound.io_authbackendidentitywhitelists.yaml index 160753c7..52d26271 100644 --- a/package/crds/aws.vault.upbound.io_authbackendidentitywhitelists.yaml +++ b/package/crds/aws.vault.upbound.io_authbackendidentitywhitelists.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: authbackendidentitywhitelists.aws.vault.upbound.io spec: group: aws.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -39,14 +39,19 @@ spec: entries. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -56,13 +61,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -70,83 +76,238 @@ spec: forProvider: properties: backend: - description: The path of the AWS backend being configured. Unique - name of the auth backend to configure. + description: |- + The path of the AWS backend being configured. + Unique name of the auth backend to configure. type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 
'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object disablePeriodicTidy: - description: If set to true, disables the periodic tidying of - the identity-whitelist entries. If true, disables the periodic - tidying of the identiy whitelist entries. + description: |- + If set to true, disables the periodic + tidying of the identity-whitelist entries. + If true, disables the periodic tidying of the identiy whitelist entries. type: boolean namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string safetyBuffer: - description: The amount of extra time, in minutes, that must have - passed beyond the roletag expiration, before it is removed from - the backend storage. The amount of extra time that must have - passed beyond the roletag expiration, before it's removed from + description: |- + The amount of extra time, in minutes, that must + have passed beyond the roletag expiration, before it is removed from the backend storage. 
+ The amount of extra time that must have passed beyond the roletag expiration, before it's removed from backend storage. type: number type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: backend: - description: The path of the AWS backend being configured. Unique - name of the auth backend to configure. + description: |- + The path of the AWS backend being configured. + Unique name of the auth backend to configure. type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. 
+ type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + type: object disablePeriodicTidy: - description: If set to true, disables the periodic tidying of - the identity-whitelist entries. If true, disables the periodic - tidying of the identiy whitelist entries. + description: |- + If set to true, disables the periodic + tidying of the identity-whitelist entries. + If true, disables the periodic tidying of the identiy whitelist entries. type: boolean namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string safetyBuffer: - description: The amount of extra time, in minutes, that must have - passed beyond the roletag expiration, before it is removed from - the backend storage. The amount of extra time that must have - passed beyond the roletag expiration, before it's removed from + description: |- + The amount of extra time, in minutes, that must + have passed beyond the roletag expiration, before it is removed from the backend storage. + The amount of extra time that must have passed beyond the roletag expiration, before it's removed from backend storage. type: number type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. 
This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -159,45 +320,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -207,21 +333,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -231,17 +357,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -251,21 +379,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -280,21 +408,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -305,14 +434,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -334,29 +464,32 @@ spec: atProvider: properties: backend: - description: The path of the AWS backend being configured. Unique - name of the auth backend to configure. + description: |- + The path of the AWS backend being configured. + Unique name of the auth backend to configure. type: string disablePeriodicTidy: - description: If set to true, disables the periodic tidying of - the identity-whitelist entries. If true, disables the periodic - tidying of the identiy whitelist entries. + description: |- + If set to true, disables the periodic + tidying of the identity-whitelist entries. + If true, disables the periodic tidying of the identiy whitelist entries. type: boolean id: type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string safetyBuffer: - description: The amount of extra time, in minutes, that must have - passed beyond the roletag expiration, before it is removed from - the backend storage. The amount of extra time that must have - passed beyond the roletag expiration, before it's removed from + description: |- + The amount of extra time, in minutes, that must + have passed beyond the roletag expiration, before it is removed from the backend storage. + The amount of extra time that must have passed beyond the roletag expiration, before it's removed from backend storage. type: number type: object conditions: 
@@ -365,14 +498,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -382,8 +524,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -392,6 +535,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/aws.vault.upbound.io_authbackendlogins.yaml b/package/crds/aws.vault.upbound.io_authbackendlogins.yaml index 9a731fda..2fefeab7 100644 --- a/package/crds/aws.vault.upbound.io_authbackendlogins.yaml +++ b/package/crds/aws.vault.upbound.io_authbackendlogins.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: authbackendlogins.aws.vault.upbound.io spec: group: aws.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: Manages Vault tokens acquired using the AWS auth backend. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,159 +74,482 @@ spec: forProvider: properties: backend: - description: The unique name of the AWS auth backend. Defaults - to 'aws'. AWS Auth Backend to read the token from. + description: |- + The unique name of the AWS auth backend. Defaults to + 'aws'. + AWS Auth Backend to read the token from. type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 
'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object iamHttpRequestMethod: - description: The HTTP method used in the signed IAM request. The - HTTP method used in the signed request. + description: |- + The HTTP method used in the signed IAM + request. + The HTTP method used in the signed request. type: string iamRequestBody: - description: The base64-encoded body of the signed request. The - Base64-encoded body of the signed request. + description: |- + The base64-encoded body of the signed + request. + The Base64-encoded body of the signed request. type: string iamRequestHeaders: - description: The base64-encoded, JSON serialized representation - of the GetCallerIdentity HTTP request headers. The Base64-encoded, - JSON serialized representation of the sts:GetCallerIdentity - HTTP request headers. + description: |- + The base64-encoded, JSON serialized + representation of the GetCallerIdentity HTTP request headers. + The Base64-encoded, JSON serialized representation of the sts:GetCallerIdentity HTTP request headers. type: string iamRequestUrl: - description: The base64-encoded HTTP URL used in the signed request. + description: |- + The base64-encoded HTTP URL used in the signed + request. The Base64-encoded HTTP URL used in the signed request. type: string identity: - description: The base64-encoded EC2 instance identity document - to authenticate with. Can be retrieved from the EC2 metadata - server. Base64-encoded EC2 instance identity document to authenticate - with. 
+ description: |- + The base64-encoded EC2 instance identity document to + authenticate with. Can be retrieved from the EC2 metadata server. + Base64-encoded EC2 instance identity document to authenticate with. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string nonce: - description: The unique nonce to be used for login requests. Can - be set to a user-specified value, or will contain the server-generated - value once a token is issued. EC2 instances can only acquire - a single token until the whitelist is tidied again unless they - keep track of this nonce. The nonce to be used for subsequent - login requests. + description: |- + The unique nonce to be used for login requests. Can be + set to a user-specified value, or will contain the server-generated value + once a token is issued. EC2 instances can only acquire a single token until + the whitelist is tidied again unless they keep track of this nonce. + The nonce to be used for subsequent login requests. type: string pkcs7: - description: The PKCS#7 signature of the identity document to - authenticate with, with all newline characters removed. Can - be retrieved from the EC2 metadata server. PKCS7 signature of - the identity document to authenticate with, with all newline - characters removed. + description: |- + The PKCS#7 signature of the identity document to + authenticate with, with all newline characters removed. Can be retrieved from + the EC2 metadata server. 
+ PKCS7 signature of the identity document to authenticate with, with all newline characters removed. type: string role: - description: The name of the AWS auth backend role to create tokens - against. AWS Auth Role to read the token from. - type: string + description: |- + The name of the AWS auth backend role to create tokens + against. + AWS Auth Role to read the token from. + type: string + roleRef: + description: Reference to a AuthBackendRole in aws to populate + role. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + roleSelector: + description: Selector for a AuthBackendRole in aws to populate + role. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. 
+ The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object signature: - description: The base64-encoded SHA256 RSA signature of the instance - identity document to authenticate with, with all newline characters - removed. Can be retrieved from the EC2 metadata server. Base64-encoded - SHA256 RSA signature of the instance identtiy document to authenticate - with. + description: |- + The base64-encoded SHA256 RSA signature of the + instance identity document to authenticate with, with all newline characters + removed. Can be retrieved from the EC2 metadata server. + Base64-encoded SHA256 RSA signature of the instance identtiy document to authenticate with. type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. 
It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: backend: - description: The unique name of the AWS auth backend. Defaults - to 'aws'. AWS Auth Backend to read the token from. + description: |- + The unique name of the AWS auth backend. Defaults to + 'aws'. + AWS Auth Backend to read the token from. type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. 
+ properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object iamHttpRequestMethod: - description: The HTTP method used in the signed IAM request. The - HTTP method used in the signed request. + description: |- + The HTTP method used in the signed IAM + request. + The HTTP method used in the signed request. type: string iamRequestBody: - description: The base64-encoded body of the signed request. The - Base64-encoded body of the signed request. + description: |- + The base64-encoded body of the signed + request. + The Base64-encoded body of the signed request. type: string iamRequestHeaders: - description: The base64-encoded, JSON serialized representation - of the GetCallerIdentity HTTP request headers. The Base64-encoded, - JSON serialized representation of the sts:GetCallerIdentity - HTTP request headers. + description: |- + The base64-encoded, JSON serialized + representation of the GetCallerIdentity HTTP request headers. 
+ The Base64-encoded, JSON serialized representation of the sts:GetCallerIdentity HTTP request headers. type: string iamRequestUrl: - description: The base64-encoded HTTP URL used in the signed request. + description: |- + The base64-encoded HTTP URL used in the signed + request. The Base64-encoded HTTP URL used in the signed request. type: string identity: - description: The base64-encoded EC2 instance identity document - to authenticate with. Can be retrieved from the EC2 metadata - server. Base64-encoded EC2 instance identity document to authenticate - with. + description: |- + The base64-encoded EC2 instance identity document to + authenticate with. Can be retrieved from the EC2 metadata server. + Base64-encoded EC2 instance identity document to authenticate with. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string nonce: - description: The unique nonce to be used for login requests. Can - be set to a user-specified value, or will contain the server-generated - value once a token is issued. EC2 instances can only acquire - a single token until the whitelist is tidied again unless they - keep track of this nonce. The nonce to be used for subsequent - login requests. + description: |- + The unique nonce to be used for login requests. Can be + set to a user-specified value, or will contain the server-generated value + once a token is issued. 
EC2 instances can only acquire a single token until + the whitelist is tidied again unless they keep track of this nonce. + The nonce to be used for subsequent login requests. type: string pkcs7: - description: The PKCS#7 signature of the identity document to - authenticate with, with all newline characters removed. Can - be retrieved from the EC2 metadata server. PKCS7 signature of - the identity document to authenticate with, with all newline - characters removed. + description: |- + The PKCS#7 signature of the identity document to + authenticate with, with all newline characters removed. Can be retrieved from + the EC2 metadata server. + PKCS7 signature of the identity document to authenticate with, with all newline characters removed. type: string role: - description: The name of the AWS auth backend role to create tokens - against. AWS Auth Role to read the token from. - type: string + description: |- + The name of the AWS auth backend role to create tokens + against. + AWS Auth Role to read the token from. + type: string + roleRef: + description: Reference to a AuthBackendRole in aws to populate + role. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + roleSelector: + description: Selector for a AuthBackendRole in aws to populate + role. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object signature: - description: The base64-encoded SHA256 RSA signature of the instance - identity document to authenticate with, with all newline characters - removed. Can be retrieved from the EC2 metadata server. Base64-encoded - SHA256 RSA signature of the instance identtiy document to authenticate - with. + description: |- + The base64-encoded SHA256 RSA signature of the + instance identity document to authenticate with, with all newline characters + removed. Can be retrieved from the EC2 metadata server. + Base64-encoded SHA256 RSA signature of the instance identtiy document to authenticate with. 
type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. 
+ description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -233,45 +562,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -281,21 +575,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -305,17 +599,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -325,21 +621,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -354,21 +650,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -379,14 +676,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -407,104 +705,121 @@ spec: atProvider: properties: accessor: - description: The token's accessor. The accessor returned from - Vault for this token. + description: |- + The token's accessor. + The accessor returned from Vault for this token. type: string authType: - description: The authentication type used to generate this token. + description: |- + The authentication type used to generate this token. The auth method used to generate this token. type: string backend: - description: The unique name of the AWS auth backend. Defaults - to 'aws'. AWS Auth Backend to read the token from. + description: |- + The unique name of the AWS auth backend. Defaults to + 'aws'. + AWS Auth Backend to read the token from. type: string iamHttpRequestMethod: - description: The HTTP method used in the signed IAM request. The - HTTP method used in the signed request. + description: |- + The HTTP method used in the signed IAM + request. + The HTTP method used in the signed request. type: string iamRequestBody: - description: The base64-encoded body of the signed request. The - Base64-encoded body of the signed request. + description: |- + The base64-encoded body of the signed + request. + The Base64-encoded body of the signed request. type: string iamRequestHeaders: - description: The base64-encoded, JSON serialized representation - of the GetCallerIdentity HTTP request headers. The Base64-encoded, - JSON serialized representation of the sts:GetCallerIdentity - HTTP request headers. + description: |- + The base64-encoded, JSON serialized + representation of the GetCallerIdentity HTTP request headers. + The Base64-encoded, JSON serialized representation of the sts:GetCallerIdentity HTTP request headers. type: string iamRequestUrl: - description: The base64-encoded HTTP URL used in the signed request. + description: |- + The base64-encoded HTTP URL used in the signed + request. The Base64-encoded HTTP URL used in the signed request. 
type: string id: type: string identity: - description: The base64-encoded EC2 instance identity document - to authenticate with. Can be retrieved from the EC2 metadata - server. Base64-encoded EC2 instance identity document to authenticate - with. + description: |- + The base64-encoded EC2 instance identity document to + authenticate with. Can be retrieved from the EC2 metadata server. + Base64-encoded EC2 instance identity document to authenticate with. type: string leaseDuration: - description: The duration in seconds the token will be valid, - relative to the time in lease_start_time. Lease duration in - seconds relative to the time in lease_start_time. + description: |- + The duration in seconds the token will be valid, relative + to the time in lease_start_time. + Lease duration in seconds relative to the time in lease_start_time. type: number leaseStartTime: - description: the approximate time at which the token was created, - using the clock of the system where Upbound official provider - was running. time at which the lease was read, using the clock - of the system where Upbound official provider was running + description: |- + the approximate time at which the token was created, + using the clock of the system where provider was running. + time at which the lease was read, using the clock of the system where provider was running type: string metadata: additionalProperties: type: string - description: A map of information returned by the Vault server - about the authentication used to generate this token. The metadata - reported by the Vault server. + description: |- + A map of information returned by the Vault server about the + authentication used to generate this token. + The metadata reported by the Vault server. type: object + x-kubernetes-map-type: granular namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. 
The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string nonce: - description: The unique nonce to be used for login requests. Can - be set to a user-specified value, or will contain the server-generated - value once a token is issued. EC2 instances can only acquire - a single token until the whitelist is tidied again unless they - keep track of this nonce. The nonce to be used for subsequent - login requests. + description: |- + The unique nonce to be used for login requests. Can be + set to a user-specified value, or will contain the server-generated value + once a token is issued. EC2 instances can only acquire a single token until + the whitelist is tidied again unless they keep track of this nonce. + The nonce to be used for subsequent login requests. type: string pkcs7: - description: The PKCS#7 signature of the identity document to - authenticate with, with all newline characters removed. Can - be retrieved from the EC2 metadata server. PKCS7 signature of - the identity document to authenticate with, with all newline - characters removed. + description: |- + The PKCS#7 signature of the identity document to + authenticate with, with all newline characters removed. Can be retrieved from + the EC2 metadata server. + PKCS7 signature of the identity document to authenticate with, with all newline characters removed. type: string policies: - description: The Vault policies assigned to this token. The policies - assigned to this token. + description: |- + The Vault policies assigned to this token. + The policies assigned to this token. 
items: type: string type: array renewable: - description: Set to true if the token can be extended through - renewal. True if the duration of this lease can be extended - through renewal. + description: |- + Set to true if the token can be extended through renewal. + True if the duration of this lease can be extended through renewal. type: boolean role: - description: The name of the AWS auth backend role to create tokens - against. AWS Auth Role to read the token from. + description: |- + The name of the AWS auth backend role to create tokens + against. + AWS Auth Role to read the token from. type: string signature: - description: The base64-encoded SHA256 RSA signature of the instance - identity document to authenticate with, with all newline characters - removed. Can be retrieved from the EC2 metadata server. Base64-encoded - SHA256 RSA signature of the instance identtiy document to authenticate - with. + description: |- + The base64-encoded SHA256 RSA signature of the + instance identity document to authenticate with, with all newline characters + removed. Can be retrieved from the EC2 metadata server. + Base64-encoded SHA256 RSA signature of the instance identtiy document to authenticate with. type: string type: object conditions: 
@@ -513,14 +828,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -530,8 +854,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -540,6 +865,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/aws.vault.upbound.io_authbackendroles.yaml b/package/crds/aws.vault.upbound.io_authbackendroles.yaml index ed51fecf..016868aa 100644 --- a/package/crds/aws.vault.upbound.io_authbackendroles.yaml +++ b/package/crds/aws.vault.upbound.io_authbackendroles.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: authbackendroles.aws.vault.upbound.io spec: group: aws.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: AWS auth backend roles in Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,463 +74,672 @@ spec: forProvider: properties: allowInstanceMigration: - description: If set to true, allows migration of the underlying - instance where the client resides. When true, allows migration - of the underlying instance where the client resides. Use with - caution. + description: |- + If set to true, allows migration of + the underlying instance where the client resides. + When true, allows migration of the underlying instance where the client resides. Use with caution. type: boolean authType: - description: The auth type permitted for this role. Valid choices - are ec2 and iam. Defaults to iam. The auth type permitted for - this role. + description: |- + The auth type permitted for this role. Valid choices + are ec2 and iam. Defaults to iam. + The auth type permitted for this role. type: string backend: - description: Path to the mounted aws auth backend. Unique name - of the auth backend to configure. + description: |- + Path to the mounted aws auth backend. + Unique name of the auth backend to configure. type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object boundAccountIds: - description: If set, defines a constraint on the EC2 instances - that can perform the login operation that they should be using - the account ID specified by this field. auth_type must be set - to ec2 or inferred_entity_type must be set to ec2_instance to - use this constraint. Only EC2 instances with this account ID - in their identity document will be permitted to log in. + description: |- + If set, defines a constraint on the EC2 + instances that can perform the login operation that they should be using the + account ID specified by this field. auth_type must be set to ec2 or + inferred_entity_type must be set to ec2_instance to use this constraint. 
+ Only EC2 instances with this account ID in their identity document will be permitted to log in. items: type: string type: array + x-kubernetes-list-type: set boundAmiIds: - description: If set, defines a constraint on the EC2 instances - that can perform the login operation that they should be using - the AMI ID specified by this field. auth_type must be set to - ec2 or inferred_entity_type must be set to ec2_instance to use - this constraint. Only EC2 instances using this AMI ID will be - permitted to log in. + description: |- + If set, defines a constraint on the EC2 instances + that can perform the login operation that they should be using the AMI ID + specified by this field. auth_type must be set to ec2 or + inferred_entity_type must be set to ec2_instance to use this constraint. + Only EC2 instances using this AMI ID will be permitted to log in. items: type: string type: array + x-kubernetes-list-type: set boundEc2InstanceIds: description: Only EC2 instances that match this instance ID will be permitted to log in. items: type: string type: array + x-kubernetes-list-type: set boundIamInstanceProfileArns: - description: If set, defines a constraint on the EC2 instances - that can perform the login operation that they must be associated - with an IAM instance profile ARN which has a prefix that matches - the value specified by this field. The value is prefix-matched - as though it were a glob ending in *. auth_type must be set - to ec2 or inferred_entity_type must be set to ec2_instance to - use this constraint. Only EC2 instances associated with an IAM - instance profile ARN that matches this value will be permitted - to log in. + description: |- + If set, defines a constraint on + the EC2 instances that can perform the login operation that they must be + associated with an IAM instance profile ARN which has a prefix that matches + the value specified by this field. The value is prefix-matched as though it + were a glob ending in *. 
auth_type must be set to ec2 or + inferred_entity_type must be set to ec2_instance to use this constraint. + Only EC2 instances associated with an IAM instance profile ARN that matches this value will be permitted to log in. items: type: string type: array + x-kubernetes-list-type: set boundIamPrincipalArns: - description: If set, defines the IAM principal that must be authenticated - when auth_type is set to iam. Wildcards are supported at the - end of the ARN. The IAM principal that must be authenticated - using the iam auth method. + description: |- + If set, defines the IAM principal that + must be authenticated when auth_type is set to iam. Wildcards are + supported at the end of the ARN. + The IAM principal that must be authenticated using the iam auth method. items: type: string type: array + x-kubernetes-list-type: set boundIamRoleArns: - description: If set, defines a constraint on the EC2 instances - that can perform the login operation that they must match the - IAM role ARN specified by this field. auth_type must be set - to ec2 or inferred_entity_type must be set to ec2_instance to - use this constraint. Only EC2 instances that match this IAM - role ARN will be permitted to log in. + description: |- + If set, defines a constraint on the EC2 + instances that can perform the login operation that they must match the IAM + role ARN specified by this field. auth_type must be set to ec2 or + inferred_entity_type must be set to ec2_instance to use this constraint. + Only EC2 instances that match this IAM role ARN will be permitted to log in. items: type: string type: array + x-kubernetes-list-type: set boundRegions: - description: If set, defines a constraint on the EC2 instances - that can perform the login operation that the region in their - identity document must match the one specified by this field. - auth_type must be set to ec2 or inferred_entity_type must be - set to ec2_instance to use this constraint. 
Only EC2 instances - in this region will be permitted to log in. + description: |- + If set, defines a constraint on the EC2 instances + that can perform the login operation that the region in their identity + document must match the one specified by this field. auth_type must be set + to ec2 or inferred_entity_type must be set to ec2_instance to use this + constraint. + Only EC2 instances in this region will be permitted to log in. items: type: string type: array + x-kubernetes-list-type: set boundSubnetIds: - description: If set, defines a constraint on the EC2 instances - that can perform the login operation that they be associated - with the subnet ID that matches the value specified by this - field. auth_type must be set to ec2 or inferred_entity_type - must be set to ec2_instance to use this constraint. Only EC2 - instances associated with this subnet ID will be permitted to - log in. + description: |- + If set, defines a constraint on the EC2 + instances that can perform the login operation that they be associated with + the subnet ID that matches the value specified by this field. auth_type + must be set to ec2 or inferred_entity_type must be set to ec2_instance + to use this constraint. + Only EC2 instances associated with this subnet ID will be permitted to log in. items: type: string type: array + x-kubernetes-list-type: set boundVpcIds: - description: If set, defines a constraint on the EC2 instances - that can perform the login operation that they be associated - with the VPC ID that matches the value specified by this field. - auth_type must be set to ec2 or inferred_entity_type must be - set to ec2_instance to use this constraint. Only EC2 instances - associated with this VPC ID will be permitted to log in. + description: |- + If set, defines a constraint on the EC2 instances + that can perform the login operation that they be associated with the VPC ID + that matches the value specified by this field. 
auth_type must be set to + ec2 or inferred_entity_type must be set to ec2_instance to use this + constraint. + Only EC2 instances associated with this VPC ID will be permitted to log in. items: type: string type: array + x-kubernetes-list-type: set disallowReauthentication: - description: IF set to true, only allows a single token to be - granted per instance ID. This can only be set when auth_type - is set to ec2. When true, only allows a single token to be granted - per instance ID. + description: |- + IF set to true, only allows a + single token to be granted per instance ID. This can only be set when + auth_type is set to ec2. + When true, only allows a single token to be granted per instance ID. type: boolean inferredAwsRegion: - description: When inferred_entity_type is set, this is the region - to search for the inferred entities. Required if inferred_entity_type - is set. This only applies when auth_type is set to iam. The - region to search for the inferred entities in. + description: |- + When inferred_entity_type is set, this + is the region to search for the inferred entities. Required if + inferred_entity_type is set. This only applies when auth_type is set to + iam. + The region to search for the inferred entities in. type: string inferredEntityType: - description: If set, instructs Vault to turn on inferencing. The - only valid value is ec2_instance, which instructs Vault to infer - that the role comes from an EC2 instance in an IAM instance - profile. This only applies when auth_type is set to iam. The - type of inferencing Vault should do. + description: |- + If set, instructs Vault to turn on + inferencing. The only valid value is ec2_instance, which instructs Vault to + infer that the role comes from an EC2 instance in an IAM instance profile. + This only applies when auth_type is set to iam. + The type of inferencing Vault should do. type: string namespace: - description: The namespace to provision the resource in. 
The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string resolveAwsUniqueIds: - description: Only valid when auth_type is iam. If set to true, - the bound_iam_principal_arns are resolved to AWS Unique IDs - for the bound principal ARN. This field is ignored when a bound_iam_principal_arn - ends in a wildcard. Resolving to unique IDs more closely mimics - the behavior of AWS services in that if an IAM user or role - is deleted and a new one is recreated with the same name, those - new users or roles won't get access to roles in Vault that were - permissioned to the prior principals of the same name. Defaults - to true. Once set to true, this cannot be changed to false without - recreating the role. Whether or not Vault should resolve the - bound_iam_principal_arn to an AWS Unique ID. When true, deleting - a principal and recreating it with the same name won't automatically - grant the new principal the same roles in Vault that the old - principal had. + description: |- + Only valid when + auth_type is iam. If set to true, the bound_iam_principal_arns are + resolved to AWS Unique + IDs + for the bound principal ARN. This field is ignored when a + bound_iam_principal_arn ends in a wildcard. Resolving to unique IDs more + closely mimics the behavior of AWS services in that if an IAM user or role is + deleted and a new one is recreated with the same name, those new users or + roles won't get access to roles in Vault that were permissioned to the prior + principals of the same name. Defaults to true. 
+ Once set to true, this cannot be changed to false without recreating the role. + Whether or not Vault should resolve the bound_iam_principal_arn to an AWS Unique ID. When true, deleting a principal and recreating it with the same name won't automatically grant the new principal the same roles in Vault that the old principal had. type: boolean role: - description: The name of the role. Name of the role. + description: |- + The name of the role. + Name of the role. type: string roleTag: - description: If set, enable role tags for this role. The value - set for this field should be the key of the tag on the EC2 instance. - auth_type must be set to ec2 or inferred_entity_type must be - set to ec2_instance to use this constraint. The key of the tag - on EC2 instance to use for role tags. + description: |- + If set, enable role tags for this role. The value set + for this field should be the key of the tag on the EC2 instance. auth_type + must be set to ec2 or inferred_entity_type must be set to ec2_instance + to use this constraint. + The key of the tag on EC2 instance to use for role tags. type: string tokenBoundCidrs: - description: List of CIDR blocks; if set, specifies blocks of - IP addresses which can authenticate successfully, and ties the - resulting token to these blocks as well. Specifies the blocks - of IP addresses which are allowed to use the generated token + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + Specifies the blocks of IP addresses which are allowed to use the generated token items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: - description: If set, will encode an explicit max TTL onto the - token in number of seconds. This is a hard cap even if token_ttl - and token_max_ttl would otherwise allow a renewal. 
Generated - Token's Explicit Maximum TTL in seconds + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + Generated Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime for generated tokens in number - of seconds. Its current value will be referenced at renewal - time. The maximum lifetime of the generated token + description: |- + The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If set, the default policy will not be set on generated - tokens; otherwise it will be added to the policies set in token_policies. - If true, the 'default' policy will not automatically be added - to generated tokens + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a generated token may - be used (within its lifetime); 0 means unlimited. The maximum - number of times a token may be used, a value of zero means unlimited + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + The maximum number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: If set, indicates that the token generated using - this role should never expire. The token should be renewed within - the duration specified by this value. At each renewal, the token's - TTL will be set to the value of this field. Specified in seconds. 
+ description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. Generated Token's Period type: number tokenPolicies: - description: List of policies to encode onto generated tokens. - Depending on the auth method, this list may be supplemented - by user/group/other values. Generated Token's Policies + description: |- + List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + Generated Token's Policies items: type: string type: array + x-kubernetes-list-type: set tokenTtl: - description: The incremental lifetime for generated tokens in - number of seconds. Its current value will be referenced at renewal - time. The initial ttl of the token to generate in seconds + description: |- + The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The initial ttl of the token to generate in seconds type: number tokenType: - description: 'The type of token that should be generated. Can - be service, batch, or default to use the mount''s tuned default - (which unless changed will be service tokens). For token store - roles, there are two additional possibilities: default-service - and default-batch which specify the type to return unless the - client requests a different type at generation time. The type - of token to generate, service or batch' + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. 
+ The type of token to generate, service or batch type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: allowInstanceMigration: - description: If set to true, allows migration of the underlying - instance where the client resides. When true, allows migration - of the underlying instance where the client resides. Use with - caution. + description: |- + If set to true, allows migration of + the underlying instance where the client resides. + When true, allows migration of the underlying instance where the client resides. Use with caution. type: boolean authType: - description: The auth type permitted for this role. 
Valid choices - are ec2 and iam. Defaults to iam. The auth type permitted for - this role. + description: |- + The auth type permitted for this role. Valid choices + are ec2 and iam. Defaults to iam. + The auth type permitted for this role. type: string backend: - description: Path to the mounted aws auth backend. Unique name - of the auth backend to configure. + description: |- + Path to the mounted aws auth backend. + Unique name of the auth backend to configure. type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. 
+ properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object boundAccountIds: - description: If set, defines a constraint on the EC2 instances - that can perform the login operation that they should be using - the account ID specified by this field. auth_type must be set - to ec2 or inferred_entity_type must be set to ec2_instance to - use this constraint. Only EC2 instances with this account ID - in their identity document will be permitted to log in. + description: |- + If set, defines a constraint on the EC2 + instances that can perform the login operation that they should be using the + account ID specified by this field. auth_type must be set to ec2 or + inferred_entity_type must be set to ec2_instance to use this constraint. + Only EC2 instances with this account ID in their identity document will be permitted to log in. items: type: string type: array + x-kubernetes-list-type: set boundAmiIds: - description: If set, defines a constraint on the EC2 instances - that can perform the login operation that they should be using - the AMI ID specified by this field. auth_type must be set to - ec2 or inferred_entity_type must be set to ec2_instance to use - this constraint. Only EC2 instances using this AMI ID will be - permitted to log in. 
+ description: |- + If set, defines a constraint on the EC2 instances + that can perform the login operation that they should be using the AMI ID + specified by this field. auth_type must be set to ec2 or + inferred_entity_type must be set to ec2_instance to use this constraint. + Only EC2 instances using this AMI ID will be permitted to log in. items: type: string type: array + x-kubernetes-list-type: set boundEc2InstanceIds: description: Only EC2 instances that match this instance ID will be permitted to log in. items: type: string type: array + x-kubernetes-list-type: set boundIamInstanceProfileArns: - description: If set, defines a constraint on the EC2 instances - that can perform the login operation that they must be associated - with an IAM instance profile ARN which has a prefix that matches - the value specified by this field. The value is prefix-matched - as though it were a glob ending in *. auth_type must be set - to ec2 or inferred_entity_type must be set to ec2_instance to - use this constraint. Only EC2 instances associated with an IAM - instance profile ARN that matches this value will be permitted - to log in. + description: |- + If set, defines a constraint on + the EC2 instances that can perform the login operation that they must be + associated with an IAM instance profile ARN which has a prefix that matches + the value specified by this field. The value is prefix-matched as though it + were a glob ending in *. auth_type must be set to ec2 or + inferred_entity_type must be set to ec2_instance to use this constraint. + Only EC2 instances associated with an IAM instance profile ARN that matches this value will be permitted to log in. items: type: string type: array + x-kubernetes-list-type: set boundIamPrincipalArns: - description: If set, defines the IAM principal that must be authenticated - when auth_type is set to iam. Wildcards are supported at the - end of the ARN. The IAM principal that must be authenticated - using the iam auth method. 
+ description: |- + If set, defines the IAM principal that + must be authenticated when auth_type is set to iam. Wildcards are + supported at the end of the ARN. + The IAM principal that must be authenticated using the iam auth method. items: type: string type: array + x-kubernetes-list-type: set boundIamRoleArns: - description: If set, defines a constraint on the EC2 instances - that can perform the login operation that they must match the - IAM role ARN specified by this field. auth_type must be set - to ec2 or inferred_entity_type must be set to ec2_instance to - use this constraint. Only EC2 instances that match this IAM - role ARN will be permitted to log in. + description: |- + If set, defines a constraint on the EC2 + instances that can perform the login operation that they must match the IAM + role ARN specified by this field. auth_type must be set to ec2 or + inferred_entity_type must be set to ec2_instance to use this constraint. + Only EC2 instances that match this IAM role ARN will be permitted to log in. items: type: string type: array + x-kubernetes-list-type: set boundRegions: - description: If set, defines a constraint on the EC2 instances - that can perform the login operation that the region in their - identity document must match the one specified by this field. - auth_type must be set to ec2 or inferred_entity_type must be - set to ec2_instance to use this constraint. Only EC2 instances - in this region will be permitted to log in. + description: |- + If set, defines a constraint on the EC2 instances + that can perform the login operation that the region in their identity + document must match the one specified by this field. auth_type must be set + to ec2 or inferred_entity_type must be set to ec2_instance to use this + constraint. + Only EC2 instances in this region will be permitted to log in. 
items: type: string type: array + x-kubernetes-list-type: set boundSubnetIds: - description: If set, defines a constraint on the EC2 instances - that can perform the login operation that they be associated - with the subnet ID that matches the value specified by this - field. auth_type must be set to ec2 or inferred_entity_type - must be set to ec2_instance to use this constraint. Only EC2 - instances associated with this subnet ID will be permitted to - log in. + description: |- + If set, defines a constraint on the EC2 + instances that can perform the login operation that they be associated with + the subnet ID that matches the value specified by this field. auth_type + must be set to ec2 or inferred_entity_type must be set to ec2_instance + to use this constraint. + Only EC2 instances associated with this subnet ID will be permitted to log in. items: type: string type: array + x-kubernetes-list-type: set boundVpcIds: - description: If set, defines a constraint on the EC2 instances - that can perform the login operation that they be associated - with the VPC ID that matches the value specified by this field. - auth_type must be set to ec2 or inferred_entity_type must be - set to ec2_instance to use this constraint. Only EC2 instances - associated with this VPC ID will be permitted to log in. + description: |- + If set, defines a constraint on the EC2 instances + that can perform the login operation that they be associated with the VPC ID + that matches the value specified by this field. auth_type must be set to + ec2 or inferred_entity_type must be set to ec2_instance to use this + constraint. + Only EC2 instances associated with this VPC ID will be permitted to log in. items: type: string type: array + x-kubernetes-list-type: set disallowReauthentication: - description: IF set to true, only allows a single token to be - granted per instance ID. This can only be set when auth_type - is set to ec2. 
When true, only allows a single token to be granted - per instance ID. + description: |- + IF set to true, only allows a + single token to be granted per instance ID. This can only be set when + auth_type is set to ec2. + When true, only allows a single token to be granted per instance ID. type: boolean inferredAwsRegion: - description: When inferred_entity_type is set, this is the region - to search for the inferred entities. Required if inferred_entity_type - is set. This only applies when auth_type is set to iam. The - region to search for the inferred entities in. + description: |- + When inferred_entity_type is set, this + is the region to search for the inferred entities. Required if + inferred_entity_type is set. This only applies when auth_type is set to + iam. + The region to search for the inferred entities in. type: string inferredEntityType: - description: If set, instructs Vault to turn on inferencing. The - only valid value is ec2_instance, which instructs Vault to infer - that the role comes from an EC2 instance in an IAM instance - profile. This only applies when auth_type is set to iam. The - type of inferencing Vault should do. + description: |- + If set, instructs Vault to turn on + inferencing. The only valid value is ec2_instance, which instructs Vault to + infer that the role comes from an EC2 instance in an IAM instance profile. + This only applies when auth_type is set to iam. + The type of inferencing Vault should do. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. 
+ Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string resolveAwsUniqueIds: - description: Only valid when auth_type is iam. If set to true, - the bound_iam_principal_arns are resolved to AWS Unique IDs - for the bound principal ARN. This field is ignored when a bound_iam_principal_arn - ends in a wildcard. Resolving to unique IDs more closely mimics - the behavior of AWS services in that if an IAM user or role - is deleted and a new one is recreated with the same name, those - new users or roles won't get access to roles in Vault that were - permissioned to the prior principals of the same name. Defaults - to true. Once set to true, this cannot be changed to false without - recreating the role. Whether or not Vault should resolve the - bound_iam_principal_arn to an AWS Unique ID. When true, deleting - a principal and recreating it with the same name won't automatically - grant the new principal the same roles in Vault that the old - principal had. + description: |- + Only valid when + auth_type is iam. If set to true, the bound_iam_principal_arns are + resolved to AWS Unique + IDs + for the bound principal ARN. This field is ignored when a + bound_iam_principal_arn ends in a wildcard. Resolving to unique IDs more + closely mimics the behavior of AWS services in that if an IAM user or role is + deleted and a new one is recreated with the same name, those new users or + roles won't get access to roles in Vault that were permissioned to the prior + principals of the same name. Defaults to true. + Once set to true, this cannot be changed to false without recreating the role. + Whether or not Vault should resolve the bound_iam_principal_arn to an AWS Unique ID. When true, deleting a principal and recreating it with the same name won't automatically grant the new principal the same roles in Vault that the old principal had. type: boolean role: - description: The name of the role. Name of the role. 
+ description: |- + The name of the role. + Name of the role. type: string roleTag: - description: If set, enable role tags for this role. The value - set for this field should be the key of the tag on the EC2 instance. - auth_type must be set to ec2 or inferred_entity_type must be - set to ec2_instance to use this constraint. The key of the tag - on EC2 instance to use for role tags. + description: |- + If set, enable role tags for this role. The value set + for this field should be the key of the tag on the EC2 instance. auth_type + must be set to ec2 or inferred_entity_type must be set to ec2_instance + to use this constraint. + The key of the tag on EC2 instance to use for role tags. type: string tokenBoundCidrs: - description: List of CIDR blocks; if set, specifies blocks of - IP addresses which can authenticate successfully, and ties the - resulting token to these blocks as well. Specifies the blocks - of IP addresses which are allowed to use the generated token + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + Specifies the blocks of IP addresses which are allowed to use the generated token items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: - description: If set, will encode an explicit max TTL onto the - token in number of seconds. This is a hard cap even if token_ttl - and token_max_ttl would otherwise allow a renewal. Generated - Token's Explicit Maximum TTL in seconds + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + Generated Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime for generated tokens in number - of seconds. Its current value will be referenced at renewal - time. 
The maximum lifetime of the generated token + description: |- + The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If set, the default policy will not be set on generated - tokens; otherwise it will be added to the policies set in token_policies. - If true, the 'default' policy will not automatically be added - to generated tokens + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a generated token may - be used (within its lifetime); 0 means unlimited. The maximum - number of times a token may be used, a value of zero means unlimited + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + The maximum number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: If set, indicates that the token generated using - this role should never expire. The token should be renewed within - the duration specified by this value. At each renewal, the token's - TTL will be set to the value of this field. Specified in seconds. + description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. Generated Token's Period type: number tokenPolicies: - description: List of policies to encode onto generated tokens. - Depending on the auth method, this list may be supplemented - by user/group/other values. 
Generated Token's Policies + description: |- + List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + Generated Token's Policies items: type: string type: array + x-kubernetes-list-type: set tokenTtl: - description: The incremental lifetime for generated tokens in - number of seconds. Its current value will be referenced at renewal - time. The initial ttl of the token to generate in seconds + description: |- + The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The initial ttl of the token to generate in seconds type: number tokenType: - description: 'The type of token that should be generated. Can - be service, batch, or default to use the mount''s tuned default - (which unless changed will be service tokens). For token store - roles, there are two additional possibilities: default-service - and default-batch which specify the type to return unless the - client requests a different type at generation time. The type - of token to generate, service or batch' + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. + The type of token to generate, service or batch type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. 
This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -537,45 +752,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -585,21 +765,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -609,17 +789,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -629,21 +811,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -658,21 +840,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -683,14 +866,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -706,233 +890,264 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: role is a required parameter + - message: spec.forProvider.role is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.role) - || has(self.initProvider.role)' + || (has(self.initProvider) && has(self.initProvider.role))' status: description: AuthBackendRoleStatus defines the observed state of AuthBackendRole. properties: atProvider: properties: allowInstanceMigration: - description: If set to true, allows migration of the underlying - instance where the client resides. When true, allows migration - of the underlying instance where the client resides. Use with - caution. + description: |- + If set to true, allows migration of + the underlying instance where the client resides. + When true, allows migration of the underlying instance where the client resides. Use with caution. type: boolean authType: - description: The auth type permitted for this role. Valid choices - are ec2 and iam. Defaults to iam. The auth type permitted for - this role. + description: |- + The auth type permitted for this role. Valid choices + are ec2 and iam. Defaults to iam. + The auth type permitted for this role. type: string backend: - description: Path to the mounted aws auth backend. Unique name - of the auth backend to configure. + description: |- + Path to the mounted aws auth backend. + Unique name of the auth backend to configure. type: string boundAccountIds: - description: If set, defines a constraint on the EC2 instances - that can perform the login operation that they should be using - the account ID specified by this field. auth_type must be set - to ec2 or inferred_entity_type must be set to ec2_instance to - use this constraint. Only EC2 instances with this account ID - in their identity document will be permitted to log in. 
+ description: |- + If set, defines a constraint on the EC2 + instances that can perform the login operation that they should be using the + account ID specified by this field. auth_type must be set to ec2 or + inferred_entity_type must be set to ec2_instance to use this constraint. + Only EC2 instances with this account ID in their identity document will be permitted to log in. items: type: string type: array + x-kubernetes-list-type: set boundAmiIds: - description: If set, defines a constraint on the EC2 instances - that can perform the login operation that they should be using - the AMI ID specified by this field. auth_type must be set to - ec2 or inferred_entity_type must be set to ec2_instance to use - this constraint. Only EC2 instances using this AMI ID will be - permitted to log in. + description: |- + If set, defines a constraint on the EC2 instances + that can perform the login operation that they should be using the AMI ID + specified by this field. auth_type must be set to ec2 or + inferred_entity_type must be set to ec2_instance to use this constraint. + Only EC2 instances using this AMI ID will be permitted to log in. items: type: string type: array + x-kubernetes-list-type: set boundEc2InstanceIds: description: Only EC2 instances that match this instance ID will be permitted to log in. items: type: string type: array + x-kubernetes-list-type: set boundIamInstanceProfileArns: - description: If set, defines a constraint on the EC2 instances - that can perform the login operation that they must be associated - with an IAM instance profile ARN which has a prefix that matches - the value specified by this field. The value is prefix-matched - as though it were a glob ending in *. auth_type must be set - to ec2 or inferred_entity_type must be set to ec2_instance to - use this constraint. Only EC2 instances associated with an IAM - instance profile ARN that matches this value will be permitted - to log in. 
+ description: |- + If set, defines a constraint on + the EC2 instances that can perform the login operation that they must be + associated with an IAM instance profile ARN which has a prefix that matches + the value specified by this field. The value is prefix-matched as though it + were a glob ending in *. auth_type must be set to ec2 or + inferred_entity_type must be set to ec2_instance to use this constraint. + Only EC2 instances associated with an IAM instance profile ARN that matches this value will be permitted to log in. items: type: string type: array + x-kubernetes-list-type: set boundIamPrincipalArns: - description: If set, defines the IAM principal that must be authenticated - when auth_type is set to iam. Wildcards are supported at the - end of the ARN. The IAM principal that must be authenticated - using the iam auth method. + description: |- + If set, defines the IAM principal that + must be authenticated when auth_type is set to iam. Wildcards are + supported at the end of the ARN. + The IAM principal that must be authenticated using the iam auth method. items: type: string type: array + x-kubernetes-list-type: set boundIamRoleArns: - description: If set, defines a constraint on the EC2 instances - that can perform the login operation that they must match the - IAM role ARN specified by this field. auth_type must be set - to ec2 or inferred_entity_type must be set to ec2_instance to - use this constraint. Only EC2 instances that match this IAM - role ARN will be permitted to log in. + description: |- + If set, defines a constraint on the EC2 + instances that can perform the login operation that they must match the IAM + role ARN specified by this field. auth_type must be set to ec2 or + inferred_entity_type must be set to ec2_instance to use this constraint. + Only EC2 instances that match this IAM role ARN will be permitted to log in. 
items: type: string type: array + x-kubernetes-list-type: set boundRegions: - description: If set, defines a constraint on the EC2 instances - that can perform the login operation that the region in their - identity document must match the one specified by this field. - auth_type must be set to ec2 or inferred_entity_type must be - set to ec2_instance to use this constraint. Only EC2 instances - in this region will be permitted to log in. + description: |- + If set, defines a constraint on the EC2 instances + that can perform the login operation that the region in their identity + document must match the one specified by this field. auth_type must be set + to ec2 or inferred_entity_type must be set to ec2_instance to use this + constraint. + Only EC2 instances in this region will be permitted to log in. items: type: string type: array + x-kubernetes-list-type: set boundSubnetIds: - description: If set, defines a constraint on the EC2 instances - that can perform the login operation that they be associated - with the subnet ID that matches the value specified by this - field. auth_type must be set to ec2 or inferred_entity_type - must be set to ec2_instance to use this constraint. Only EC2 - instances associated with this subnet ID will be permitted to - log in. + description: |- + If set, defines a constraint on the EC2 + instances that can perform the login operation that they be associated with + the subnet ID that matches the value specified by this field. auth_type + must be set to ec2 or inferred_entity_type must be set to ec2_instance + to use this constraint. + Only EC2 instances associated with this subnet ID will be permitted to log in. items: type: string type: array + x-kubernetes-list-type: set boundVpcIds: - description: If set, defines a constraint on the EC2 instances - that can perform the login operation that they be associated - with the VPC ID that matches the value specified by this field. 
- auth_type must be set to ec2 or inferred_entity_type must be - set to ec2_instance to use this constraint. Only EC2 instances - associated with this VPC ID will be permitted to log in. + description: |- + If set, defines a constraint on the EC2 instances + that can perform the login operation that they be associated with the VPC ID + that matches the value specified by this field. auth_type must be set to + ec2 or inferred_entity_type must be set to ec2_instance to use this + constraint. + Only EC2 instances associated with this VPC ID will be permitted to log in. items: type: string type: array + x-kubernetes-list-type: set disallowReauthentication: - description: IF set to true, only allows a single token to be - granted per instance ID. This can only be set when auth_type - is set to ec2. When true, only allows a single token to be granted - per instance ID. + description: |- + IF set to true, only allows a + single token to be granted per instance ID. This can only be set when + auth_type is set to ec2. + When true, only allows a single token to be granted per instance ID. type: boolean id: type: string inferredAwsRegion: - description: When inferred_entity_type is set, this is the region - to search for the inferred entities. Required if inferred_entity_type - is set. This only applies when auth_type is set to iam. The - region to search for the inferred entities in. + description: |- + When inferred_entity_type is set, this + is the region to search for the inferred entities. Required if + inferred_entity_type is set. This only applies when auth_type is set to + iam. + The region to search for the inferred entities in. type: string inferredEntityType: - description: If set, instructs Vault to turn on inferencing. The - only valid value is ec2_instance, which instructs Vault to infer - that the role comes from an EC2 instance in an IAM instance - profile. This only applies when auth_type is set to iam. The - type of inferencing Vault should do. 
+ description: |- + If set, instructs Vault to turn on + inferencing. The only valid value is ec2_instance, which instructs Vault to + infer that the role comes from an EC2 instance in an IAM instance profile. + This only applies when auth_type is set to iam. + The type of inferencing Vault should do. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string resolveAwsUniqueIds: - description: Only valid when auth_type is iam. If set to true, - the bound_iam_principal_arns are resolved to AWS Unique IDs - for the bound principal ARN. This field is ignored when a bound_iam_principal_arn - ends in a wildcard. Resolving to unique IDs more closely mimics - the behavior of AWS services in that if an IAM user or role - is deleted and a new one is recreated with the same name, those - new users or roles won't get access to roles in Vault that were - permissioned to the prior principals of the same name. Defaults - to true. Once set to true, this cannot be changed to false without - recreating the role. Whether or not Vault should resolve the - bound_iam_principal_arn to an AWS Unique ID. When true, deleting - a principal and recreating it with the same name won't automatically - grant the new principal the same roles in Vault that the old - principal had. + description: |- + Only valid when + auth_type is iam. If set to true, the bound_iam_principal_arns are + resolved to AWS Unique + IDs + for the bound principal ARN. 
This field is ignored when a + bound_iam_principal_arn ends in a wildcard. Resolving to unique IDs more + closely mimics the behavior of AWS services in that if an IAM user or role is + deleted and a new one is recreated with the same name, those new users or + roles won't get access to roles in Vault that were permissioned to the prior + principals of the same name. Defaults to true. + Once set to true, this cannot be changed to false without recreating the role. + Whether or not Vault should resolve the bound_iam_principal_arn to an AWS Unique ID. When true, deleting a principal and recreating it with the same name won't automatically grant the new principal the same roles in Vault that the old principal had. type: boolean role: - description: The name of the role. Name of the role. + description: |- + The name of the role. + Name of the role. type: string roleId: - description: The Vault generated role ID. The Vault generated - role ID. + description: |- + The Vault generated role ID. + The Vault generated role ID. type: string roleTag: - description: If set, enable role tags for this role. The value - set for this field should be the key of the tag on the EC2 instance. - auth_type must be set to ec2 or inferred_entity_type must be - set to ec2_instance to use this constraint. The key of the tag - on EC2 instance to use for role tags. + description: |- + If set, enable role tags for this role. The value set + for this field should be the key of the tag on the EC2 instance. auth_type + must be set to ec2 or inferred_entity_type must be set to ec2_instance + to use this constraint. + The key of the tag on EC2 instance to use for role tags. type: string tokenBoundCidrs: - description: List of CIDR blocks; if set, specifies blocks of - IP addresses which can authenticate successfully, and ties the - resulting token to these blocks as well. 
Specifies the blocks - of IP addresses which are allowed to use the generated token + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + Specifies the blocks of IP addresses which are allowed to use the generated token items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: - description: If set, will encode an explicit max TTL onto the - token in number of seconds. This is a hard cap even if token_ttl - and token_max_ttl would otherwise allow a renewal. Generated - Token's Explicit Maximum TTL in seconds + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + Generated Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime for generated tokens in number - of seconds. Its current value will be referenced at renewal - time. The maximum lifetime of the generated token + description: |- + The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If set, the default policy will not be set on generated - tokens; otherwise it will be added to the policies set in token_policies. - If true, the 'default' policy will not automatically be added - to generated tokens + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a generated token may - be used (within its lifetime); 0 means unlimited. 
The maximum - number of times a token may be used, a value of zero means unlimited + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + The maximum number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: If set, indicates that the token generated using - this role should never expire. The token should be renewed within - the duration specified by this value. At each renewal, the token's - TTL will be set to the value of this field. Specified in seconds. + description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. Generated Token's Period type: number tokenPolicies: - description: List of policies to encode onto generated tokens. - Depending on the auth method, this list may be supplemented - by user/group/other values. Generated Token's Policies + description: |- + List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + Generated Token's Policies items: type: string type: array + x-kubernetes-list-type: set tokenTtl: - description: The incremental lifetime for generated tokens in - number of seconds. Its current value will be referenced at renewal - time. The initial ttl of the token to generate in seconds + description: |- + The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The initial ttl of the token to generate in seconds type: number tokenType: - description: 'The type of token that should be generated. Can - be service, batch, or default to use the mount''s tuned default - (which unless changed will be service tokens). 
For token store - roles, there are two additional possibilities: default-service - and default-batch which specify the type to return unless the - client requests a different type at generation time. The type - of token to generate, service or batch' + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. + The type of token to generate, service or batch type: string type: object conditions: @@ -941,14 +1156,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. 
@@ -958,8 +1182,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -968,6 +1193,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/aws.vault.upbound.io_authbackendroletagblacklists.yaml b/package/crds/aws.vault.upbound.io_authbackendroletagblacklists.yaml index b3771edb..d284dfd3 100644 --- a/package/crds/aws.vault.upbound.io_authbackendroletagblacklists.yaml +++ b/package/crds/aws.vault.upbound.io_authbackendroletagblacklists.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: authbackendroletagblacklists.aws.vault.upbound.io spec: group: aws.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -39,14 +39,19 @@ spec: entries. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -56,13 +61,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -70,83 +76,240 @@ spec: forProvider: properties: backend: - description: The path the AWS auth backend being configured was - mounted at. Unique name of the auth backend to configure. + description: |- + The path the AWS auth backend being configured was + mounted at. + Unique name of the auth backend to configure. type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. 
+ The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object disablePeriodicTidy: - description: If set to true, disables the periodic tidying of - the roletag blacklist entries. Defaults to false. If true, disables - the periodic tidying of the roletag blacklist entries. + description: |- + If set to true, disables the periodic + tidying of the roletag blacklist entries. Defaults to false. + If true, disables the periodic tidying of the roletag blacklist entries. type: boolean namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string safetyBuffer: - description: The amount of extra time that must have passed beyond - the roletag expiration, before it is removed from the backend - storage. Defaults to 259,200 seconds, or 72 hours. The amount - of extra time that must have passed beyond the roletag expiration, - before it's removed from backend storage. 
+ description: |- + The amount of extra time that must have passed + beyond the roletag expiration, before it is removed from the backend storage. + Defaults to 259,200 seconds, or 72 hours. + The amount of extra time that must have passed beyond the roletag expiration, before it's removed from backend storage. type: number type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: backend: - description: The path the AWS auth backend being configured was - mounted at. Unique name of the auth backend to configure. + description: |- + The path the AWS auth backend being configured was + mounted at. 
+ Unique name of the auth backend to configure. type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. 
The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object disablePeriodicTidy: - description: If set to true, disables the periodic tidying of - the roletag blacklist entries. Defaults to false. If true, disables - the periodic tidying of the roletag blacklist entries. + description: |- + If set to true, disables the periodic + tidying of the roletag blacklist entries. Defaults to false. + If true, disables the periodic tidying of the roletag blacklist entries. type: boolean namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string safetyBuffer: - description: The amount of extra time that must have passed beyond - the roletag expiration, before it is removed from the backend - storage. Defaults to 259,200 seconds, or 72 hours. The amount - of extra time that must have passed beyond the roletag expiration, - before it's removed from backend storage. + description: |- + The amount of extra time that must have passed + beyond the roletag expiration, before it is removed from the backend storage. + Defaults to 259,200 seconds, or 72 hours. + The amount of extra time that must have passed beyond the roletag expiration, before it's removed from backend storage. 
type: number type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. 
+ description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -159,45 +322,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -207,21 +335,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -231,17 +359,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -251,21 +381,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -280,21 +410,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -305,14 +436,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. @@ -327,11 +459,6 @@ spec: required: - forProvider type: object - x-kubernetes-validations: - - message: backend is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) - || has(self.initProvider.backend)' status: description: AuthBackendRoletagBlacklistStatus defines the observed state of AuthBackendRoletagBlacklist. 
@@ -339,29 +466,33 @@ spec: atProvider: properties: backend: - description: The path the AWS auth backend being configured was - mounted at. Unique name of the auth backend to configure. + description: |- + The path the AWS auth backend being configured was + mounted at. + Unique name of the auth backend to configure. type: string disablePeriodicTidy: - description: If set to true, disables the periodic tidying of - the roletag blacklist entries. Defaults to false. If true, disables - the periodic tidying of the roletag blacklist entries. + description: |- + If set to true, disables the periodic + tidying of the roletag blacklist entries. Defaults to false. + If true, disables the periodic tidying of the roletag blacklist entries. type: boolean id: type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string safetyBuffer: - description: The amount of extra time that must have passed beyond - the roletag expiration, before it is removed from the backend - storage. Defaults to 259,200 seconds, or 72 hours. The amount - of extra time that must have passed beyond the roletag expiration, - before it's removed from backend storage. + description: |- + The amount of extra time that must have passed + beyond the roletag expiration, before it is removed from the backend storage. + Defaults to 259,200 seconds, or 72 hours. 
+ The amount of extra time that must have passed beyond the roletag expiration, before it's removed from backend storage. type: number type: object conditions: @@ -370,14 +501,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -387,8 +527,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime 
@@ -397,6 +538,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/aws.vault.upbound.io_authbackendroletags.yaml b/package/crds/aws.vault.upbound.io_authbackendroletags.yaml index 9ea85500..c71722e3 100644 --- a/package/crds/aws.vault.upbound.io_authbackendroletags.yaml +++ b/package/crds/aws.vault.upbound.io_authbackendroletags.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: authbackendroletags.aws.vault.upbound.io spec: group: aws.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: API. Reads role tags from a Vault AWS auth backend. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,123 +74,434 @@ spec: forProvider: properties: allowInstanceMigration: - description: If set, allows migration of the underlying instances - where the client resides. Use with caution. Allows migration - of the underlying instance where the client resides. + description: |- + If set, allows migration of the underlying instances where the client resides. Use with caution. + Allows migration of the underlying instance where the client resides. type: boolean backend: - description: The path to the AWS auth backend to read role tags - from, with no leading or trailing /s. Defaults to "aws". AWS - auth backend to read tags from. + description: |- + The path to the AWS auth backend to + read role tags from, with no leading or trailing /s. Defaults to "aws". + AWS auth backend to read tags from. type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. 
+ properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object disallowReauthentication: - description: If set, only allows a single token to be granted - per instance ID. Only allow a single token to be granted per - instance ID. + description: |- + If set, only allows a single token to be granted per instance ID. + Only allow a single token to be granted per instance ID. type: boolean instanceId: - description: Instance ID for which this tag is intended for. If - set, the created tag can only be used by the instance with the - given ID. Instance ID for which this tag is intended. The created - tag can only be used by the instance with the given ID. + description: |- + Instance ID for which this tag is intended for. If set, the created tag can only be used by the instance with the given ID. + Instance ID for which this tag is intended. The created tag can only be used by the instance with the given ID. 
type: string maxTtl: - description: The maximum TTL of the tokens issued using this role. + description: |- + The maximum TTL of the tokens issued using this role. The maximum allowed lifetime of tokens issued using this role. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string policies: - description: The policies to be associated with the tag. Must - be a subset of the policies associated with the role. Policies - to be associated with the tag. + description: |- + The policies to be associated with the tag. Must be a subset of the policies associated with the role. + Policies to be associated with the tag. items: type: string type: array + x-kubernetes-list-type: set role: - description: The name of the AWS auth backend role to read role - tags from, with no leading or trailing /s. Name of the role. + description: |- + The name of the AWS auth backend role to read + role tags from, with no leading or trailing /s. + Name of the role. type: string + roleRef: + description: Reference to a AuthBackendRole in aws to populate + role. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 
'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + roleSelector: + description: Selector for a AuthBackendRole in aws to populate + role. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. 
InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: allowInstanceMigration: - description: If set, allows migration of the underlying instances - where the client resides. Use with caution. Allows migration - of the underlying instance where the client resides. + description: |- + If set, allows migration of the underlying instances where the client resides. Use with caution. + Allows migration of the underlying instance where the client resides. type: boolean backend: - description: The path to the AWS auth backend to read role tags - from, with no leading or trailing /s. Defaults to "aws". AWS - auth backend to read tags from. + description: |- + The path to the AWS auth backend to + read role tags from, with no leading or trailing /s. Defaults to "aws". + AWS auth backend to read tags from. 
type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. 
The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object disallowReauthentication: - description: If set, only allows a single token to be granted - per instance ID. Only allow a single token to be granted per - instance ID. + description: |- + If set, only allows a single token to be granted per instance ID. + Only allow a single token to be granted per instance ID. type: boolean instanceId: - description: Instance ID for which this tag is intended for. If - set, the created tag can only be used by the instance with the - given ID. Instance ID for which this tag is intended. The created - tag can only be used by the instance with the given ID. + description: |- + Instance ID for which this tag is intended for. If set, the created tag can only be used by the instance with the given ID. + Instance ID for which this tag is intended. The created tag can only be used by the instance with the given ID. type: string maxTtl: - description: The maximum TTL of the tokens issued using this role. + description: |- + The maximum TTL of the tokens issued using this role. The maximum allowed lifetime of tokens issued using this role. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. 
(requires Enterprise) type: string policies: - description: The policies to be associated with the tag. Must - be a subset of the policies associated with the role. Policies - to be associated with the tag. + description: |- + The policies to be associated with the tag. Must be a subset of the policies associated with the role. + Policies to be associated with the tag. items: type: string type: array + x-kubernetes-list-type: set role: - description: The name of the AWS auth backend role to read role - tags from, with no leading or trailing /s. Name of the role. + description: |- + The name of the AWS auth backend role to read + role tags from, with no leading or trailing /s. + Name of the role. type: string + roleRef: + description: Reference to a AuthBackendRole in aws to populate + role. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + roleSelector: + description: Selector for a AuthBackendRole in aws to populate + role. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. 
+ type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. 
It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -197,45 +514,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
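Review bot: Removing `providerRef` from the schema is a breaking API change that this hunk leaves undocumented. Manifests that still set `spec.providerRef` will have the field pruned or rejected by the API server, depending on field-validation settings, while `providerConfigRef` keeps its default of `name: default`. If any such manifest relied on `providerRef` to select a provider, it would presumably be reconciled against the default ProviderConfig and its Vault credentials instead, which is worth checking before upgrading. The same removal appears in the `@@ -155,45 +316,10 @@` hunk of `aws.vault.upbound.io_authbackendstsroles.yaml`. I would add an upgrade note such as `Breaking: spec.providerRef is removed from all CRDs; set spec.providerConfigRef explicitly before upgrading.`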
@@ -245,21 +527,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -269,17 +551,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -289,21 +573,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -318,21 +602,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -343,14 +628,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -365,60 +651,60 @@ spec: required: - forProvider type: object - x-kubernetes-validations: - - message: role is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.role) - || has(self.initProvider.role)' status: description: AuthBackendRoleTagStatus defines the observed state of AuthBackendRoleTag. properties: atProvider: properties: allowInstanceMigration: - description: If set, allows migration of the underlying instances - where the client resides. Use with caution. Allows migration - of the underlying instance where the client resides. + description: |- + If set, allows migration of the underlying instances where the client resides. Use with caution. + Allows migration of the underlying instance where the client resides. type: boolean backend: - description: The path to the AWS auth backend to read role tags - from, with no leading or trailing /s. Defaults to "aws". AWS - auth backend to read tags from. + description: |- + The path to the AWS auth backend to + read role tags from, with no leading or trailing /s. Defaults to "aws". + AWS auth backend to read tags from. type: string disallowReauthentication: - description: If set, only allows a single token to be granted - per instance ID. Only allow a single token to be granted per - instance ID. + description: |- + If set, only allows a single token to be granted per instance ID. + Only allow a single token to be granted per instance ID. type: boolean id: type: string instanceId: - description: Instance ID for which this tag is intended for. If - set, the created tag can only be used by the instance with the - given ID. Instance ID for which this tag is intended. The created - tag can only be used by the instance with the given ID. + description: |- + Instance ID for which this tag is intended for. If set, the created tag can only be used by the instance with the given ID. 
+ Instance ID for which this tag is intended. The created tag can only be used by the instance with the given ID. type: string maxTtl: - description: The maximum TTL of the tokens issued using this role. + description: |- + The maximum TTL of the tokens issued using this role. The maximum allowed lifetime of tokens issued using this role. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string policies: - description: The policies to be associated with the tag. Must - be a subset of the policies associated with the role. Policies - to be associated with the tag. + description: |- + The policies to be associated with the tag. Must be a subset of the policies associated with the role. + Policies to be associated with the tag. items: type: string type: array + x-kubernetes-list-type: set role: - description: The name of the AWS auth backend role to read role - tags from, with no leading or trailing /s. Name of the role. + description: |- + The name of the AWS auth backend role to read + role tags from, with no leading or trailing /s. + Name of the role. type: string tagKey: description: The key of the role tag. 
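Review bot: Dropping the `x-kubernetes-validations` rule `role is a required parameter` at the top of this hunk leaves nothing at admission that requires a role source, so an AuthBackendRoleTag with none of `role`, `roleRef` or `roleSelector` would be accepted and presumably fail only at reconcile. The rule was likely removed because `role` can now be resolved from a reference, so rather than deleting it I would widen its last clause, e.g. `|| has(self.forProvider.role) || has(self.forProvider.roleRef) || has(self.forProvider.roleSelector) || has(self.initProvider.role)`. The `forProvider` schema lies outside this hunk, so confirm that `roleRef` and `roleSelector` exist there before relying on those paths. This file is generated, so the change belongs in the generator configuration rather than here.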
@@ -433,14 +719,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -450,8 +745,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -460,6 +756,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/aws.vault.upbound.io_authbackendstsroles.yaml b/package/crds/aws.vault.upbound.io_authbackendstsroles.yaml index ddd9d92e..6d2354a0 100644 --- a/package/crds/aws.vault.upbound.io_authbackendstsroles.yaml +++ b/package/crds/aws.vault.upbound.io_authbackendstsroles.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: authbackendstsroles.aws.vault.upbound.io spec: group: aws.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: API. Configures an STS role in the Vault AWS Auth backend. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,81 +74,236 @@ spec: forProvider: properties: accountId: - description: The AWS account ID to configure the STS role for. + description: |- + The AWS account ID to configure the STS role for. AWS account ID to be associated with STS role. type: string backend: - description: The path the AWS auth backend being configured was - mounted at. Defaults to aws. Unique name of the auth backend - to configure. + description: |- + The path the AWS auth backend being configured was + mounted at. Defaults to aws. + Unique name of the auth backend to configure. type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. 
+ type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string stsRole: - description: The STS role to assume when verifying requests made - by EC2 instances in the account specified by account_id. AWS - ARN for STS role to be assumed when interacting with the account - specified. + description: |- + The STS role to assume when verifying requests made + by EC2 instances in the account specified by account_id. + AWS ARN for STS role to be assumed when interacting with the account specified. type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. 
- It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: accountId: - description: The AWS account ID to configure the STS role for. + description: |- + The AWS account ID to configure the STS role for. AWS account ID to be associated with STS role. type: string backend: - description: The path the AWS auth backend being configured was - mounted at. Defaults to aws. Unique name of the auth backend - to configure. + description: |- + The path the AWS auth backend being configured was + mounted at. Defaults to aws. + Unique name of the auth backend to configure. type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. 
+ type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + type: object namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string stsRole: - description: The STS role to assume when verifying requests made - by EC2 instances in the account specified by account_id. AWS - ARN for STS role to be assumed when interacting with the account - specified. + description: |- + The STS role to assume when verifying requests made + by EC2 instances in the account specified by account_id. + AWS ARN for STS role to be assumed when interacting with the account specified. type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. 
See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
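Review bot: The new `initProvider` description still says it holds the same fields as ForProvider "with the exception of Identifier and other resource reference fields", yet this hunk adds `backendRef` and `backendSelector` under `initProvider`. A reader cannot tell from the schema whether a reference set there is honoured, or which value wins when `backend` is resolved under both `forProvider` and `initProvider`. I would reword the description to something like `InitProvider holds the same fields as ForProvider, with the exception of Identifier fields.` and state the precedence. The text is generated, so the fix belongs in the generator rather than in this file.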
@@ -155,45 +316,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -203,21 +329,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -227,17 +353,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -247,21 +375,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -276,21 +404,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -301,14 +430,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -324,42 +454,45 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: accountId is a required parameter + - message: spec.forProvider.accountId is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.accountId) - || has(self.initProvider.accountId)' - - message: stsRole is a required parameter + || (has(self.initProvider) && has(self.initProvider.accountId))' + - message: spec.forProvider.stsRole is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.stsRole) - || has(self.initProvider.stsRole)' + || (has(self.initProvider) && has(self.initProvider.stsRole))' status: description: AuthBackendStsRoleStatus defines the observed state of AuthBackendStsRole. properties: atProvider: properties: accountId: - description: The AWS account ID to configure the STS role for. + description: |- + The AWS account ID to configure the STS role for. AWS account ID to be associated with STS role. type: string backend: - description: The path the AWS auth backend being configured was - mounted at. Defaults to aws. Unique name of the auth backend - to configure. + description: |- + The path the AWS auth backend being configured was + mounted at. Defaults to aws. + Unique name of the auth backend to configure. type: string id: type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. 
+ Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string stsRole: - description: The STS role to assume when verifying requests made - by EC2 instances in the account specified by account_id. AWS - ARN for STS role to be assumed when interacting with the account - specified. + description: |- + The STS role to assume when verifying requests made + by EC2 instances in the account specified by account_id. + AWS ARN for STS role to be assumed when interacting with the account specified. type: string type: object conditions: @@ -368,14 +501,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. 
@@ -385,8 +527,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -395,6 +538,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/aws.vault.upbound.io_secretbackendroles.yaml b/package/crds/aws.vault.upbound.io_secretbackendroles.yaml index 757bcde2..b1e209a7 100644 --- a/package/crds/aws.vault.upbound.io_secretbackendroles.yaml +++ b/package/crds/aws.vault.upbound.io_secretbackendroles.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretbackendroles.aws.vault.upbound.io spec: group: aws.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: Creates a role on an AWS Secret Backend for Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,235 +74,442 @@ spec: forProvider: properties: backend: - description: The path the AWS secret backend is mounted at, with - no leading or trailing /s. The path of the AWS Secret Backend - the role belongs to. + description: |- + The path the AWS secret backend is mounted at, + with no leading or trailing /s. + The path of the AWS Secret Backend the role belongs to. type: string + backendRef: + description: Reference to a SecretBackend in aws to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a SecretBackend in aws to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. 
+ The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object credentialType: - description: Specifies the type of credential to be used when - retrieving credentials from the role. Must be one of iam_user, - assumed_role, or federation_token. Role credential type. + description: |- + Specifies the type of credential to be used when + retrieving credentials from the role. Must be one of iam_user, assumed_role, or + federation_token. + Role credential type. type: string defaultStsTtl: - description: The default TTL in seconds for STS credentials. When - a TTL is not specified when STS credentials are requested, and - a default TTL is specified on the role, then this default TTL - will be used. Valid only when credential_type is one of assumed_role - or federation_token. The default TTL in seconds for STS credentials. + description: |- + The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, - and a default TTL is specified on the role, then this default - TTL will be used. Valid only when credential_type is one of + and a default TTL is specified on the role, + then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token. + The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. 
Valid only when credential_type is one of assumed_role or federation_token. type: number + externalId: + description: |- + External ID to set for assume role creds. + Valid only when credential_type is set to assumed_role. + External ID to set for assume role creds. + type: string iamGroups: - description: A list of IAM group names. IAM users generated against - this vault role will be added to these IAM Groups. For a credential - type of assumed_role or federation_token, the policies sent - to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) - will be the policies from each group in iam_groups combined - with the policy_document and policy_arns parameters. A list - of IAM group names. IAM users generated against this vault role - will be added to these IAM Groups. For a credential type of - assumed_role or federation_token, the policies sent to the corresponding - AWS call (sts:AssumeRole or sts:GetFederation) will be the policies - from each group in iam_groups combined with the policy_document + description: |- + A list of IAM group names. IAM users generated + against this vault role will be added to these IAM Groups. For a credential + type of assumed_role or federation_token, the policies sent to the + corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the + policies from each group in iam_groups combined with the policy_document and policy_arns parameters. + A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters. 
items: type: string type: array + x-kubernetes-list-type: set + iamTags: + additionalProperties: + type: string + description: |- + A map of strings representing key/value pairs + to be used as tags for any IAM user that is created by this role. + A map of strings representing key/value pairs used as tags for any IAM user created by this role. + type: object + x-kubernetes-map-type: granular maxStsTtl: - description: The max allowed TTL in seconds for STS credentials - (credentials TTL are capped to max_sts_ttl). Valid only when - credential_type is one of assumed_role or federation_token. - The max allowed TTL in seconds for STS credentials (credentials - TTL are capped to max_sts_ttl). Valid only when credential_type - is one of assumed_role or federation_token. + description: |- + The max allowed TTL in seconds for STS credentials + (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is + one of assumed_role or federation_token. + The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token. type: number name: - description: The name to identify this role within the backend. - Must be unique within the backend. Unique name for the role. + description: |- + The name to identify this role within the backend. + Must be unique within the backend. + Unique name for the role. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. 
+ Target namespace. (requires Enterprise) type: string permissionsBoundaryArn: - description: The ARN of the AWS Permissions Boundary to attach - to IAM users created in the role. Valid only when credential_type - is iam_user. If not specified, then no permissions boundary - policy will be attached. The ARN of the AWS Permissions Boundary - to attach to IAM users created in the role. Valid only when - credential_type is iam_user. If not specified, then no permissions - boundary policy will be attached. + description: |- + The ARN of the AWS Permissions + Boundary to attach to IAM users created in the role. Valid only when + credential_type is iam_user. If not specified, then no permissions boundary + policy will be attached. + The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached. type: string policyArns: - description: Specifies a list of AWS managed policy ARNs. The - behavior depends on the credential type. With iam_user, the - policies will be attached to IAM users when they are requested. - With assumed_role and federation_token, the policy ARNs will - act as a filter on what the credentials can do, similar to policy_document. - When credential_type is iam_user or federation_token, at least - one of policy_document or policy_arns must be specified. ARN - for an existing IAM policy the role should use. + description: |- + Specifies a list of AWS managed policy ARNs. The + behavior depends on the credential type. With iam_user, the policies will be + attached to IAM users when they are requested. With assumed_role and + federation_token, the policy ARNs will act as a filter on what the credentials + can do, similar to policy_document. When credential_type is iam_user or + federation_token, at least one of policy_document or policy_arns must + be specified. + ARN for an existing IAM policy the role should use. 
items: type: string type: array + x-kubernetes-list-type: set policyDocument: - description: The IAM policy document for the role. The behavior - depends on the credential type. With iam_user, the policy document - will be attached to the IAM user generated and augment the permissions - the IAM user has. With assumed_role and federation_token, the - policy document will act as a filter on what the credentials - can do, similar to policy_arns. IAM policy the role should use - in JSON format. + description: |- + The IAM policy document for the role. The + behavior depends on the credential type. With iam_user, the policy document + will be attached to the IAM user generated and augment the permissions the IAM + user has. With assumed_role and federation_token, the policy document will + act as a filter on what the credentials can do, similar to policy_arns. + IAM policy the role should use in JSON format. type: string roleArns: - description: Specifies the ARNs of the AWS roles this Vault role - is allowed to assume. Required when credential_type is assumed_role - and prohibited otherwise. ARNs of AWS roles allowed to be assumed. - Only valid when credential_type is 'assumed_role' + description: |- + Specifies the ARNs of the AWS roles this Vault role + is allowed to assume. Required when credential_type is assumed_role and + prohibited otherwise. + ARNs of AWS roles allowed to be assumed. Only valid when credential_type is 'assumed_role' items: type: string type: array + x-kubernetes-list-type: set + sessionTags: + additionalProperties: + type: string + description: |- + A map of strings representing key/value pairs to be set + during assume role creds creation. Valid only when credential_type is set to + assumed_role. + Session tags to be set for assume role creds created. + type: object + x-kubernetes-map-type: granular userPath: - description: The path for the user name. Valid only when credential_type - is iam_user. Default is /. The path for the user name. 
Valid - only when credential_type is iam_user. Default is / + description: |- + The path for the user name. Valid only when + credential_type is iam_user. Default is /. + The path for the user name. Valid only when credential_type is iam_user. Default is / type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: backend: - description: The path the AWS secret backend is mounted at, with - no leading or trailing /s. The path of the AWS Secret Backend - the role belongs to. + description: |- + The path the AWS secret backend is mounted at, + with no leading or trailing /s. 
+ The path of the AWS Secret Backend the role belongs to. type: string + backendRef: + description: Reference to a SecretBackend in aws to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a SecretBackend in aws to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. 
The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object credentialType: - description: Specifies the type of credential to be used when - retrieving credentials from the role. Must be one of iam_user, - assumed_role, or federation_token. Role credential type. + description: |- + Specifies the type of credential to be used when + retrieving credentials from the role. Must be one of iam_user, assumed_role, or + federation_token. + Role credential type. type: string defaultStsTtl: - description: The default TTL in seconds for STS credentials. When - a TTL is not specified when STS credentials are requested, and - a default TTL is specified on the role, then this default TTL - will be used. Valid only when credential_type is one of assumed_role - or federation_token. The default TTL in seconds for STS credentials. + description: |- + The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, - and a default TTL is specified on the role, then this default - TTL will be used. Valid only when credential_type is one of + and a default TTL is specified on the role, + then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token. + The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token. type: number + externalId: + description: |- + External ID to set for assume role creds. + Valid only when credential_type is set to assumed_role. + External ID to set for assume role creds. + type: string iamGroups: - description: A list of IAM group names. 
IAM users generated against - this vault role will be added to these IAM Groups. For a credential - type of assumed_role or federation_token, the policies sent - to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) - will be the policies from each group in iam_groups combined - with the policy_document and policy_arns parameters. A list - of IAM group names. IAM users generated against this vault role - will be added to these IAM Groups. For a credential type of - assumed_role or federation_token, the policies sent to the corresponding - AWS call (sts:AssumeRole or sts:GetFederation) will be the policies - from each group in iam_groups combined with the policy_document + description: |- + A list of IAM group names. IAM users generated + against this vault role will be added to these IAM Groups. For a credential + type of assumed_role or federation_token, the policies sent to the + corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the + policies from each group in iam_groups combined with the policy_document and policy_arns parameters. + A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters. items: type: string type: array + x-kubernetes-list-type: set + iamTags: + additionalProperties: + type: string + description: |- + A map of strings representing key/value pairs + to be used as tags for any IAM user that is created by this role. + A map of strings representing key/value pairs used as tags for any IAM user created by this role. + type: object + x-kubernetes-map-type: granular maxStsTtl: - description: The max allowed TTL in seconds for STS credentials - (credentials TTL are capped to max_sts_ttl). 
Valid only when - credential_type is one of assumed_role or federation_token. - The max allowed TTL in seconds for STS credentials (credentials - TTL are capped to max_sts_ttl). Valid only when credential_type - is one of assumed_role or federation_token. + description: |- + The max allowed TTL in seconds for STS credentials + (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is + one of assumed_role or federation_token. + The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token. type: number name: - description: The name to identify this role within the backend. - Must be unique within the backend. Unique name for the role. + description: |- + The name to identify this role within the backend. + Must be unique within the backend. + Unique name for the role. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string permissionsBoundaryArn: - description: The ARN of the AWS Permissions Boundary to attach - to IAM users created in the role. Valid only when credential_type - is iam_user. If not specified, then no permissions boundary - policy will be attached. The ARN of the AWS Permissions Boundary - to attach to IAM users created in the role. Valid only when - credential_type is iam_user. If not specified, then no permissions - boundary policy will be attached. 
+ description: |- + The ARN of the AWS Permissions + Boundary to attach to IAM users created in the role. Valid only when + credential_type is iam_user. If not specified, then no permissions boundary + policy will be attached. + The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached. type: string policyArns: - description: Specifies a list of AWS managed policy ARNs. The - behavior depends on the credential type. With iam_user, the - policies will be attached to IAM users when they are requested. - With assumed_role and federation_token, the policy ARNs will - act as a filter on what the credentials can do, similar to policy_document. - When credential_type is iam_user or federation_token, at least - one of policy_document or policy_arns must be specified. ARN - for an existing IAM policy the role should use. + description: |- + Specifies a list of AWS managed policy ARNs. The + behavior depends on the credential type. With iam_user, the policies will be + attached to IAM users when they are requested. With assumed_role and + federation_token, the policy ARNs will act as a filter on what the credentials + can do, similar to policy_document. When credential_type is iam_user or + federation_token, at least one of policy_document or policy_arns must + be specified. + ARN for an existing IAM policy the role should use. items: type: string type: array + x-kubernetes-list-type: set policyDocument: - description: The IAM policy document for the role. The behavior - depends on the credential type. With iam_user, the policy document - will be attached to the IAM user generated and augment the permissions - the IAM user has. With assumed_role and federation_token, the - policy document will act as a filter on what the credentials - can do, similar to policy_arns. IAM policy the role should use - in JSON format. 
+ description: |- + The IAM policy document for the role. The + behavior depends on the credential type. With iam_user, the policy document + will be attached to the IAM user generated and augment the permissions the IAM + user has. With assumed_role and federation_token, the policy document will + act as a filter on what the credentials can do, similar to policy_arns. + IAM policy the role should use in JSON format. type: string roleArns: - description: Specifies the ARNs of the AWS roles this Vault role - is allowed to assume. Required when credential_type is assumed_role - and prohibited otherwise. ARNs of AWS roles allowed to be assumed. - Only valid when credential_type is 'assumed_role' + description: |- + Specifies the ARNs of the AWS roles this Vault role + is allowed to assume. Required when credential_type is assumed_role and + prohibited otherwise. + ARNs of AWS roles allowed to be assumed. Only valid when credential_type is 'assumed_role' items: type: string type: array + x-kubernetes-list-type: set + sessionTags: + additionalProperties: + type: string + description: |- + A map of strings representing key/value pairs to be set + during assume role creds creation. Valid only when credential_type is set to + assumed_role. + Session tags to be set for assume role creds created. + type: object + x-kubernetes-map-type: granular userPath: - description: The path for the user name. Valid only when credential_type - is iam_user. Default is /. The path for the user name. Valid - only when credential_type is iam_user. Default is / + description: |- + The path for the user name. Valid only when + credential_type is iam_user. Default is /. + The path for the user name. Valid only when credential_type is iam_user. Default is / type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. 
- It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -309,9 +522,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -321,57 +535,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -381,17 +559,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
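Review bot: The `providerRef` block removed in the `@@ -321,57 +535,21 @@` hunk leaves `providerConfigRef` as the only way to select provider credentials, and the preceding hunk shows that field carries `default: name: default`. If the API server prunes the now-unknown field (the usual behaviour for a structural v1 schema without preserve-unknown-fields), a SecretBackendRole that still sets only `providerRef` would presumably fall back to the `default` ProviderConfig and reconcile against a different Vault identity than intended. The CRD appears to be generated, so the fix is not in this YAML; the commit should carry an upgrade note such as `Breaking: spec.providerRef is removed; set spec.providerConfigRef on every managed resource before upgrading.` Listing the resources that still set `spec.providerRef` before the new CRD is applied would confirm that no resource changes credentials silently. The enclosing `spec` properties block starts and ends outside this hunk.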
@@ -401,21 +581,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -430,21 +610,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -455,14 +636,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -478,123 +660,148 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: backend is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) - || has(self.initProvider.backend)' - - message: credentialType is a required parameter + - message: spec.forProvider.credentialType is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.credentialType) - || has(self.initProvider.credentialType)' - - message: name is a required parameter + || (has(self.initProvider) && has(self.initProvider.credentialType))' + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' + || (has(self.initProvider) && has(self.initProvider.name))' status: description: SecretBackendRoleStatus defines the observed state of SecretBackendRole. properties: atProvider: properties: backend: - description: The path the AWS secret backend is mounted at, with - no leading or trailing /s. The path of the AWS Secret Backend - the role belongs to. + description: |- + The path the AWS secret backend is mounted at, + with no leading or trailing /s. + The path of the AWS Secret Backend the role belongs to. type: string credentialType: - description: Specifies the type of credential to be used when - retrieving credentials from the role. Must be one of iam_user, - assumed_role, or federation_token. Role credential type. + description: |- + Specifies the type of credential to be used when + retrieving credentials from the role. Must be one of iam_user, assumed_role, or + federation_token. + Role credential type. 
type: string defaultStsTtl: - description: The default TTL in seconds for STS credentials. When - a TTL is not specified when STS credentials are requested, and - a default TTL is specified on the role, then this default TTL - will be used. Valid only when credential_type is one of assumed_role - or federation_token. The default TTL in seconds for STS credentials. + description: |- + The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, - and a default TTL is specified on the role, then this default - TTL will be used. Valid only when credential_type is one of + and a default TTL is specified on the role, + then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token. + The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token. type: number + externalId: + description: |- + External ID to set for assume role creds. + Valid only when credential_type is set to assumed_role. + External ID to set for assume role creds. + type: string iamGroups: - description: A list of IAM group names. IAM users generated against - this vault role will be added to these IAM Groups. For a credential - type of assumed_role or federation_token, the policies sent - to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) - will be the policies from each group in iam_groups combined - with the policy_document and policy_arns parameters. A list - of IAM group names. IAM users generated against this vault role - will be added to these IAM Groups. 
For a credential type of - assumed_role or federation_token, the policies sent to the corresponding - AWS call (sts:AssumeRole or sts:GetFederation) will be the policies - from each group in iam_groups combined with the policy_document + description: |- + A list of IAM group names. IAM users generated + against this vault role will be added to these IAM Groups. For a credential + type of assumed_role or federation_token, the policies sent to the + corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the + policies from each group in iam_groups combined with the policy_document and policy_arns parameters. + A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters. items: type: string type: array + x-kubernetes-list-type: set + iamTags: + additionalProperties: + type: string + description: |- + A map of strings representing key/value pairs + to be used as tags for any IAM user that is created by this role. + A map of strings representing key/value pairs used as tags for any IAM user created by this role. + type: object + x-kubernetes-map-type: granular id: type: string maxStsTtl: - description: The max allowed TTL in seconds for STS credentials - (credentials TTL are capped to max_sts_ttl). Valid only when - credential_type is one of assumed_role or federation_token. - The max allowed TTL in seconds for STS credentials (credentials - TTL are capped to max_sts_ttl). Valid only when credential_type - is one of assumed_role or federation_token. + description: |- + The max allowed TTL in seconds for STS credentials + (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is + one of assumed_role or federation_token. 
+ The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token. type: number name: - description: The name to identify this role within the backend. - Must be unique within the backend. Unique name for the role. + description: |- + The name to identify this role within the backend. + Must be unique within the backend. + Unique name for the role. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string permissionsBoundaryArn: - description: The ARN of the AWS Permissions Boundary to attach - to IAM users created in the role. Valid only when credential_type - is iam_user. If not specified, then no permissions boundary - policy will be attached. The ARN of the AWS Permissions Boundary - to attach to IAM users created in the role. Valid only when - credential_type is iam_user. If not specified, then no permissions - boundary policy will be attached. + description: |- + The ARN of the AWS Permissions + Boundary to attach to IAM users created in the role. Valid only when + credential_type is iam_user. If not specified, then no permissions boundary + policy will be attached. + The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached. 
type: string policyArns: - description: Specifies a list of AWS managed policy ARNs. The - behavior depends on the credential type. With iam_user, the - policies will be attached to IAM users when they are requested. - With assumed_role and federation_token, the policy ARNs will - act as a filter on what the credentials can do, similar to policy_document. - When credential_type is iam_user or federation_token, at least - one of policy_document or policy_arns must be specified. ARN - for an existing IAM policy the role should use. + description: |- + Specifies a list of AWS managed policy ARNs. The + behavior depends on the credential type. With iam_user, the policies will be + attached to IAM users when they are requested. With assumed_role and + federation_token, the policy ARNs will act as a filter on what the credentials + can do, similar to policy_document. When credential_type is iam_user or + federation_token, at least one of policy_document or policy_arns must + be specified. + ARN for an existing IAM policy the role should use. items: type: string type: array + x-kubernetes-list-type: set policyDocument: - description: The IAM policy document for the role. The behavior - depends on the credential type. With iam_user, the policy document - will be attached to the IAM user generated and augment the permissions - the IAM user has. With assumed_role and federation_token, the - policy document will act as a filter on what the credentials - can do, similar to policy_arns. IAM policy the role should use - in JSON format. + description: |- + The IAM policy document for the role. The + behavior depends on the credential type. With iam_user, the policy document + will be attached to the IAM user generated and augment the permissions the IAM + user has. With assumed_role and federation_token, the policy document will + act as a filter on what the credentials can do, similar to policy_arns. + IAM policy the role should use in JSON format. 
type: string roleArns: - description: Specifies the ARNs of the AWS roles this Vault role - is allowed to assume. Required when credential_type is assumed_role - and prohibited otherwise. ARNs of AWS roles allowed to be assumed. - Only valid when credential_type is 'assumed_role' + description: |- + Specifies the ARNs of the AWS roles this Vault role + is allowed to assume. Required when credential_type is assumed_role and + prohibited otherwise. + ARNs of AWS roles allowed to be assumed. Only valid when credential_type is 'assumed_role' items: type: string type: array + x-kubernetes-list-type: set + sessionTags: + additionalProperties: + type: string + description: |- + A map of strings representing key/value pairs to be set + during assume role creds creation. Valid only when credential_type is set to + assumed_role. + Session tags to be set for assume role creds created. + type: object + x-kubernetes-map-type: granular userPath: - description: The path for the user name. Valid only when credential_type - is iam_user. Default is /. The path for the user name. Valid - only when credential_type is iam_user. Default is / + description: |- + The path for the user name. Valid only when + credential_type is iam_user. Default is /. + The path for the user name. Valid only when credential_type is iam_user. Default is / type: string type: object conditions: 
@@ -603,14 +810,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -620,8 +836,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -630,6 +847,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/aws.vault.upbound.io_secretbackends.yaml b/package/crds/aws.vault.upbound.io_secretbackends.yaml index 9f8cbdca..26d91539 100644 --- a/package/crds/aws.vault.upbound.io_secretbackends.yaml +++ b/package/crds/aws.vault.upbound.io_secretbackends.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretbackends.aws.vault.upbound.io spec: group: aws.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: an AWS secret backend for Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,11 +74,10 @@ spec: forProvider: properties: accessKeySecretRef: - description: The AWS Access Key ID this backend should use to - issue new credentials. Vault uses the official AWS SDK to authenticate, - and thus can also use standard AWS environment credentials, - shared file credentials or IAM role/ECS task credentials. The - AWS Access Key ID to use when generating new credentials. + description: |- + The AWS Access Key ID this backend should use to + issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials. + The AWS Access Key ID to use when generating new credentials. properties: key: description: The key to select. 
@@ -89,72 +94,82 @@ spec: - namespace type: object defaultLeaseTtlSeconds: - description: The default TTL for credentials issued by this backend. + description: |- + The default TTL for credentials + issued by this backend. Default lease duration for secrets in seconds type: number description: - description: A human-friendly description for this backend. Human-friendly - description of the mount for the backend. + description: |- + A human-friendly description for this backend. + Human-friendly description of the mount for the backend. type: string disableRemount: - description: If set, opts out of mount migration on path updates. - See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. type: boolean iamEndpoint: - description: Specifies a custom HTTP IAM endpoint to use. Specifies - a custom HTTP IAM endpoint to use. + description: |- + Specifies a custom HTTP IAM endpoint to use. + Specifies a custom HTTP IAM endpoint to use. type: string identityTokenAudience: - description: The audience claim value. Requires Vault 1.16+. The - audience claim value. + description: |- + The audience claim value. Requires Vault 1.16+. + The audience claim value. type: string identityTokenKey: - description: The key to use for signing identity tokens. Requires - Vault 1.16+. The key to use for signing identity tokens. + description: |- + The key to use for signing identity tokens. Requires Vault 1.16+. + The key to use for signing identity tokens. type: string identityTokenTtl: - description: The TTL of generated identity tokens in seconds. - Requires Vault 1.16+. The TTL of generated identity tokens in - seconds. + description: |- + The TTL of generated identity tokens in seconds. Requires Vault 1.16+. + The TTL of generated identity tokens in seconds. 
type: number local: - description: Specifies whether the secrets mount will be marked - as local. Local mounts are not replicated to performance replicas. + description: |- + Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas. Specifies if the secret backend is local only type: boolean maxLeaseTtlSeconds: - description: The maximum TTL that can be requested for credentials - issued by this backend. Maximum possible lease duration for - secrets in seconds + description: |- + The maximum TTL that can be requested + for credentials issued by this backend. + Maximum possible lease duration for secrets in seconds type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: The unique path this backend should be mounted at. - Must not begin or end with a /. Defaults to aws. Path to mount - the backend at. + description: |- + The unique path this backend should be mounted at. Must + not begin or end with a /. Defaults to aws. + Path to mount the backend at. type: string region: - description: The AWS region for API calls. Defaults to us-east-1. + description: |- + The AWS region for API calls. Defaults to us-east-1. The AWS region to make API calls against. Defaults to us-east-1. type: string roleArn: - description: Role ARN to assume for plugin identity token federation. - Requires Vault 1.16+. 
Role ARN to assume for plugin identity - token federation. + description: |- + Role ARN to assume for plugin identity token federation. Requires Vault 1.16+. + Role ARN to assume for plugin identity token federation. type: string secretKeySecretRef: - description: The AWS Secret Key this backend should use to issue - new credentials. Vault uses the official AWS SDK to authenticate, - and thus can also use standard AWS environment credentials, - shared file credentials or IAM role/ECS task credentials. The - AWS Secret Access Key to use when generating new credentials. + description: |- + The AWS Secret Key this backend should use to + issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials. + The AWS Secret Access Key to use when generating new credentials. properties: key: description: The key to select. 
@@ -171,120 +186,170 @@ spec: - namespace type: object stsEndpoint: - description: Specifies a custom HTTP STS endpoint to use. Specifies - a custom HTTP STS endpoint to use. + description: |- + Specifies a custom HTTP STS endpoint to use. + Specifies a custom HTTP STS endpoint to use. type: string usernameTemplate: - description: 'Template describing how dynamic usernames are generated. - The username template is used to generate both IAM usernames - (capped at 64 characters) and STS usernames (capped at 32 characters). - If no template is provided the field defaults to the template: - Template describing how dynamic usernames are generated.' + description: |- + Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template: + Template describing how dynamic usernames are generated. type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. 
The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: + accessKeySecretRef: + description: |- + The AWS Access Key ID this backend should use to + issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials. + The AWS Access Key ID to use when generating new credentials. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object defaultLeaseTtlSeconds: - description: The default TTL for credentials issued by this backend. + description: |- + The default TTL for credentials + issued by this backend. Default lease duration for secrets in seconds type: number description: - description: A human-friendly description for this backend. Human-friendly - description of the mount for the backend. + description: |- + A human-friendly description for this backend. + Human-friendly description of the mount for the backend. type: string disableRemount: - description: If set, opts out of mount migration on path updates. - See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. type: boolean iamEndpoint: - description: Specifies a custom HTTP IAM endpoint to use. 
Specifies - a custom HTTP IAM endpoint to use. + description: |- + Specifies a custom HTTP IAM endpoint to use. + Specifies a custom HTTP IAM endpoint to use. type: string identityTokenAudience: - description: The audience claim value. Requires Vault 1.16+. The - audience claim value. + description: |- + The audience claim value. Requires Vault 1.16+. + The audience claim value. type: string identityTokenKey: - description: The key to use for signing identity tokens. Requires - Vault 1.16+. The key to use for signing identity tokens. + description: |- + The key to use for signing identity tokens. Requires Vault 1.16+. + The key to use for signing identity tokens. type: string identityTokenTtl: - description: The TTL of generated identity tokens in seconds. - Requires Vault 1.16+. The TTL of generated identity tokens in - seconds. + description: |- + The TTL of generated identity tokens in seconds. Requires Vault 1.16+. + The TTL of generated identity tokens in seconds. type: number local: - description: Specifies whether the secrets mount will be marked - as local. Local mounts are not replicated to performance replicas. + description: |- + Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas. Specifies if the secret backend is local only type: boolean maxLeaseTtlSeconds: - description: The maximum TTL that can be requested for credentials - issued by this backend. Maximum possible lease duration for - secrets in seconds + description: |- + The maximum TTL that can be requested + for credentials issued by this backend. + Maximum possible lease duration for secrets in seconds type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. 
(requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: The unique path this backend should be mounted at. - Must not begin or end with a /. Defaults to aws. Path to mount - the backend at. + description: |- + The unique path this backend should be mounted at. Must + not begin or end with a /. Defaults to aws. + Path to mount the backend at. type: string region: - description: The AWS region for API calls. Defaults to us-east-1. + description: |- + The AWS region for API calls. Defaults to us-east-1. The AWS region to make API calls against. Defaults to us-east-1. type: string roleArn: - description: Role ARN to assume for plugin identity token federation. - Requires Vault 1.16+. Role ARN to assume for plugin identity - token federation. + description: |- + Role ARN to assume for plugin identity token federation. Requires Vault 1.16+. + Role ARN to assume for plugin identity token federation. type: string + secretKeySecretRef: + description: |- + The AWS Secret Key this backend should use to + issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials. + The AWS Secret Access Key to use when generating new credentials. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object stsEndpoint: - description: Specifies a custom HTTP STS endpoint to use. Specifies - a custom HTTP STS endpoint to use. + description: |- + Specifies a custom HTTP STS endpoint to use. 
+ Specifies a custom HTTP STS endpoint to use. type: string usernameTemplate: - description: 'Template describing how dynamic usernames are generated. - The username template is used to generate both IAM usernames - (capped at 64 characters) and STS usernames (capped at 32 characters). - If no template is provided the field defaults to the template: - Template describing how dynamic usernames are generated.' + description: |- + Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template: + Template describing how dynamic usernames are generated. type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. 
+ This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -297,45 +362,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -345,21 +375,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -369,17 +399,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -389,21 +421,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -418,21 +450,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -443,14 +476,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -471,78 +505,88 @@ spec: atProvider: properties: defaultLeaseTtlSeconds: - description: The default TTL for credentials issued by this backend. + description: |- + The default TTL for credentials + issued by this backend. Default lease duration for secrets in seconds type: number description: - description: A human-friendly description for this backend. Human-friendly - description of the mount for the backend. + description: |- + A human-friendly description for this backend. + Human-friendly description of the mount for the backend. type: string disableRemount: - description: If set, opts out of mount migration on path updates. - See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. type: boolean iamEndpoint: - description: Specifies a custom HTTP IAM endpoint to use. Specifies - a custom HTTP IAM endpoint to use. + description: |- + Specifies a custom HTTP IAM endpoint to use. + Specifies a custom HTTP IAM endpoint to use. type: string id: type: string identityTokenAudience: - description: The audience claim value. Requires Vault 1.16+. The - audience claim value. + description: |- + The audience claim value. Requires Vault 1.16+. + The audience claim value. type: string identityTokenKey: - description: The key to use for signing identity tokens. Requires - Vault 1.16+. The key to use for signing identity tokens. + description: |- + The key to use for signing identity tokens. Requires Vault 1.16+. + The key to use for signing identity tokens. type: string identityTokenTtl: - description: The TTL of generated identity tokens in seconds. - Requires Vault 1.16+. The TTL of generated identity tokens in - seconds. + description: |- + The TTL of generated identity tokens in seconds. Requires Vault 1.16+. + The TTL of generated identity tokens in seconds. 
type: number local: - description: Specifies whether the secrets mount will be marked - as local. Local mounts are not replicated to performance replicas. + description: |- + Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas. Specifies if the secret backend is local only type: boolean maxLeaseTtlSeconds: - description: The maximum TTL that can be requested for credentials - issued by this backend. Maximum possible lease duration for - secrets in seconds + description: |- + The maximum TTL that can be requested + for credentials issued by this backend. + Maximum possible lease duration for secrets in seconds type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: The unique path this backend should be mounted at. - Must not begin or end with a /. Defaults to aws. Path to mount - the backend at. + description: |- + The unique path this backend should be mounted at. Must + not begin or end with a /. Defaults to aws. + Path to mount the backend at. type: string region: - description: The AWS region for API calls. Defaults to us-east-1. + description: |- + The AWS region for API calls. Defaults to us-east-1. The AWS region to make API calls against. Defaults to us-east-1. type: string roleArn: - description: Role ARN to assume for plugin identity token federation. - Requires Vault 1.16+. 
Role ARN to assume for plugin identity - token federation. + description: |- + Role ARN to assume for plugin identity token federation. Requires Vault 1.16+. + Role ARN to assume for plugin identity token federation. type: string stsEndpoint: - description: Specifies a custom HTTP STS endpoint to use. Specifies - a custom HTTP STS endpoint to use. + description: |- + Specifies a custom HTTP STS endpoint to use. + Specifies a custom HTTP STS endpoint to use. type: string usernameTemplate: - description: 'Template describing how dynamic usernames are generated. - The username template is used to generate both IAM usernames - (capped at 64 characters) and STS usernames (capped at 32 characters). - If no template is provided the field defaults to the template: - Template describing how dynamic usernames are generated.' + description: |- + Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template: + Template describing how dynamic usernames are generated. type: string type: object conditions: 
@@ -551,14 +595,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -568,8 +621,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -578,6 +632,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/azure.vault.upbound.io_authbackendconfigs.yaml b/package/crds/azure.vault.upbound.io_authbackendconfigs.yaml index 1d62b464..fdff2925 100644 --- a/package/crds/azure.vault.upbound.io_authbackendconfigs.yaml +++ b/package/crds/azure.vault.upbound.io_authbackendconfigs.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: authbackendconfigs.azure.vault.upbound.io spec: group: azure.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: Configures the Azure Auth Backend in Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,16 +74,90 @@ spec: forProvider: properties: backend: - description: The path the Azure auth backend being configured - was mounted at. Defaults to azure. Unique name of the auth - backend to configure. + description: |- + The path the Azure auth backend being configured was + mounted at. Defaults to azure. + Unique name of the auth backend to configure. type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. 
+ The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object clientIdSecretRef: - description: The client id for credentials to query the Azure - APIs. Currently read permissions to query compute resources - are required. The client id for credentials to query the Azure - APIs. Currently read permissions to query compute resources - are required. + description: |- + The client id for credentials to query the Azure APIs. + Currently read permissions to query compute resources are required. + The client id for credentials to query the Azure APIs. Currently read permissions to query compute resources are required. properties: key: description: The key to select. @@ -94,8 +174,10 @@ spec: - namespace type: object clientSecretSecretRef: - description: The client secret for credentials to query the Azure - APIs. The client secret for credentials to query the Azure APIs + description: |- + The client secret for credentials to query the + Azure APIs. + The client secret for credentials to query the Azure APIs properties: key: description: The key to select. 
@@ -112,25 +194,43 @@ spec: - namespace type: object environment: - description: 'The Azure cloud environment. Valid values: AzurePublicCloud, - AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. Defaults - to AzurePublicCloud. The Azure cloud environment. Valid values: - AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.' + description: |- + The Azure cloud environment. Valid values: + AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, + AzureGermanCloud. Defaults to AzurePublicCloud. + The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. type: string + identityTokenAudience: + description: |- + The audience claim value for plugin identity tokens. Requires Vault 1.17+. + Available only for Vault Enterprise + The audience claim value. + type: string + identityTokenTtl: + description: |- + The TTL of generated identity tokens in seconds. + Defaults to 1 hour. Uses duration format strings. + Requires Vault 1.17+. Available only for Vault Enterprise + The TTL of generated identity tokens in seconds. + type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string resource: - description: The configured URL for the application registered - in Azure Active Directory. The configured URL for the application - registered in Azure Active Directory. 
+ description: |- + The configured URL for the application registered in + Azure Active Directory. + The configured URL for the application registered in Azure Active Directory. type: string tenantIdSecretRef: - description: The tenant id for the Azure Active Directory organization. + description: |- + The tenant id for the Azure Active Directory + organization. The tenant id for the Azure Active Directory organization. properties: key: 
@@ -149,59 +249,213 @@ spec: type: object type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: backend: - description: The path the Azure auth backend being configured - was mounted at. Defaults to azure. Unique name of the auth - backend to configure. + description: |- + The path the Azure auth backend being configured was + mounted at. Defaults to azure. + Unique name of the auth backend to configure. type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. 
+ properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + type: object + clientIdSecretRef: + description: |- + The client id for credentials to query the Azure APIs. + Currently read permissions to query compute resources are required. + The client id for credentials to query the Azure APIs. Currently read permissions to query compute resources are required. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + clientSecretSecretRef: + description: |- + The client secret for credentials to query the + Azure APIs. + The client secret for credentials to query the Azure APIs + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object environment: - description: 'The Azure cloud environment. Valid values: AzurePublicCloud, - AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. Defaults - to AzurePublicCloud. The Azure cloud environment. Valid values: - AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.' + description: |- + The Azure cloud environment. Valid values: + AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, + AzureGermanCloud. Defaults to AzurePublicCloud. + The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. type: string + identityTokenAudience: + description: |- + The audience claim value for plugin identity tokens. Requires Vault 1.17+. + Available only for Vault Enterprise + The audience claim value. + type: string + identityTokenTtl: + description: |- + The TTL of generated identity tokens in seconds. + Defaults to 1 hour. 
Uses duration format strings. + Requires Vault 1.17+. Available only for Vault Enterprise + The TTL of generated identity tokens in seconds. + type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string resource: - description: The configured URL for the application registered - in Azure Active Directory. The configured URL for the application - registered in Azure Active Directory. + description: |- + The configured URL for the application registered in + Azure Active Directory. + The configured URL for the application registered in Azure Active Directory. type: string + tenantIdSecretRef: + description: |- + The tenant id for the Azure Active Directory + organization. + The tenant id for the Azure Active Directory organization. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + required: + - tenantIdSecretRef type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. 
This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
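Review bot: The `required: - tenantIdSecretRef` entry added at the end of the new `initProvider` properties makes the tenant-id secret reference mandatory whenever `initProvider` is present, so an object that sets only `initProvider.resource` or `initProvider.environment` would fail schema validation. The CEL rules later in this file still require `has(self.forProvider.tenantIdSecretRef)` for Create/Update policies, so the reference would have to be supplied in both places. I would drop the two lines `required:` and `- tenantIdSecretRef` from `initProvider` and leave the requirement to the CEL rule. The file carries a controller-gen version annotation, so it is presumably regenerated; the change belongs in the generator input for this resource rather than in a hand edit of this YAML.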
@@ -214,45 +468,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -262,21 +481,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -286,17 +505,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -306,21 +527,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -335,21 +556,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -360,14 +582,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. @@ -383,11 +606,11 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: resource is a required parameter + - message: spec.forProvider.resource is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.resource) - || has(self.initProvider.resource)' - - message: tenantIdSecretRef is a required parameter + || (has(self.initProvider) && has(self.initProvider.resource))' + - message: spec.forProvider.tenantIdSecretRef is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.tenantIdSecretRef)' status: 
@@ -396,29 +619,46 @@ spec: atProvider: properties: backend: - description: The path the Azure auth backend being configured - was mounted at. Defaults to azure. Unique name of the auth - backend to configure. + description: |- + The path the Azure auth backend being configured was + mounted at. Defaults to azure. + Unique name of the auth backend to configure. type: string environment: - description: 'The Azure cloud environment. Valid values: AzurePublicCloud, - AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. Defaults - to AzurePublicCloud. The Azure cloud environment. Valid values: - AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.' + description: |- + The Azure cloud environment. Valid values: + AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, + AzureGermanCloud. Defaults to AzurePublicCloud. + The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. type: string id: type: string + identityTokenAudience: + description: |- + The audience claim value for plugin identity tokens. Requires Vault 1.17+. + Available only for Vault Enterprise + The audience claim value. + type: string + identityTokenTtl: + description: |- + The TTL of generated identity tokens in seconds. + Defaults to 1 hour. Uses duration format strings. + Requires Vault 1.17+. Available only for Vault Enterprise + The TTL of generated identity tokens in seconds. + type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. 
+ Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string resource: - description: The configured URL for the application registered - in Azure Active Directory. The configured URL for the application - registered in Azure Active Directory. + description: |- + The configured URL for the application registered in + Azure Active Directory. + The configured URL for the application registered in Azure Active Directory. type: string type: object conditions: @@ -427,14 +667,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -444,8 +693,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime 
@@ -454,6 +704,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/azure.vault.upbound.io_authbackendroles.yaml b/package/crds/azure.vault.upbound.io_authbackendroles.yaml index a88bfd41..63ea7426 100644 --- a/package/crds/azure.vault.upbound.io_authbackendroles.yaml +++ b/package/crds/azure.vault.upbound.io_authbackendroles.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: authbackendroles.azure.vault.upbound.io spec: group: azure.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: Azure auth backend roles in Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -70,275 +76,460 @@ spec: backend: description: Unique name of the auth backend to configure. type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. 
The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object boundGroupIds: - description: If set, defines a constraint on the groups that can - perform the login operation that they should be using the group - ID specified by this field. The list of group ids that login - is restricted to. + description: |- + If set, defines a constraint on the groups + that can perform the login operation that they should be using the group + ID specified by this field. + The list of group ids that login is restricted to. items: type: string type: array boundLocations: - description: If set, defines a constraint on the virtual machines - that can perform the login operation that the location in their - identity document must match the one specified by this field. + description: |- + If set, defines a constraint on the virtual machines + that can perform the login operation that the location in their identity + document must match the one specified by this field. The list of locations that login is restricted to. items: type: string type: array boundResourceGroups: - description: If set, defines a constraint on the virtual machines - that can perform the login operation that they be associated - with the resource group that matches the value specified by - this field. The list of resource groups that login is restricted - to. + description: |- + If set, defines a constraint on the virtual + machines that can perform the login operation that they be associated with + the resource group that matches the value specified by this field. + The list of resource groups that login is restricted to. 
items: type: string type: array boundScaleSets: - description: If set, defines a constraint on the virtual machines - that can perform the login operation that they must match the - scale set specified by this field. The list of scale set names - that the login is restricted to. + description: |- + If set, defines a constraint on the virtual + machines that can perform the login operation that they must match the scale set + specified by this field. + The list of scale set names that the login is restricted to. items: type: string type: array boundServicePrincipalIds: - description: If set, defines a constraint on the service principals - that can perform the login operation that they should be possess - the ids specified by this field. The list of Service Principal - IDs that login is restricted to. + description: |- + If set, defines a constraint on the + service principals that can perform the login operation that they should be possess + the ids specified by this field. + The list of Service Principal IDs that login is restricted to. items: type: string type: array boundSubscriptionIds: - description: If set, defines a constraint on the subscriptions - that can perform the login operation to ones which matches - the value specified by this field. The list of subscription - IDs that login is restricted to. + description: |- + If set, defines a constraint on the subscriptions + that can perform the login operation to ones which matches the value specified by this + field. + The list of subscription IDs that login is restricted to. items: type: string type: array namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. 
+ The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string role: - description: The name of the role. Name of the role. + description: |- + The name of the role. + Name of the role. type: string tokenBoundCidrs: - description: List of CIDR blocks; if set, specifies blocks of - IP addresses which can authenticate successfully, and ties the - resulting token to these blocks as well. Specifies the blocks - of IP addresses which are allowed to use the generated token + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + Specifies the blocks of IP addresses which are allowed to use the generated token items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: - description: If set, will encode an explicit max TTL onto the - token in number of seconds. This is a hard cap even if token_ttl - and token_max_ttl would otherwise allow a renewal. Generated - Token's Explicit Maximum TTL in seconds + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + Generated Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime for generated tokens in number - of seconds. Its current value will be referenced at renewal - time. The maximum lifetime of the generated token + description: |- + The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. 
+ The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If set, the default policy will not be set on generated - tokens; otherwise it will be added to the policies set in token_policies. - If true, the 'default' policy will not automatically be added - to generated tokens + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a generated token may - be used (within its lifetime); 0 means unlimited. The maximum - number of times a token may be used, a value of zero means unlimited + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + The maximum number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: If set, indicates that the token generated using - this role should never expire. The token should be renewed within - the duration specified by this value. At each renewal, the token's - TTL will be set to the value of this field. Specified in seconds. + description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. Generated Token's Period type: number tokenPolicies: - description: List of policies to encode onto generated tokens. - Depending on the auth method, this list may be supplemented - by user/group/other values. Generated Token's Policies + description: |- + List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. 
+ Generated Token's Policies items: type: string type: array + x-kubernetes-list-type: set tokenTtl: - description: The incremental lifetime for generated tokens in - number of seconds. Its current value will be referenced at renewal - time. The initial ttl of the token to generate in seconds + description: |- + The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The initial ttl of the token to generate in seconds type: number tokenType: - description: 'The type of token that should be generated. Can - be service, batch, or default to use the mount''s tuned default - (which unless changed will be service tokens). For token store - roles, there are two additional possibilities: default-service - and default-batch which specify the type to return unless the - client requests a different type at generation time. The type - of token to generate, service or batch' + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. + The type of token to generate, service or batch type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. 
This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: backend: description: Unique name of the auth backend to configure. type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. 
+ properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object boundGroupIds: - description: If set, defines a constraint on the groups that can - perform the login operation that they should be using the group - ID specified by this field. The list of group ids that login - is restricted to. + description: |- + If set, defines a constraint on the groups + that can perform the login operation that they should be using the group + ID specified by this field. + The list of group ids that login is restricted to. items: type: string type: array boundLocations: - description: If set, defines a constraint on the virtual machines - that can perform the login operation that the location in their - identity document must match the one specified by this field. 
+ description: |- + If set, defines a constraint on the virtual machines + that can perform the login operation that the location in their identity + document must match the one specified by this field. The list of locations that login is restricted to. items: type: string type: array boundResourceGroups: - description: If set, defines a constraint on the virtual machines - that can perform the login operation that they be associated - with the resource group that matches the value specified by - this field. The list of resource groups that login is restricted - to. + description: |- + If set, defines a constraint on the virtual + machines that can perform the login operation that they be associated with + the resource group that matches the value specified by this field. + The list of resource groups that login is restricted to. items: type: string type: array boundScaleSets: - description: If set, defines a constraint on the virtual machines - that can perform the login operation that they must match the - scale set specified by this field. The list of scale set names - that the login is restricted to. + description: |- + If set, defines a constraint on the virtual + machines that can perform the login operation that they must match the scale set + specified by this field. + The list of scale set names that the login is restricted to. items: type: string type: array boundServicePrincipalIds: - description: If set, defines a constraint on the service principals - that can perform the login operation that they should be possess - the ids specified by this field. The list of Service Principal - IDs that login is restricted to. + description: |- + If set, defines a constraint on the + service principals that can perform the login operation that they should be possess + the ids specified by this field. + The list of Service Principal IDs that login is restricted to. 
items: type: string type: array boundSubscriptionIds: - description: If set, defines a constraint on the subscriptions - that can perform the login operation to ones which matches - the value specified by this field. The list of subscription - IDs that login is restricted to. + description: |- + If set, defines a constraint on the subscriptions + that can perform the login operation to ones which matches the value specified by this + field. + The list of subscription IDs that login is restricted to. items: type: string type: array namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string role: - description: The name of the role. Name of the role. + description: |- + The name of the role. + Name of the role. type: string tokenBoundCidrs: - description: List of CIDR blocks; if set, specifies blocks of - IP addresses which can authenticate successfully, and ties the - resulting token to these blocks as well. Specifies the blocks - of IP addresses which are allowed to use the generated token + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + Specifies the blocks of IP addresses which are allowed to use the generated token items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: - description: If set, will encode an explicit max TTL onto the - token in number of seconds. 
This is a hard cap even if token_ttl - and token_max_ttl would otherwise allow a renewal. Generated - Token's Explicit Maximum TTL in seconds + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + Generated Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime for generated tokens in number - of seconds. Its current value will be referenced at renewal - time. The maximum lifetime of the generated token + description: |- + The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If set, the default policy will not be set on generated - tokens; otherwise it will be added to the policies set in token_policies. - If true, the 'default' policy will not automatically be added - to generated tokens + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a generated token may - be used (within its lifetime); 0 means unlimited. The maximum - number of times a token may be used, a value of zero means unlimited + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + The maximum number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: If set, indicates that the token generated using - this role should never expire. The token should be renewed within - the duration specified by this value. At each renewal, the token's - TTL will be set to the value of this field. 
Specified in seconds. + description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. Generated Token's Period type: number tokenPolicies: - description: List of policies to encode onto generated tokens. - Depending on the auth method, this list may be supplemented - by user/group/other values. Generated Token's Policies + description: |- + List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + Generated Token's Policies items: type: string type: array + x-kubernetes-list-type: set tokenTtl: - description: The incremental lifetime for generated tokens in - number of seconds. Its current value will be referenced at renewal - time. The initial ttl of the token to generate in seconds + description: |- + The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The initial ttl of the token to generate in seconds type: number tokenType: - description: 'The type of token that should be generated. Can - be service, batch, or default to use the mount''s tuned default - (which unless changed will be service tokens). For token store - roles, there are two additional possibilities: default-service - and default-batch which specify the type to return unless the - client requests a different type at generation time. The type - of token to generate, service or batch' + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). 
For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. + The type of token to generate, service or batch type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. 
+ See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -351,45 +542,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -399,21 +555,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -423,17 +579,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -443,21 +601,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -472,21 +630,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -497,14 +656,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. @@ -520,10 +680,10 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: role is a required parameter + - message: spec.forProvider.role is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.role) - || has(self.initProvider.role)' + || (has(self.initProvider) && has(self.initProvider.role))' status: description: AuthBackendRoleStatus defines the observed state of AuthBackendRole. properties: 
@@ -533,123 +693,141 @@ spec: description: Unique name of the auth backend to configure. type: string boundGroupIds: - description: If set, defines a constraint on the groups that can - perform the login operation that they should be using the group - ID specified by this field. The list of group ids that login - is restricted to. + description: |- + If set, defines a constraint on the groups + that can perform the login operation that they should be using the group + ID specified by this field. + The list of group ids that login is restricted to. items: type: string type: array boundLocations: - description: If set, defines a constraint on the virtual machines - that can perform the login operation that the location in their - identity document must match the one specified by this field. + description: |- + If set, defines a constraint on the virtual machines + that can perform the login operation that the location in their identity + document must match the one specified by this field. The list of locations that login is restricted to. items: type: string type: array boundResourceGroups: - description: If set, defines a constraint on the virtual machines - that can perform the login operation that they be associated - with the resource group that matches the value specified by - this field. The list of resource groups that login is restricted - to. + description: |- + If set, defines a constraint on the virtual + machines that can perform the login operation that they be associated with + the resource group that matches the value specified by this field. + The list of resource groups that login is restricted to. items: type: string type: array boundScaleSets: - description: If set, defines a constraint on the virtual machines - that can perform the login operation that they must match the - scale set specified by this field. The list of scale set names - that the login is restricted to. 
+ description: |- + If set, defines a constraint on the virtual + machines that can perform the login operation that they must match the scale set + specified by this field. + The list of scale set names that the login is restricted to. items: type: string type: array boundServicePrincipalIds: - description: If set, defines a constraint on the service principals - that can perform the login operation that they should be possess - the ids specified by this field. The list of Service Principal - IDs that login is restricted to. + description: |- + If set, defines a constraint on the + service principals that can perform the login operation that they should be possess + the ids specified by this field. + The list of Service Principal IDs that login is restricted to. items: type: string type: array boundSubscriptionIds: - description: If set, defines a constraint on the subscriptions - that can perform the login operation to ones which matches - the value specified by this field. The list of subscription - IDs that login is restricted to. + description: |- + If set, defines a constraint on the subscriptions + that can perform the login operation to ones which matches the value specified by this + field. + The list of subscription IDs that login is restricted to. items: type: string type: array id: type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string role: - description: The name of the role. Name of the role. 
+ description: |- + The name of the role. + Name of the role. type: string tokenBoundCidrs: - description: List of CIDR blocks; if set, specifies blocks of - IP addresses which can authenticate successfully, and ties the - resulting token to these blocks as well. Specifies the blocks - of IP addresses which are allowed to use the generated token + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + Specifies the blocks of IP addresses which are allowed to use the generated token items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: - description: If set, will encode an explicit max TTL onto the - token in number of seconds. This is a hard cap even if token_ttl - and token_max_ttl would otherwise allow a renewal. Generated - Token's Explicit Maximum TTL in seconds + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + Generated Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime for generated tokens in number - of seconds. Its current value will be referenced at renewal - time. The maximum lifetime of the generated token + description: |- + The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If set, the default policy will not be set on generated - tokens; otherwise it will be added to the policies set in token_policies. - If true, the 'default' policy will not automatically be added - to generated tokens + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. 
+ If true, the 'default' policy will not automatically be added to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a generated token may - be used (within its lifetime); 0 means unlimited. The maximum - number of times a token may be used, a value of zero means unlimited + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + The maximum number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: If set, indicates that the token generated using - this role should never expire. The token should be renewed within - the duration specified by this value. At each renewal, the token's - TTL will be set to the value of this field. Specified in seconds. + description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. Generated Token's Period type: number tokenPolicies: - description: List of policies to encode onto generated tokens. - Depending on the auth method, this list may be supplemented - by user/group/other values. Generated Token's Policies + description: |- + List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + Generated Token's Policies items: type: string type: array + x-kubernetes-list-type: set tokenTtl: - description: The incremental lifetime for generated tokens in - number of seconds. Its current value will be referenced at renewal - time. The initial ttl of the token to generate in seconds + description: |- + The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. 
+ The initial ttl of the token to generate in seconds type: number tokenType: - description: 'The type of token that should be generated. Can - be service, batch, or default to use the mount''s tuned default - (which unless changed will be service tokens). For token store - roles, there are two additional possibilities: default-service - and default-batch which specify the type to return unless the - client requests a different type at generation time. The type - of token to generate, service or batch' + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. + The type of token to generate, service or batch type: string type: object conditions: 
@@ -658,14 +836,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -675,8 +862,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -685,6 +873,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/azure.vault.upbound.io_secretbackendroles.yaml b/package/crds/azure.vault.upbound.io_secretbackendroles.yaml index 744f2308..4e01b40d 100644 --- a/package/crds/azure.vault.upbound.io_secretbackendroles.yaml +++ b/package/crds/azure.vault.upbound.io_secretbackendroles.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretbackendroles.azure.vault.upbound.io spec: group: azure.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: Creates an azure secret backend role for Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,11 +74,10 @@ spec: forProvider: properties: applicationObjectId: - description: Application Object ID for an existing service principal - that will be used instead of creating dynamic service principals. - If present, azure_roles and permanently_delete will be ignored. - Application Object ID for an existing service principal that - will be used instead of creating dynamic service principals. + description: |- + Application Object ID for an existing service principal that will + be used instead of creating dynamic service principals. If present, azure_roles and permanently_delete will be ignored. + Application Object ID for an existing service principal that will be used instead of creating dynamic service principals. type: string azureGroups: description: List of Azure groups to be assigned to the generated 
@@ -97,79 +102,152 @@ spec: type: object type: array backend: - description: Path to the mounted Azure auth backend Unique name - of the auth backend to configure. + description: |- + Path to the mounted Azure auth backend + Unique name of the auth backend to configure. type: string + backendRef: + description: Reference to a SecretBackend in azure to populate + backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a SecretBackend in azure to populate + backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 
'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object description: description: Human-friendly description of the mount for the backend. type: string maxTtl: - description: – Specifies the maximum TTL for service principals - generated using this role. Accepts time suffixed strings ("1h") - or an integer number of seconds. Defaults to the system/engine - max TTL time. Human-friendly description of the mount for the - backend. + description: |- + – Specifies the maximum TTL for service principals generated using this role. Accepts time + suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time. + Human-friendly description of the mount for the backend. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string permanentlyDelete: - description: Indicates whether the applications and service principals - created by Vault will be permanently deleted when the corresponding - leases expire. Defaults to false. For Vault v1.12+. 
Indicates - whether the applications and service principals created by Vault - will be permanently deleted when the corresponding leases expire. + description: |- + Indicates whether the applications and service principals created by Vault will be permanently + deleted when the corresponding leases expire. Defaults to false. For Vault v1.12+. + Indicates whether the applications and service principals created by Vault will be permanently deleted when the corresponding leases expire. type: boolean role: - description: Name of the Azure role Name of the role to create + description: |- + Name of the Azure role + Name of the role to create type: string signInAudience: - description: 'Specifies the security principal types that are - allowed to sign in to the application. Valid values are: AzureADMyOrg, - AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. - Requires Vault 1.16+. Specifies the security principal types - that are allowed to sign in to the application. Valid values - are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, - PersonalMicrosoftAccount' + description: |- + Specifies the security principal types that are allowed to sign in to the application. + Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. Requires Vault 1.16+. + Specifies the security principal types that are allowed to sign in to the application. Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount type: string tags: - description: '- A list of Azure tags to attach to an application. - Requires Vault 1.16+. Comma-separated strings of Azure tags - to attach to an application.' + description: |- + - A list of Azure tags to attach to an application. Requires Vault 1.16+. + Comma-separated strings of Azure tags to attach to an application. 
items: type: string type: array ttl: - description: – Specifies the default TTL for service principals - generated using this role. Accepts time suffixed strings ("1h") - or an integer number of seconds. Defaults to the system/engine - default TTL time. Human-friendly description of the mount for - the backend. + description: |- + – Specifies the default TTL for service principals generated using this role. + Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. + Human-friendly description of the mount for the backend. type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. 
This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: applicationObjectId: - description: Application Object ID for an existing service principal - that will be used instead of creating dynamic service principals. - If present, azure_roles and permanently_delete will be ignored. - Application Object ID for an existing service principal that - will be used instead of creating dynamic service principals. + description: |- + Application Object ID for an existing service principal that will + be used instead of creating dynamic service principals. If present, azure_roles and permanently_delete will be ignored. + Application Object ID for an existing service principal that will be used instead of creating dynamic service principals. type: string azureGroups: description: List of Azure groups to be assigned to the generated 
@@ -194,77 +272,152 @@ spec: type: object type: array backend: - description: Path to the mounted Azure auth backend Unique name - of the auth backend to configure. + description: |- + Path to the mounted Azure auth backend + Unique name of the auth backend to configure. type: string + backendRef: + description: Reference to a SecretBackend in azure to populate + backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a SecretBackend in azure to populate + backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 
'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object description: description: Human-friendly description of the mount for the backend. type: string maxTtl: - description: – Specifies the maximum TTL for service principals - generated using this role. Accepts time suffixed strings ("1h") - or an integer number of seconds. Defaults to the system/engine - max TTL time. Human-friendly description of the mount for the - backend. + description: |- + – Specifies the maximum TTL for service principals generated using this role. Accepts time + suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time. + Human-friendly description of the mount for the backend. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string permanentlyDelete: - description: Indicates whether the applications and service principals - created by Vault will be permanently deleted when the corresponding - leases expire. Defaults to false. For Vault v1.12+. 
Indicates - whether the applications and service principals created by Vault - will be permanently deleted when the corresponding leases expire. + description: |- + Indicates whether the applications and service principals created by Vault will be permanently + deleted when the corresponding leases expire. Defaults to false. For Vault v1.12+. + Indicates whether the applications and service principals created by Vault will be permanently deleted when the corresponding leases expire. type: boolean role: - description: Name of the Azure role Name of the role to create + description: |- + Name of the Azure role + Name of the role to create type: string signInAudience: - description: 'Specifies the security principal types that are - allowed to sign in to the application. Valid values are: AzureADMyOrg, - AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. - Requires Vault 1.16+. Specifies the security principal types - that are allowed to sign in to the application. Valid values - are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, - PersonalMicrosoftAccount' + description: |- + Specifies the security principal types that are allowed to sign in to the application. + Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. Requires Vault 1.16+. + Specifies the security principal types that are allowed to sign in to the application. Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount type: string tags: - description: '- A list of Azure tags to attach to an application. - Requires Vault 1.16+. Comma-separated strings of Azure tags - to attach to an application.' + description: |- + - A list of Azure tags to attach to an application. Requires Vault 1.16+. + Comma-separated strings of Azure tags to attach to an application. 
items: type: string type: array ttl: - description: – Specifies the default TTL for service principals - generated using this role. Accepts time suffixed strings ("1h") - or an integer number of seconds. Defaults to the system/engine - default TTL time. Human-friendly description of the mount for - the backend. + description: |- + – Specifies the default TTL for service principals generated using this role. + Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. + Human-friendly description of the mount for the backend. type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. 
If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -277,9 +430,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -289,57 +443,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -349,17 +467,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
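Review bot: Removing the deprecated `providerRef` block from the schema in this hunk (and again in the matching hunk of `azure.vault.upbound.io_secretbackends.yaml`) comes with no upgrade note, while `providerConfigRef` keeps `default: name: default`. A stored object that sets only `spec.providerRef` would presumably have that field pruned and then resolve to the `default` ProviderConfig, which may carry different Vault credentials than the one intended. These CRDs are generated, so the place to address this is the release notes, for example `Breaking: spec.providerRef is removed; set spec.providerConfigRef.name explicitly before upgrading.`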
@@ -369,21 +489,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -398,21 +518,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -423,14 +544,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -446,21 +568,20 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: role is a required parameter + - message: spec.forProvider.role is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.role) - || has(self.initProvider.role)' + || (has(self.initProvider) && has(self.initProvider.role))' status: description: SecretBackendRoleStatus defines the observed state of SecretBackendRole. properties: atProvider: properties: applicationObjectId: - description: Application Object ID for an existing service principal - that will be used instead of creating dynamic service principals. - If present, azure_roles and permanently_delete will be ignored. - Application Object ID for an existing service principal that - will be used instead of creating dynamic service principals. + description: |- + Application Object ID for an existing service principal that will + be used instead of creating dynamic service principals. If present, azure_roles and permanently_delete will be ignored. + Application Object ID for an existing service principal that will be used instead of creating dynamic service principals. type: string azureGroups: description: List of Azure groups to be assigned to the generated @@ -487,8 +608,9 @@ spec: type: object type: array backend: - description: Path to the mounted Azure auth backend Unique name - of the auth backend to configure. + description: |- + Path to the mounted Azure auth backend + Unique name of the auth backend to configure. type: string description: description: Human-friendly description of the mount for the backend. 
@@ -496,51 +618,48 @@ spec: id: type: string maxTtl: - description: – Specifies the maximum TTL for service principals - generated using this role. Accepts time suffixed strings ("1h") - or an integer number of seconds. Defaults to the system/engine - max TTL time. Human-friendly description of the mount for the - backend. + description: |- + – Specifies the maximum TTL for service principals generated using this role. Accepts time + suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time. + Human-friendly description of the mount for the backend. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string permanentlyDelete: - description: Indicates whether the applications and service principals - created by Vault will be permanently deleted when the corresponding - leases expire. Defaults to false. For Vault v1.12+. Indicates - whether the applications and service principals created by Vault - will be permanently deleted when the corresponding leases expire. + description: |- + Indicates whether the applications and service principals created by Vault will be permanently + deleted when the corresponding leases expire. Defaults to false. For Vault v1.12+. + Indicates whether the applications and service principals created by Vault will be permanently deleted when the corresponding leases expire. 
type: boolean role: - description: Name of the Azure role Name of the role to create + description: |- + Name of the Azure role + Name of the role to create type: string signInAudience: - description: 'Specifies the security principal types that are - allowed to sign in to the application. Valid values are: AzureADMyOrg, - AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. - Requires Vault 1.16+. Specifies the security principal types - that are allowed to sign in to the application. Valid values - are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, - PersonalMicrosoftAccount' + description: |- + Specifies the security principal types that are allowed to sign in to the application. + Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. Requires Vault 1.16+. + Specifies the security principal types that are allowed to sign in to the application. Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount type: string tags: - description: '- A list of Azure tags to attach to an application. - Requires Vault 1.16+. Comma-separated strings of Azure tags - to attach to an application.' + description: |- + - A list of Azure tags to attach to an application. Requires Vault 1.16+. + Comma-separated strings of Azure tags to attach to an application. items: type: string type: array ttl: - description: – Specifies the default TTL for service principals - generated using this role. Accepts time suffixed strings ("1h") - or an integer number of seconds. Defaults to the system/engine - default TTL time. Human-friendly description of the mount for - the backend. + description: |- + – Specifies the default TTL for service principals generated using this role. + Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. 
+ Human-friendly description of the mount for the backend. type: string type: object conditions: @@ -549,14 +668,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -566,8 +694,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -576,6 +705,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/azure.vault.upbound.io_secretbackends.yaml b/package/crds/azure.vault.upbound.io_secretbackends.yaml index 49fd0edb..55e0cd1c 100644 --- a/package/crds/azure.vault.upbound.io_secretbackends.yaml +++ b/package/crds/azure.vault.upbound.io_secretbackends.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretbackends.azure.vault.upbound.io spec: group: azure.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: an azure secret backend for Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete @@ -68,9 +74,9 @@ spec: forProvider: properties: clientIdSecretRef: - description: The OAuth2 client id to connect to Azure. The client - id for credentials to query the Azure APIs. Currently read permissions - to query compute resources are required. + description: |- + The OAuth2 client id to connect to Azure. + The client id for credentials to query the Azure APIs. Currently read permissions to query compute resources are required. properties: key: description: The key to select. 
@@ -87,8 +93,9 @@ spec: - namespace type: object clientSecretSecretRef: - description: The OAuth2 client secret to connect to Azure. The - client secret for credentials to query the Azure APIs + description: |- + The OAuth2 client secret to connect to Azure. + The client secret for credentials to query the Azure APIs properties: key: description: The key to select. 
@@ -108,28 +115,50 @@ spec: description: Human-friendly description of the mount for the backend. type: string disableRemount: - description: If set, opts out of mount migration on path updates. - See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. type: boolean environment: - description: 'The Azure environment. The Azure cloud environment. - Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, - AzureGermanCloud.' + description: |- + The Azure environment. + The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. + type: string + identityTokenAudience: + description: |- + The audience claim value. Requires Vault 1.17+. + Available only for Vault Enterprise + The audience claim value. type: string + identityTokenKey: + description: |- + The key to use for signing identity tokens. Requires Vault 1.17+. + Available only for Vault Enterprise + The key to use for signing identity tokens. + type: string + identityTokenTtl: + description: |- + The TTL of generated identity tokens in seconds. Requires Vault 1.17+. + Available only for Vault Enterprise + The TTL of generated identity tokens in seconds. + type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. 
(requires Enterprise) type: string path: - description: The unique path this backend should be mounted at. - Defaults to azure. Path to mount the backend at. + description: |- + The unique path this backend should be mounted at. Defaults to azure. + Path to mount the backend at. type: string subscriptionIdSecretRef: - description: The subscription id for the Azure Active Directory. + description: |- + The subscription id for the Azure Active Directory. The subscription id for the Azure Active Directory. properties: key: @@ -147,8 +176,9 @@ spec: - namespace type: object tenantIdSecretRef: - description: The tenant id for the Azure Active Directory. The - tenant id for the Azure Active Directory organization. + description: |- + The tenant id for the Azure Active Directory. + The tenant id for the Azure Active Directory organization. properties: key: description: The key to select. 
@@ -165,75 +195,176 @@ spec: - namespace type: object useMicrosoftGraphApi: - description: Indicates whether the secrets engine should use the - Microsoft Graph API. This parameter has been deprecated and - will be ignored in vault-1.12+. For more information, please - refer to the Vault docs Use the Microsoft Graph API. Should - be set to true on vault-1.10+ + description: |- + Indicates whether the secrets engine should use + the Microsoft Graph API. This parameter has been deprecated and will be ignored in vault-1.12+. + For more information, please refer to the Vault docs + Use the Microsoft Graph API. Should be set to true on vault-1.10+ type: boolean type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. 
This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: + clientIdSecretRef: + description: |- + The OAuth2 client id to connect to Azure. + The client id for credentials to query the Azure APIs. Currently read permissions to query compute resources are required. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + clientSecretSecretRef: + description: |- + The OAuth2 client secret to connect to Azure. + The client secret for credentials to query the Azure APIs + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object description: description: Human-friendly description of the mount for the backend. type: string disableRemount: - description: If set, opts out of mount migration on path updates. - See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. type: boolean environment: - description: 'The Azure environment. The Azure cloud environment. - Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, - AzureGermanCloud.' + description: |- + The Azure environment. + The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. + type: string + identityTokenAudience: + description: |- + The audience claim value. Requires Vault 1.17+. 
+ Available only for Vault Enterprise + The audience claim value. type: string + identityTokenKey: + description: |- + The key to use for signing identity tokens. Requires Vault 1.17+. + Available only for Vault Enterprise + The key to use for signing identity tokens. + type: string + identityTokenTtl: + description: |- + The TTL of generated identity tokens in seconds. Requires Vault 1.17+. + Available only for Vault Enterprise + The TTL of generated identity tokens in seconds. + type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: The unique path this backend should be mounted at. - Defaults to azure. Path to mount the backend at. + description: |- + The unique path this backend should be mounted at. Defaults to azure. + Path to mount the backend at. type: string + subscriptionIdSecretRef: + description: |- + The subscription id for the Azure Active Directory. + The subscription id for the Azure Active Directory. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + tenantIdSecretRef: + description: |- + The tenant id for the Azure Active Directory. + The tenant id for the Azure Active Directory organization. + properties: + key: + description: The key to select. 
+ type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object useMicrosoftGraphApi: - description: Indicates whether the secrets engine should use the - Microsoft Graph API. This parameter has been deprecated and - will be ignored in vault-1.12+. For more information, please - refer to the Vault docs Use the Microsoft Graph API. Should - be set to true on vault-1.10+ + description: |- + Indicates whether the secrets engine should use + the Microsoft Graph API. This parameter has been deprecated and will be ignored in vault-1.12+. + For more information, please refer to the Vault docs + Use the Microsoft Graph API. Should be set to true on vault-1.10+ type: boolean + required: + - subscriptionIdSecretRef + - tenantIdSecretRef type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. 
+ ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -246,9 +377,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
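Review bot: The `required:` list added at the end of `initProvider` (`subscriptionIdSecretRef`, `tenantIdSecretRef`) makes both secret references mandatory as soon as a manifest sets any `initProvider` field, while the visible end of `forProvider` carries no such list; `forProvider` begins outside this hunk, so that is only partly checkable here. The description in this same hunk says `initProvider` fields are also added to the terraform `ignore_changes` hook, so credentials supplied there would presumably not be updated after creation, which works against rotation. The file is generated by controller-gen, so the change belongs in the Go types: mark the two InitParameters fields `// +kubebuilder:validation:Optional`. If the requirement must stay, express it as a CEL rule in the style already used for `role`, e.g. `has(self.forProvider.tenantIdSecretRef) || (has(self.initProvider) && has(self.initProvider.tenantIdSecretRef))`.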
@@ -258,57 +390,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -318,17 +414,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -338,21 +436,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -367,21 +465,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -392,14 +491,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. @@ -415,10 +515,10 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: subscriptionIdSecretRef is a required parameter + - message: spec.forProvider.subscriptionIdSecretRef is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.subscriptionIdSecretRef)' - - message: tenantIdSecretRef is a required parameter + - message: spec.forProvider.tenantIdSecretRef is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.tenantIdSecretRef)' status: 
@@ -430,34 +530,55 @@ spec: description: Human-friendly description of the mount for the backend. type: string disableRemount: - description: If set, opts out of mount migration on path updates. - See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. type: boolean environment: - description: 'The Azure environment. The Azure cloud environment. - Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, - AzureGermanCloud.' + description: |- + The Azure environment. + The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. type: string id: type: string + identityTokenAudience: + description: |- + The audience claim value. Requires Vault 1.17+. + Available only for Vault Enterprise + The audience claim value. + type: string + identityTokenKey: + description: |- + The key to use for signing identity tokens. Requires Vault 1.17+. + Available only for Vault Enterprise + The key to use for signing identity tokens. + type: string + identityTokenTtl: + description: |- + The TTL of generated identity tokens in seconds. Requires Vault 1.17+. + Available only for Vault Enterprise + The TTL of generated identity tokens in seconds. + type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. 
+ Target namespace. (requires Enterprise) type: string path: - description: The unique path this backend should be mounted at. - Defaults to azure. Path to mount the backend at. + description: |- + The unique path this backend should be mounted at. Defaults to azure. + Path to mount the backend at. type: string useMicrosoftGraphApi: - description: Indicates whether the secrets engine should use the - Microsoft Graph API. This parameter has been deprecated and - will be ignored in vault-1.12+. For more information, please - refer to the Vault docs Use the Microsoft Graph API. Should - be set to true on vault-1.10+ + description: |- + Indicates whether the secrets engine should use + the Microsoft Graph API. This parameter has been deprecated and will be ignored in vault-1.12+. + For more information, please refer to the Vault docs + Use the Microsoft Graph API. Should be set to true on vault-1.10+ type: boolean type: object conditions: 
@@ -466,14 +587,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -483,8 +613,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -493,6 +624,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/cert.vault.upbound.io_authbackendroles.yaml b/package/crds/cert.vault.upbound.io_authbackendroles.yaml index 90933629..b7ad6126 100644 --- a/package/crds/cert.vault.upbound.io_authbackendroles.yaml +++ b/package/crds/cert.vault.upbound.io_authbackendroles.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: authbackendroles.cert.vault.upbound.io spec: group: cert.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: value> properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete @@ -71,30 +77,32 @@ spec: items: type: string type: array + x-kubernetes-list-type: set allowedDnsSans: items: type: string type: array + x-kubernetes-list-type: set allowedEmailSans: items: type: string type: array + x-kubernetes-list-type: set allowedNames: items: type: string type: array - allowedOrganizationUnits: - items: - type: string - type: array + x-kubernetes-list-type: set allowedOrganizationalUnits: items: type: string type: array + x-kubernetes-list-type: set allowedUriSans: items: type: string type: array + x-kubernetes-list-type: set backend: type: string certificate: 
@@ -131,16 +139,19 @@ spec: items: type: string type: array + x-kubernetes-list-type: set requiredExtensions: items: type: string type: array + x-kubernetes-list-type: set tokenBoundCidrs: description: Specifies the blocks of IP addresses which are allowed to use the generated token items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: description: Generated Token's Explicit Maximum TTL in seconds type: number @@ -163,6 +174,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: set tokenTtl: description: The initial ttl of the token to generate in seconds type: number 
@@ -171,46 +183,48 @@ spec: type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. 
properties: allowedCommonNames: items: type: string type: array + x-kubernetes-list-type: set allowedDnsSans: items: type: string type: array + x-kubernetes-list-type: set allowedEmailSans: items: type: string type: array + x-kubernetes-list-type: set allowedNames: items: type: string type: array - allowedOrganizationUnits: - items: - type: string - type: array + x-kubernetes-list-type: set allowedOrganizationalUnits: items: type: string type: array + x-kubernetes-list-type: set allowedUriSans: items: type: string type: array + x-kubernetes-list-type: set backend: type: string certificate: @@ -247,16 +261,19 @@ spec: items: type: string type: array + x-kubernetes-list-type: set requiredExtensions: items: type: string type: array + x-kubernetes-list-type: set tokenBoundCidrs: description: Specifies the blocks of IP addresses which are allowed to use the generated token items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: description: Generated Token's Explicit Maximum TTL in seconds type: number @@ -279,6 +296,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: set tokenTtl: description: The initial ttl of the token to generate in seconds type: number 
@@ -289,20 +307,21 @@ spec: managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. 
+ description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -315,45 +334,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -363,21 +347,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -387,17 +371,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -407,21 +393,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -436,21 +422,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -461,14 +448,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -484,14 +472,14 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: certificate is a required parameter + - message: spec.forProvider.certificate is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.certificate) - || has(self.initProvider.certificate)' - - message: name is a required parameter + || (has(self.initProvider) && has(self.initProvider.certificate))' + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' + || (has(self.initProvider) && has(self.initProvider.name))' status: description: AuthBackendRoleStatus defines the observed state of AuthBackendRole. properties: @@ -501,30 +489,32 @@ spec: items: type: string type: array + x-kubernetes-list-type: set allowedDnsSans: items: type: string type: array + x-kubernetes-list-type: set allowedEmailSans: items: type: string type: array + x-kubernetes-list-type: set allowedNames: items: type: string type: array - allowedOrganizationUnits: - items: - type: string - type: array + x-kubernetes-list-type: set allowedOrganizationalUnits: items: type: string type: array + x-kubernetes-list-type: set allowedUriSans: items: type: string type: array + x-kubernetes-list-type: set backend: type: string certificate: @@ -563,16 +553,19 @@ spec: items: type: string type: array + x-kubernetes-list-type: set requiredExtensions: items: type: string type: array + x-kubernetes-list-type: set tokenBoundCidrs: description: Specifies the blocks of IP addresses which are allowed to use the generated token items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: description: Generated Token's Explicit Maximum TTL in seconds type: number 
@@ -595,6 +588,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: set tokenTtl: description: The initial ttl of the token to generate in seconds type: number @@ -608,14 +602,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. - type: string + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. + type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -625,8 +628,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime 
@@ -635,6 +639,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/consul.vault.upbound.io_secretbackendroles.yaml b/package/crds/consul.vault.upbound.io_secretbackendroles.yaml index c0495c66..3c75d4f1 100644 --- a/package/crds/consul.vault.upbound.io_secretbackendroles.yaml +++ b/package/crds/consul.vault.upbound.io_secretbackendroles.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretbackendroles.consul.vault.upbound.io spec: group: consul.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: Manages a Consul secrets role for a Consul secrets engine in Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,221 +74,372 @@ spec: forProvider: properties: backend: - description: The unique name of an existing Consul secrets backend - mount. Must not begin or end with a /. One of path or backend - is required. The path of the Consul Secret Backend the role - belongs to. + description: |- + The unique name of an existing Consul secrets backend mount. Must not begin or end with a /. One of path or backend is required. + The path of the Consul Secret Backend the role belongs to. type: string + backendRef: + description: Reference to a SecretBackend in consul to populate + backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a SecretBackend in consul to populate + backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. 
+ properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object consulNamespace: - description: The Consul namespace that the token will be created - in. Applicable for Vault 1.10+ and Consul 1.7+". The Consul - namespace that the token will be created in. Applicable for - Vault 1.10+ and Consul 1.7+ + description: |- + The Consul namespace that the token will be created in. + Applicable for Vault 1.10+ and Consul 1.7+". + The Consul namespace that the token will be created in. Applicable for Vault 1.10+ and Consul 1.7+ type: string consulPolicies: - description: SEE NOTE The list of Consul ACL policies to associate - with these roles. List of Consul policies to associate with - this role + description: |- + SEE NOTE The list of Consul ACL policies to associate with these roles. + List of Consul policies to associate with this role items: type: string type: array + x-kubernetes-list-type: set consulRoles: - description: SEE NOTE Set of Consul roles to attach to the token. - Applicable for Vault 1.10+ with Consul 1.5+. Set of Consul roles - to attach to the token. Applicable for Vault 1.10+ with Consul - 1.5+ + description: |- + SEE NOTE Set of Consul roles to attach to the token. + Applicable for Vault 1.10+ with Consul 1.5+. + Set of Consul roles to attach to the token. 
Applicable for Vault 1.10+ with Consul 1.5+ items: type: string type: array + x-kubernetes-list-type: set local: - description: Indicates that the token should not be replicated - globally and instead be local to the current datacenter. Indicates - that the token should not be replicated globally and instead - be local to the current datacenter. + description: |- + Indicates that the token should not be replicated globally and instead be local to the current datacenter. + Indicates that the token should not be replicated globally and instead be local to the current datacenter. type: boolean maxTtl: - description: Maximum TTL for leases associated with this role, - in seconds. Maximum TTL for leases associated with this role, - in seconds. + description: |- + Maximum TTL for leases associated with this role, in seconds. + Maximum TTL for leases associated with this role, in seconds. type: number name: - description: The name of the Consul secrets engine role to create. - The name of an existing role against which to create this Consul - credential + description: |- + The name of the Consul secrets engine role to create. + The name of an existing role against which to create this Consul credential type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string nodeIdentities: - description: SEE NOTE Set of Consul node identities to attach - to the token. Applicable for Vault 1.11+ with Consul 1.8+. 
Set - of Consul node identities to attach to the token. Applicable - for Vault 1.11+ with Consul 1.8+ + description: |- + SEE NOTE Set of Consul node + identities to attach to the token. Applicable for Vault 1.11+ with Consul 1.8+. + Set of Consul node identities to attach to + the token. Applicable for Vault 1.11+ with Consul 1.8+ items: type: string type: array + x-kubernetes-list-type: set partition: - description: The admin partition that the token will be created - in. Applicable for Vault 1.10+ and Consul 1.11+". The Consul - admin partition that the token will be created in. Applicable - for Vault 1.10+ and Consul 1.11+ + description: |- + The admin partition that the token will be created in. + Applicable for Vault 1.10+ and Consul 1.11+". + The Consul admin partition that the token will be created in. Applicable for Vault 1.10+ and Consul 1.11+ type: string policies: - description: 'The list of Consul ACL policies to associate with - these roles. NOTE: The new parameter consul_policies should - be used in favor of this. This parameter, policies, remains - supported for legacy users, but Vault has deprecated this field. - List of Consul policies to associate with this role' + description: |- + The list of Consul ACL policies to associate with these roles. + NOTE: The new parameter consul_policies should be used in favor of this. This parameter, + policies, remains supported for legacy users, but Vault has deprecated this field. + List of Consul policies to associate with this role items: type: string type: array serviceIdentities: - description: SEE NOTE Set of Consul service identities to attach - to the token. Applicable for Vault 1.11+ with Consul 1.5+. Set - of Consul service identities to attach to the token. Applicable - for Vault 1.11+ with Consul 1.5+ + description: |- + SEE NOTE Set of Consul + service identities to attach to the token. Applicable for Vault 1.11+ with Consul 1.5+. + Set of Consul service identities to attach to + the token. 
Applicable for Vault 1.11+ with Consul 1.5+ items: type: string type: array - tokenType: - description: 'Specifies the type of token to create when using - this role. Valid values are "client" or "management". Deprecated: - Consul 1.11 and later removed the legacy ACL system which supported - this field. Specifies the type of token to create when using - this role. Valid values are "client" or "management".' - type: string + x-kubernetes-list-type: set ttl: - description: Specifies the TTL for this role. Specifies the TTL - for this role. + description: |- + Specifies the TTL for this role. + Specifies the TTL for this role. type: number type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. 
This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: backend: - description: The unique name of an existing Consul secrets backend - mount. Must not begin or end with a /. One of path or backend - is required. The path of the Consul Secret Backend the role - belongs to. + description: |- + The unique name of an existing Consul secrets backend mount. Must not begin or end with a /. One of path or backend is required. + The path of the Consul Secret Backend the role belongs to. type: string + backendRef: + description: Reference to a SecretBackend in consul to populate + backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a SecretBackend in consul to populate + backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. 
+ type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object consulNamespace: - description: The Consul namespace that the token will be created - in. Applicable for Vault 1.10+ and Consul 1.7+". The Consul - namespace that the token will be created in. Applicable for - Vault 1.10+ and Consul 1.7+ + description: |- + The Consul namespace that the token will be created in. + Applicable for Vault 1.10+ and Consul 1.7+". + The Consul namespace that the token will be created in. Applicable for Vault 1.10+ and Consul 1.7+ type: string consulPolicies: - description: SEE NOTE The list of Consul ACL policies to associate - with these roles. List of Consul policies to associate with - this role + description: |- + SEE NOTE The list of Consul ACL policies to associate with these roles. + List of Consul policies to associate with this role items: type: string type: array + x-kubernetes-list-type: set consulRoles: - description: SEE NOTE Set of Consul roles to attach to the token. - Applicable for Vault 1.10+ with Consul 1.5+. Set of Consul roles - to attach to the token. 
Applicable for Vault 1.10+ with Consul - 1.5+ + description: |- + SEE NOTE Set of Consul roles to attach to the token. + Applicable for Vault 1.10+ with Consul 1.5+. + Set of Consul roles to attach to the token. Applicable for Vault 1.10+ with Consul 1.5+ items: type: string type: array + x-kubernetes-list-type: set local: - description: Indicates that the token should not be replicated - globally and instead be local to the current datacenter. Indicates - that the token should not be replicated globally and instead - be local to the current datacenter. + description: |- + Indicates that the token should not be replicated globally and instead be local to the current datacenter. + Indicates that the token should not be replicated globally and instead be local to the current datacenter. type: boolean maxTtl: - description: Maximum TTL for leases associated with this role, - in seconds. Maximum TTL for leases associated with this role, - in seconds. + description: |- + Maximum TTL for leases associated with this role, in seconds. + Maximum TTL for leases associated with this role, in seconds. type: number name: - description: The name of the Consul secrets engine role to create. - The name of an existing role against which to create this Consul - credential + description: |- + The name of the Consul secrets engine role to create. + The name of an existing role against which to create this Consul credential type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. 
(requires Enterprise) type: string nodeIdentities: - description: SEE NOTE Set of Consul node identities to attach - to the token. Applicable for Vault 1.11+ with Consul 1.8+. Set - of Consul node identities to attach to the token. Applicable - for Vault 1.11+ with Consul 1.8+ + description: |- + SEE NOTE Set of Consul node + identities to attach to the token. Applicable for Vault 1.11+ with Consul 1.8+. + Set of Consul node identities to attach to + the token. Applicable for Vault 1.11+ with Consul 1.8+ items: type: string type: array + x-kubernetes-list-type: set partition: - description: The admin partition that the token will be created - in. Applicable for Vault 1.10+ and Consul 1.11+". The Consul - admin partition that the token will be created in. Applicable - for Vault 1.10+ and Consul 1.11+ + description: |- + The admin partition that the token will be created in. + Applicable for Vault 1.10+ and Consul 1.11+". + The Consul admin partition that the token will be created in. Applicable for Vault 1.10+ and Consul 1.11+ type: string policies: - description: 'The list of Consul ACL policies to associate with - these roles. NOTE: The new parameter consul_policies should - be used in favor of this. This parameter, policies, remains - supported for legacy users, but Vault has deprecated this field. - List of Consul policies to associate with this role' + description: |- + The list of Consul ACL policies to associate with these roles. + NOTE: The new parameter consul_policies should be used in favor of this. This parameter, + policies, remains supported for legacy users, but Vault has deprecated this field. + List of Consul policies to associate with this role items: type: string type: array serviceIdentities: - description: SEE NOTE Set of Consul service identities to attach - to the token. Applicable for Vault 1.11+ with Consul 1.5+. Set - of Consul service identities to attach to the token. 
Applicable - for Vault 1.11+ with Consul 1.5+ + description: |- + SEE NOTE Set of Consul + service identities to attach to the token. Applicable for Vault 1.11+ with Consul 1.5+. + Set of Consul service identities to attach to + the token. Applicable for Vault 1.11+ with Consul 1.5+ items: type: string type: array - tokenType: - description: 'Specifies the type of token to create when using - this role. Valid values are "client" or "management". Deprecated: - Consul 1.11 and later removed the legacy ACL system which supported - this field. Specifies the type of token to create when using - this role. Valid values are "client" or "management".' - type: string + x-kubernetes-list-type: set ttl: - description: Specifies the TTL for this role. Specifies the TTL - for this role. + description: |- + Specifies the TTL for this role. + Specifies the TTL for this role. type: number type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. 
+ ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -295,45 +452,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -343,21 +465,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -367,17 +489,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -387,21 +511,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -416,21 +540,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -441,14 +566,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -464,108 +590,107 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: name is a required parameter + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' + || (has(self.initProvider) && has(self.initProvider.name))' status: description: SecretBackendRoleStatus defines the observed state of SecretBackendRole. properties: atProvider: properties: backend: - description: The unique name of an existing Consul secrets backend - mount. Must not begin or end with a /. One of path or backend - is required. The path of the Consul Secret Backend the role - belongs to. + description: |- + The unique name of an existing Consul secrets backend mount. Must not begin or end with a /. One of path or backend is required. + The path of the Consul Secret Backend the role belongs to. type: string consulNamespace: - description: The Consul namespace that the token will be created - in. Applicable for Vault 1.10+ and Consul 1.7+". The Consul - namespace that the token will be created in. Applicable for - Vault 1.10+ and Consul 1.7+ + description: |- + The Consul namespace that the token will be created in. + Applicable for Vault 1.10+ and Consul 1.7+". + The Consul namespace that the token will be created in. Applicable for Vault 1.10+ and Consul 1.7+ type: string consulPolicies: - description: SEE NOTE The list of Consul ACL policies to associate - with these roles. List of Consul policies to associate with - this role + description: |- + SEE NOTE The list of Consul ACL policies to associate with these roles. + List of Consul policies to associate with this role items: type: string type: array + x-kubernetes-list-type: set consulRoles: - description: SEE NOTE Set of Consul roles to attach to the token. - Applicable for Vault 1.10+ with Consul 1.5+. 
Set of Consul roles - to attach to the token. Applicable for Vault 1.10+ with Consul - 1.5+ + description: |- + SEE NOTE Set of Consul roles to attach to the token. + Applicable for Vault 1.10+ with Consul 1.5+. + Set of Consul roles to attach to the token. Applicable for Vault 1.10+ with Consul 1.5+ items: type: string type: array + x-kubernetes-list-type: set id: type: string local: - description: Indicates that the token should not be replicated - globally and instead be local to the current datacenter. Indicates - that the token should not be replicated globally and instead - be local to the current datacenter. + description: |- + Indicates that the token should not be replicated globally and instead be local to the current datacenter. + Indicates that the token should not be replicated globally and instead be local to the current datacenter. type: boolean maxTtl: - description: Maximum TTL for leases associated with this role, - in seconds. Maximum TTL for leases associated with this role, - in seconds. + description: |- + Maximum TTL for leases associated with this role, in seconds. + Maximum TTL for leases associated with this role, in seconds. type: number name: - description: The name of the Consul secrets engine role to create. - The name of an existing role against which to create this Consul - credential + description: |- + The name of the Consul secrets engine role to create. + The name of an existing role against which to create this Consul credential type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. 
+ The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string nodeIdentities: - description: SEE NOTE Set of Consul node identities to attach - to the token. Applicable for Vault 1.11+ with Consul 1.8+. Set - of Consul node identities to attach to the token. Applicable - for Vault 1.11+ with Consul 1.8+ + description: |- + SEE NOTE Set of Consul node + identities to attach to the token. Applicable for Vault 1.11+ with Consul 1.8+. + Set of Consul node identities to attach to + the token. Applicable for Vault 1.11+ with Consul 1.8+ items: type: string type: array + x-kubernetes-list-type: set partition: - description: The admin partition that the token will be created - in. Applicable for Vault 1.10+ and Consul 1.11+". The Consul - admin partition that the token will be created in. Applicable - for Vault 1.10+ and Consul 1.11+ + description: |- + The admin partition that the token will be created in. + Applicable for Vault 1.10+ and Consul 1.11+". + The Consul admin partition that the token will be created in. Applicable for Vault 1.10+ and Consul 1.11+ type: string policies: - description: 'The list of Consul ACL policies to associate with - these roles. NOTE: The new parameter consul_policies should - be used in favor of this. This parameter, policies, remains - supported for legacy users, but Vault has deprecated this field. - List of Consul policies to associate with this role' + description: |- + The list of Consul ACL policies to associate with these roles. + NOTE: The new parameter consul_policies should be used in favor of this. This parameter, + policies, remains supported for legacy users, but Vault has deprecated this field. + List of Consul policies to associate with this role items: type: string type: array serviceIdentities: - description: SEE NOTE Set of Consul service identities to attach - to the token. 
Applicable for Vault 1.11+ with Consul 1.5+. Set - of Consul service identities to attach to the token. Applicable - for Vault 1.11+ with Consul 1.5+ + description: |- + SEE NOTE Set of Consul + service identities to attach to the token. Applicable for Vault 1.11+ with Consul 1.5+. + Set of Consul service identities to attach to + the token. Applicable for Vault 1.11+ with Consul 1.5+ items: type: string type: array - tokenType: - description: 'Specifies the type of token to create when using - this role. Valid values are "client" or "management". Deprecated: - Consul 1.11 and later removed the legacy ACL system which supported - this field. Specifies the type of token to create when using - this role. Valid values are "client" or "management".' - type: string + x-kubernetes-list-type: set ttl: - description: Specifies the TTL for this role. Specifies the TTL - for this role. + description: |- + Specifies the TTL for this role. + Specifies the TTL for this role. type: number type: object conditions: 
@@ -574,14 +699,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -591,8 +725,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -601,6 +736,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/consul.vault.upbound.io_secretbackends.yaml b/package/crds/consul.vault.upbound.io_secretbackends.yaml index 7f547f53..155b0fe5 100644 --- a/package/crds/consul.vault.upbound.io_secretbackends.yaml +++ b/package/crds/consul.vault.upbound.io_secretbackends.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretbackends.consul.vault.upbound.io spec: group: consul.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: a Consul secret backend for Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,27 +74,25 @@ spec: forProvider: properties: address: - description: Specifies the address of the Consul instance, provided - as "host:port" like "127.0.0.1:8500". Specifies the address - of the Consul instance, provided as "host:port" like "127.0.0.1:8500". + description: |- + Specifies the address of the Consul instance, provided as "host:port" like "127.0.0.1:8500". + Specifies the address of the Consul instance, provided as "host:port" like "127.0.0.1:8500". type: string bootstrap: - description: Denotes that the resource is used to bootstrap the - Consul ACL system. Denotes a backend resource that is used to - bootstrap the Consul ACL system. Only one resource may be used - to bootstrap. + description: |- + Denotes that the resource is used to bootstrap the Consul ACL system. + Denotes a backend resource that is used to bootstrap the Consul ACL system. Only one resource may be used to bootstrap. type: boolean caCert: - description: CA certificate to use when verifying Consul server - certificate, must be x509 PEM encoded. CA certificate to use - when verifying Consul server certificate, must be x509 PEM encoded. + description: |- + CA certificate to use when verifying Consul server certificate, must be x509 PEM encoded. + CA certificate to use when verifying Consul server certificate, must be x509 PEM encoded. type: string clientCertSecretRef: - description: Client certificate used for Consul's TLS communication, - must be x509 PEM encoded and if this is set you need to also - set client_key. Client certificate used for Consul's TLS communication, - must be x509 PEM encoded and if this is set you need to also - set client_key. + description: |- + Client certificate used for Consul's TLS communication, must be x509 PEM encoded and if + this is set you need to also set client_key. + Client certificate used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_key. 
properties: key: description: The key to select. @@ -105,11 +109,10 @@ spec: - namespace type: object clientKeySecretRef: - description: Client key used for Consul's TLS communication, must - be x509 PEM encoded and if this is set you need to also set - client_cert. Client key used for Consul's TLS communication, - must be x509 PEM encoded and if this is set you need to also - set client_cert. + description: |- + Client key used for Consul's TLS communication, must be x509 PEM encoded and if this is set + you need to also set client_cert. + Client key used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert. properties: key: description: The key to select. 
@@ -126,48 +129,56 @@ spec: - namespace type: object defaultLeaseTtlSeconds: - description: The default TTL for credentials issued by this backend. + description: |- + The default TTL for credentials issued by this backend. Default lease duration for secrets in seconds type: number description: - description: A human-friendly description for this backend. Human-friendly - description of the mount for the backend. + description: |- + A human-friendly description for this backend. + Human-friendly description of the mount for the backend. type: string disableRemount: - description: If set, opts out of mount migration on path updates. - See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. type: boolean local: - description: Specifies if the secret backend is local only. Specifies - if the secret backend is local only + description: |- + Specifies if the secret backend is local only. + Specifies if the secret backend is local only type: boolean maxLeaseTtlSeconds: - description: The maximum TTL that can be requested for credentials - issued by this backend. Maximum possible lease duration for - secrets in seconds + description: |- + The maximum TTL that can be requested + for credentials issued by this backend. + Maximum possible lease duration for secrets in seconds type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. 
+ The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: The unique location this backend should be mounted - at. Must not begin or end with a /. Defaults to consul. Unique - name of the Vault Consul mount to configure + description: |- + The unique location this backend should be mounted at. Must not begin or end with a /. Defaults + to consul. + Unique name of the Vault Consul mount to configure type: string scheme: - description: Specifies the URL scheme to use. Defaults to http. + description: |- + Specifies the URL scheme to use. Defaults to http. Specifies the URL scheme to use. Defaults to "http". type: string tokenSecretRef: - description: The Consul management token this backend should use - to issue new tokens. This field is required when bootstrap is - false. Specifies the Consul token to use when managing or issuing - new tokens. + description: |- + The Consul management token this backend should use to issue new tokens. This field is required + when bootstrap is false. + Specifies the Consul token to use when managing or issuing new tokens. properties: key: description: The key to select. 
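Review bot: The new `scheme` description still reads `Defaults to http` with no caveat, in the same `forProvider` block whose `tokenSecretRef` holds the Consul management token. A SecretBackend that sets only `address` would therefore presumably have Vault present that token to Consul over plaintext. This CRD is controller-gen output, so the wording belongs in the generator's description source; I would append a line such as `Set to "https" and provide caCert for any non-loopback address; the management token is sent over this connection.` The same description is repeated under `initProvider` in the next hunk. The `forProvider` block starts before this hunk and continues past it.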
@@ -185,90 +196,158 @@ spec: type: object type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: address: - description: Specifies the address of the Consul instance, provided - as "host:port" like "127.0.0.1:8500". Specifies the address - of the Consul instance, provided as "host:port" like "127.0.0.1:8500". + description: |- + Specifies the address of the Consul instance, provided as "host:port" like "127.0.0.1:8500". + Specifies the address of the Consul instance, provided as "host:port" like "127.0.0.1:8500". type: string bootstrap: - description: Denotes that the resource is used to bootstrap the - Consul ACL system. 
Denotes a backend resource that is used to - bootstrap the Consul ACL system. Only one resource may be used - to bootstrap. + description: |- + Denotes that the resource is used to bootstrap the Consul ACL system. + Denotes a backend resource that is used to bootstrap the Consul ACL system. Only one resource may be used to bootstrap. type: boolean caCert: - description: CA certificate to use when verifying Consul server - certificate, must be x509 PEM encoded. CA certificate to use - when verifying Consul server certificate, must be x509 PEM encoded. + description: |- + CA certificate to use when verifying Consul server certificate, must be x509 PEM encoded. + CA certificate to use when verifying Consul server certificate, must be x509 PEM encoded. type: string + clientCertSecretRef: + description: |- + Client certificate used for Consul's TLS communication, must be x509 PEM encoded and if + this is set you need to also set client_key. + Client certificate used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_key. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + clientKeySecretRef: + description: |- + Client key used for Consul's TLS communication, must be x509 PEM encoded and if this is set + you need to also set client_cert. + Client key used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object defaultLeaseTtlSeconds: - description: The default TTL for credentials issued by this backend. 
+ description: |- + The default TTL for credentials issued by this backend. Default lease duration for secrets in seconds type: number description: - description: A human-friendly description for this backend. Human-friendly - description of the mount for the backend. + description: |- + A human-friendly description for this backend. + Human-friendly description of the mount for the backend. type: string disableRemount: - description: If set, opts out of mount migration on path updates. - See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. type: boolean local: - description: Specifies if the secret backend is local only. Specifies - if the secret backend is local only + description: |- + Specifies if the secret backend is local only. + Specifies if the secret backend is local only type: boolean maxLeaseTtlSeconds: - description: The maximum TTL that can be requested for credentials - issued by this backend. Maximum possible lease duration for - secrets in seconds + description: |- + The maximum TTL that can be requested + for credentials issued by this backend. + Maximum possible lease duration for secrets in seconds type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. 
(requires Enterprise) type: string path: - description: The unique location this backend should be mounted - at. Must not begin or end with a /. Defaults to consul. Unique - name of the Vault Consul mount to configure + description: |- + The unique location this backend should be mounted at. Must not begin or end with a /. Defaults + to consul. + Unique name of the Vault Consul mount to configure type: string scheme: - description: Specifies the URL scheme to use. Defaults to http. + description: |- + Specifies the URL scheme to use. Defaults to http. Specifies the URL scheme to use. Defaults to "http". type: string + tokenSecretRef: + description: |- + The Consul management token this backend should use to issue new tokens. This field is required + when bootstrap is false. + Specifies the Consul token to use when managing or issuing new tokens. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. 
See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
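Review bot: `initProvider` gains `clientCertSecretRef`, `clientKeySecretRef` and `tokenSecretRef`, each with a caller-chosen `namespace`, on a CRD declared `scope: Cluster`. This gives a SecretBackend author a second path for selecting the Secret that holds the Consul management token. Any admission rule or audit query that constrains `spec.forProvider.*SecretRef.namespace` would need the same constraint on `spec.initProvider`, because the description states these fields are merged into ForProvider at creation; whether such rules exist is not visible here. The file is controller-gen output, so I would carry this in the generator's description for the field, e.g. `Secret references set here are merged into forProvider on creation and should be restricted the same way.`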
@@ -281,45 +360,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -329,21 +373,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -353,17 +397,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -373,21 +419,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -402,21 +448,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -427,14 +474,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -450,69 +498,76 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: address is a required parameter + - message: spec.forProvider.address is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.address) - || has(self.initProvider.address)' + || (has(self.initProvider) && has(self.initProvider.address))' status: description: SecretBackendStatus defines the observed state of SecretBackend. properties: atProvider: properties: address: - description: Specifies the address of the Consul instance, provided - as "host:port" like "127.0.0.1:8500". Specifies the address - of the Consul instance, provided as "host:port" like "127.0.0.1:8500". + description: |- + Specifies the address of the Consul instance, provided as "host:port" like "127.0.0.1:8500". + Specifies the address of the Consul instance, provided as "host:port" like "127.0.0.1:8500". type: string bootstrap: - description: Denotes that the resource is used to bootstrap the - Consul ACL system. Denotes a backend resource that is used to - bootstrap the Consul ACL system. Only one resource may be used - to bootstrap. + description: |- + Denotes that the resource is used to bootstrap the Consul ACL system. + Denotes a backend resource that is used to bootstrap the Consul ACL system. Only one resource may be used to bootstrap. type: boolean caCert: - description: CA certificate to use when verifying Consul server - certificate, must be x509 PEM encoded. CA certificate to use - when verifying Consul server certificate, must be x509 PEM encoded. + description: |- + CA certificate to use when verifying Consul server certificate, must be x509 PEM encoded. + CA certificate to use when verifying Consul server certificate, must be x509 PEM encoded. type: string defaultLeaseTtlSeconds: - description: The default TTL for credentials issued by this backend. 
+ description: |- + The default TTL for credentials issued by this backend. Default lease duration for secrets in seconds type: number description: - description: A human-friendly description for this backend. Human-friendly - description of the mount for the backend. + description: |- + A human-friendly description for this backend. + Human-friendly description of the mount for the backend. type: string disableRemount: - description: If set, opts out of mount migration on path updates. - See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. type: boolean id: type: string local: - description: Specifies if the secret backend is local only. Specifies - if the secret backend is local only + description: |- + Specifies if the secret backend is local only. + Specifies if the secret backend is local only type: boolean maxLeaseTtlSeconds: - description: The maximum TTL that can be requested for credentials - issued by this backend. Maximum possible lease duration for - secrets in seconds + description: |- + The maximum TTL that can be requested + for credentials issued by this backend. + Maximum possible lease duration for secrets in seconds type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. 
(requires Enterprise) type: string path: - description: The unique location this backend should be mounted - at. Must not begin or end with a /. Defaults to consul. Unique - name of the Vault Consul mount to configure + description: |- + The unique location this backend should be mounted at. Must not begin or end with a /. Defaults + to consul. + Unique name of the Vault Consul mount to configure type: string scheme: - description: Specifies the URL scheme to use. Defaults to http. + description: |- + Specifies the URL scheme to use. Defaults to http. Specifies the URL scheme to use. Defaults to "http". type: string type: object @@ -522,14 +577,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. 
@@ -539,8 +603,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -549,6 +614,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/database.vault.upbound.io_secretbackendconnections.yaml b/package/crds/database.vault.upbound.io_secretbackendconnections.yaml index 92085066..0a137b2e 100644 --- a/package/crds/database.vault.upbound.io_secretbackendconnections.yaml +++ b/package/crds/database.vault.upbound.io_secretbackendconnections.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretbackendconnections.database.vault.upbound.io spec: group: database.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: API. Configures a database secret backend connection for Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -55,13 +60,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -69,40 +75,121 @@ spec: forProvider: properties: allowedRoles: - description: A list of roles that are allowed to use this connection. + description: |- + A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string type: array backend: - description: The unique name of the Vault mount to configure. + description: |- + The unique name of the Vault mount to configure. Unique name of the Vault mount to configure. type: string + backendRef: + description: Reference to a Mount in vault to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Mount in vault to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. 
+ properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object cassandra: - description: A nested block containing configuration options for - Cassandra connections. Connection parameters for the cassandra-database-plugin - plugin. + description: |- + A nested block containing configuration options for Cassandra connections. + Connection parameters for the cassandra-database-plugin plugin. items: properties: connectTimeout: - description: The number of seconds to use as a connection - timeout. The number of seconds to use as a connection + description: |- + The number of seconds to use as a connection timeout. + The number of seconds to use as a connection timeout. type: number hosts: - description: The hosts to connect to. Cassandra hosts to - connect to. + description: |- + The hosts to connect to. + Cassandra hosts to connect to. items: type: string type: array insecureTls: - description: Whether to skip verification of the server - certificate when using TLS. Whether to skip verification - of the server certificate when using TLS. + description: |- + Whether to skip verification of the server + certificate when using TLS. + Whether to skip verification of the server certificate when using TLS. type: boolean passwordSecretRef: - description: The password to authenticate with. 
The password - to use when authenticating with Cassandra. + description: |- + The password to authenticate with. + The password to use when authenticating with Cassandra. properties: key: description: The key to select. @@ -119,10 +206,10 @@ spec: - namespace type: object pemBundleSecretRef: - description: Concatenated PEM blocks configuring the certificate - chain. Concatenated PEM blocks containing a certificate - and private key; a certificate, private key, and issuing - CA certificate; or just a CA certificate. + description: |- + Concatenated PEM blocks configuring the certificate + chain. + Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. properties: key: description: The key to select. @@ -139,10 +226,9 @@ spec: - namespace type: object pemJsonSecretRef: - description: A JSON structure configuring the certificate - chain. Specifies JSON containing a certificate and private - key; a certificate, private key, and issuing CA certificate; - or just a CA certificate. + description: |- + A JSON structure configuring the certificate chain. + Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. properties: key: description: The key to select. 
@@ -159,36 +245,38 @@ spec: - namespace type: object port: - description: The default port to connect to if no port is - specified as part of the host. The transport port to use - to connect to Cassandra. + description: |- + The default port to connect to if no port is specified as + part of the host. + The transport port to use to connect to Cassandra. type: number protocolVersion: - description: The CQL protocol version to use. The CQL protocol - version to use. + description: |- + The CQL protocol version to use. + The CQL protocol version to use. type: number tls: - description: Whether to use TLS when connecting to Cassandra. + description: |- + Whether to use TLS when connecting to Cassandra. Whether to use TLS when connecting to Cassandra. type: boolean username: - description: The username to authenticate with. The username - to use when authenticating with Cassandra. + description: |- + The username to authenticate with. + The username to use when authenticating with Cassandra. type: string type: object type: array couchbase: - description: A nested block containing configuration options for - Couchbase connections. Connection parameters for the couchbase-database-plugin - plugin. + description: |- + A nested block containing configuration options for Couchbase connections. + Connection parameters for the couchbase-database-plugin plugin. items: properties: base64PemSecretRef: - description: Required if tls is true. Specifies the certificate - authority of the Couchbase server, as a PEM certificate - that has been base64 encoded. Required if `tls` is `true`. - Specifies the certificate authority of the Couchbase server, - as a PEM certificate that has been base64 encoded. + description: |- + Required if tls is true. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded. + Required if `tls` is `true`. 
Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded. properties: key: description: The key to select. @@ -205,27 +293,27 @@ spec: - namespace type: object bucketName: - description: Required for Couchbase versions prior to 6.5.0. - This is only used to verify vault's connection to the - server. Required for Couchbase versions prior to 6.5.0. - This is only used to verify vault's connection to the - server. + description: |- + Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. + Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. type: string hosts: - description: The hosts to connect to. A set of Couchbase - URIs to connect to. Must use `couchbases://` scheme if - `tls` is `true`. + description: |- + The hosts to connect to. + A set of Couchbase URIs to connect to. Must use `couchbases://` scheme if `tls` is `true`. items: type: string type: array insecureTls: - description: Whether to skip verification of the server - certificate when using TLS. Specifies whether to skip - verification of the server certificate when using TLS. + description: |- + Whether to skip verification of the server + certificate when using TLS. + Specifies whether to skip verification of the server certificate when using TLS. type: boolean passwordSecretRef: - description: The password to authenticate with. Specifies - the password corresponding to the given username. + description: |- + The password to authenticate with. + Specifies the password corresponding to the given username. properties: key: description: The key to select. 
@@ -242,64 +330,65 @@ spec: - namespace type: object tls: - description: Whether to use TLS when connecting to Cassandra. + description: |- + Whether to use TLS when connecting to Cassandra. Specifies whether to use TLS when connecting to Couchbase. type: boolean username: - description: The username to authenticate with. Specifies - the username for Vault to use. + description: |- + The username to authenticate with. + Specifies the username for Vault to use. type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Template describing how dynamic usernames are - generated. + description: |- + Template describing how dynamic usernames are generated. + Template describing how dynamic usernames are generated. type: string - required: - - passwordSecretRef type: object type: array data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular elasticsearch: - description: A nested block containing configuration options for - Elasticsearch connections. Connection parameters for the elasticsearch-database-plugin. + description: |- + A nested block containing configuration options for Elasticsearch connections. + Connection parameters for the elasticsearch-database-plugin. items: properties: caCert: - description: The contents of a PEM-encoded CA cert file - to use to verify the Redis server's identity. The path - to a PEM-encoded CA cert file to use to verify the Elasticsearch - server's identity + description: |- + The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. 
+ The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity type: string caPath: - description: The path to a directory of PEM-encoded CA cert - files to use to verify the Elasticsearch server's identity. - The path to a directory of PEM-encoded CA cert files to - use to verify the Elasticsearch server's identity + description: |- + The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity. + The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity type: string clientCert: - description: The path to the certificate for the Elasticsearch - client to present for communication. The path to the certificate - for the Elasticsearch client to present for communication + description: |- + The path to the certificate for the Elasticsearch client to present for communication. + The path to the certificate for the Elasticsearch client to present for communication type: string clientKey: - description: The path to the key for the Elasticsearch client - to use for communication. The path to the key for the - Elasticsearch client to use for communication + description: |- + The path to the key for the Elasticsearch client to use for communication. + The path to the key for the Elasticsearch client to use for communication type: string insecure: - description: Whether to disable certificate verification. + description: |- + Whether to disable certificate verification. Whether to disable certificate verification type: boolean passwordSecretRef: - description: The password to authenticate with. The password - to be used in the connection URL + description: |- + The password to authenticate with. + The password to be used in the connection URL properties: key: description: The key to select. 
@@ -316,60 +405,68 @@ spec: - namespace type: object tlsServerName: - description: This, if set, is used to set the SNI host when - connecting via TLS. This, if set, is used to set the SNI - host when connecting via TLS + description: |- + This, if set, is used to set the SNI host when connecting via TLS. + This, if set, is used to set the SNI host when connecting via TLS type: string url: - description: The url to connect to including the port; e.g. - master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. + description: |- + The url to connect to including the port; e.g. master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. The URL for Elasticsearch's API type: string username: - description: The username to authenticate with. The username - to be used in the connection URL + description: |- + The username to authenticate with. + The username to be used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Template describing how dynamic usernames are - generated. + description: |- + Template describing how dynamic usernames are generated. + Template describing how dynamic usernames are generated. type: string - required: - - passwordSecretRef type: object type: array hana: - description: A nested block containing configuration options for - SAP HanaDB connections. Connection parameters for the hana-database-plugin - plugin. + description: |- + A nested block containing configuration options for SAP HanaDB connections. + Connection parameters for the hana-database-plugin plugin. items: properties: connectionUrl: - description: A URL containing connection information. See - the Vault docs for an example. Connection string to use - to connect to the database. + description: |- + A URL containing connection information. See + the Vault + docs + for an example. + Connection string to use to connect to the database. 
type: string disableEscaping: - description: Disable special character escaping in username - and password. Disable special character escaping in username - and password + description: |- + Disable special character escaping in username and password. + Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number passwordSecretRef: - description: The password to authenticate with. The root - credential password used in the connection URL + description: |- + The password to authenticate with. + The root credential password used in the connection URL properties: key: description: The key to select. 
@@ -386,34 +483,39 @@ spec: - namespace type: object username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string type: object type: array influxdb: - description: A nested block containing configuration options for - InfluxDB connections. Connection parameters for the influxdb-database-plugin - plugin. + description: |- + A nested block containing configuration options for InfluxDB connections. + Connection parameters for the influxdb-database-plugin plugin. items: properties: connectTimeout: - description: The number of seconds to use as a connection - timeout. The number of seconds to use as a connection + description: |- + The number of seconds to use as a connection timeout. + The number of seconds to use as a connection timeout. type: number host: - description: The host to connect to. Influxdb host to connect - to. + description: |- + The host to connect to. + Influxdb host to connect to. type: string insecureTls: - description: Whether to skip verification of the server - certificate when using TLS. Whether to skip verification - of the server certificate when using TLS. + description: |- + Whether to skip verification of the server + certificate when using TLS. + Whether to skip verification of the server certificate when using TLS. type: boolean passwordSecretRef: - description: The password to authenticate with. Specifies - the password corresponding to the given username. + description: |- + The password to authenticate with. + Specifies the password corresponding to the given username. properties: key: description: The key to select. 
@@ -430,10 +532,10 @@ spec: - namespace type: object pemBundleSecretRef: - description: Concatenated PEM blocks configuring the certificate - chain. Concatenated PEM blocks containing a certificate - and private key; a certificate, private key, and issuing - CA certificate; or just a CA certificate. + description: |- + Concatenated PEM blocks configuring the certificate + chain. + Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. properties: key: description: The key to select. @@ -450,10 +552,9 @@ spec: - namespace type: object pemJsonSecretRef: - description: A JSON structure configuring the certificate - chain. Specifies JSON containing a certificate and private - key; a certificate, private key, and issuing CA certificate; - or just a CA certificate. + description: |- + A JSON structure configuring the certificate chain. + Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. properties: key: description: The key to select. 
@@ -470,54 +571,64 @@ spec: - namespace type: object port: - description: The default port to connect to if no port is - specified as part of the host. The transport port to use - to connect to Influxdb. + description: |- + The default port to connect to if no port is specified as + part of the host. + The transport port to use to connect to Influxdb. type: number tls: - description: Whether to use TLS when connecting to Cassandra. + description: |- + Whether to use TLS when connecting to Cassandra. Whether to use TLS when connecting to Influxdb. type: boolean username: - description: The username to authenticate with. Specifies - the username to use for superuser access. + description: |- + The username to authenticate with. + Specifies the username to use for superuser access. type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Template describing how dynamic usernames are - generated. + description: |- + Template describing how dynamic usernames are generated. + Template describing how dynamic usernames are generated. type: string - required: - - passwordSecretRef type: object type: array mongodb: - description: A nested block containing configuration options for - MongoDB connections. Connection parameters for the mongodb-database-plugin - plugin. + description: |- + A nested block containing configuration options for MongoDB connections. + Connection parameters for the mongodb-database-plugin plugin. items: properties: connectionUrl: - description: A URL containing connection information. See - the Vault docs for an example. Connection string to use - to connect to the database. + description: |- + A URL containing connection information. See + the Vault + docs + for an example. + Connection string to use to connect to the database. type: string maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. 
+ description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number passwordSecretRef: - description: The password to authenticate with. The root - credential password used in the connection URL + description: |- + The password to authenticate with. + The root credential password used in the connection URL properties: key: description: The key to select. 
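Review bot: The `influxdb` item schema in this hunk loses its `required:` / `- passwordSecretRef` entry, so admission no longer rejects an InfluxDB connection block that names no password secret. Later hunks drop the same constraint for `privateKeySecretRef` under `mongodbatlas` and for `passwordSecretRef` under `redis`. No replacement validation is visible next to any of the three, so a missing credential reference would presumably surface only at reconcile time as a provider or Vault error rather than as a rejected manifest. If the relaxation is not intended, I would keep `required:` with `- passwordSecretRef` on these items; this file looks generated, so the change likely belongs in the generator input rather than here. If it is intended, extend the field description with something like `Must be set unless the credential is supplied by another supported mechanism.` The `influxdb` block itself opens in the preceding hunk.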
@@ -534,25 +645,27 @@ spec: - namespace type: object username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string type: object type: array mongodbatlas: - description: A nested block containing configuration options for - MongoDB Atlas connections. Connection parameters for the mongodbatlas-database-plugin - plugin. + description: |- + A nested block containing configuration options for MongoDB Atlas connections. + Connection parameters for the mongodbatlas-database-plugin plugin. items: properties: privateKeySecretRef: - description: The Private Programmatic API Key used to connect - with MongoDB Atlas API. The Private Programmatic API Key - used to connect with MongoDB Atlas API. + description: |- + The Private Programmatic API Key used to connect with MongoDB Atlas API. + The Private Programmatic API Key used to connect with MongoDB Atlas API. properties: key: description: The key to select. 
@@ -569,57 +682,66 @@ spec: - namespace type: object projectId: - description: The Project ID the Database User should be - created within. The Project ID the Database User should - be created within. + description: |- + The Project ID the Database User should be created within. + The Project ID the Database User should be created within. type: string publicKey: - description: The Public Programmatic API Key used to authenticate - with the MongoDB Atlas API. The Public Programmatic API - Key used to authenticate with the MongoDB Atlas API. + description: |- + The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. + The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. type: string - required: - - privateKeySecretRef type: object type: array mssql: - description: A nested block containing configuration options for - MSSQL connections. Connection parameters for the mssql-database-plugin - plugin. + description: |- + A nested block containing configuration options for MSSQL connections. + Connection parameters for the mssql-database-plugin plugin. items: properties: connectionUrl: - description: A URL containing connection information. See - the Vault docs for an example. Connection string to use - to connect to the database. + description: |- + A URL containing connection information. See + the Vault + docs + for an example. + Connection string to use to connect to the database. type: string containedDb: - description: For Vault v1.9+. Set to true when the target - is a Contained Database, e.g. AzureSQL. See the Vault - docs Set to true when the target is a Contained Database, - e.g. AzureSQL. + description: |- + For Vault v1.9+. Set to true when the target is a + Contained Database, e.g. AzureSQL. + See the Vault + docs + Set to true when the target is a Contained Database, e.g. AzureSQL. type: boolean disableEscaping: - description: Disable special character escaping in username - and password. 
Disable special character escaping in username - and password + description: |- + Disable special character escaping in username and password. + Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number passwordSecretRef: - description: The password to authenticate with. The root - credential password used in the connection URL + description: |- + The password to authenticate with. + The root credential password used in the connection URL properties: key: description: The key to select. 
@@ -636,47 +758,58 @@ spec: - namespace type: object username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string type: object type: array mysql: - description: A nested block containing configuration options for - MySQL connections. Connection parameters for the mysql-database-plugin - plugin. + description: |- + A nested block containing configuration options for MySQL connections. + Connection parameters for the mysql-database-plugin plugin. items: properties: authType: - description: Enable IAM authentication to a Google Cloud - instance when set to gcp_iam Specify alternative authorization - type. (Only 'gcp_iam' is valid currently) + description: |- + Enable IAM authentication to a Google Cloud instance when set to gcp_iam + Specify alternative authorization type. (Only 'gcp_iam' is valid currently) type: string connectionUrl: - description: A URL containing connection information. See - the Vault docs for an example. Connection string to use - to connect to the database. + description: |- + A URL containing connection information. See + the Vault + docs + for an example. + Connection string to use to connect to the database. type: string maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. 
+ description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number passwordSecretRef: - description: The password to authenticate with. The root - credential password used in the connection URL + description: |- + The password to authenticate with. + The root credential password used in the connection URL properties: key: description: The key to select. @@ -693,9 +826,9 @@ spec: - namespace type: object serviceAccountJsonSecretRef: - description: JSON encoding of an IAM access key. Requires - auth_type to be gcp_iam. A JSON encoded credential for - use with IAM authorization + description: |- + JSON encoding of an IAM access key. Requires auth_type to be gcp_iam. + A JSON encoded credential for use with IAM authorization properties: key: description: The key to select. 
@@ -712,17 +845,14 @@ spec: - namespace type: object tlsCa: - description: x509 CA file for validating the certificate - presented by the MySQL server. Must be PEM encoded. x509 - CA file for validating the certificate presented by the - MySQL server. Must be PEM encoded. + description: |- + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. type: string tlsCertificateKeySecretRef: - description: x509 certificate for connecting to the database. - This must be a PEM encoded version of the private key - and the certificate combined. x509 certificate for connecting - to the database. This must be a PEM encoded version of - the private key and the certificate combined. + description: |- + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. properties: key: description: The key to select. 
@@ -739,47 +869,58 @@ spec: - namespace type: object username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string type: object type: array mysqlAurora: - description: A nested block containing configuration options for - Aurora MySQL connections. Connection parameters for the mysql-aurora-database-plugin - plugin. + description: |- + A nested block containing configuration options for Aurora MySQL connections. + Connection parameters for the mysql-aurora-database-plugin plugin. items: properties: authType: - description: Enable IAM authentication to a Google Cloud - instance when set to gcp_iam Specify alternative authorization - type. (Only 'gcp_iam' is valid currently) + description: |- + Enable IAM authentication to a Google Cloud instance when set to gcp_iam + Specify alternative authorization type. (Only 'gcp_iam' is valid currently) type: string connectionUrl: - description: A URL containing connection information. See - the Vault docs for an example. Connection string to use - to connect to the database. + description: |- + A URL containing connection information. See + the Vault + docs + for an example. + Connection string to use to connect to the database. type: string maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. 
type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number passwordSecretRef: - description: The password to authenticate with. The root - credential password used in the connection URL + description: |- + The password to authenticate with. + The root credential password used in the connection URL properties: key: description: The key to select. @@ -796,9 +937,9 @@ spec: - namespace type: object serviceAccountJsonSecretRef: - description: JSON encoding of an IAM access key. Requires - auth_type to be gcp_iam. A JSON encoded credential for - use with IAM authorization + description: |- + JSON encoding of an IAM access key. Requires auth_type to be gcp_iam. + A JSON encoded credential for use with IAM authorization properties: key: description: The key to select. 
@@ -815,17 +956,14 @@ spec: - namespace type: object tlsCa: - description: x509 CA file for validating the certificate - presented by the MySQL server. Must be PEM encoded. x509 - CA file for validating the certificate presented by the - MySQL server. Must be PEM encoded. + description: |- + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. type: string tlsCertificateKeySecretRef: - description: x509 certificate for connecting to the database. - This must be a PEM encoded version of the private key - and the certificate combined. x509 certificate for connecting - to the database. This must be a PEM encoded version of - the private key and the certificate combined. + description: |- + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. properties: key: description: The key to select. 
@@ -842,47 +980,58 @@ spec: - namespace type: object username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string type: object type: array mysqlLegacy: - description: A nested block containing configuration options for - legacy MySQL connections. Connection parameters for the mysql-legacy-database-plugin - plugin. + description: |- + A nested block containing configuration options for legacy MySQL connections. + Connection parameters for the mysql-legacy-database-plugin plugin. items: properties: authType: - description: Enable IAM authentication to a Google Cloud - instance when set to gcp_iam Specify alternative authorization - type. (Only 'gcp_iam' is valid currently) + description: |- + Enable IAM authentication to a Google Cloud instance when set to gcp_iam + Specify alternative authorization type. (Only 'gcp_iam' is valid currently) type: string connectionUrl: - description: A URL containing connection information. See - the Vault docs for an example. Connection string to use - to connect to the database. + description: |- + A URL containing connection information. See + the Vault + docs + for an example. + Connection string to use to connect to the database. type: string maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. 
type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number passwordSecretRef: - description: The password to authenticate with. The root - credential password used in the connection URL + description: |- + The password to authenticate with. + The root credential password used in the connection URL properties: key: description: The key to select. @@ -899,9 +1048,9 @@ spec: - namespace type: object serviceAccountJsonSecretRef: - description: JSON encoding of an IAM access key. Requires - auth_type to be gcp_iam. A JSON encoded credential for - use with IAM authorization + description: |- + JSON encoding of an IAM access key. Requires auth_type to be gcp_iam. + A JSON encoded credential for use with IAM authorization properties: key: description: The key to select. 
@@ -918,17 +1067,14 @@ spec: - namespace type: object tlsCa: - description: x509 CA file for validating the certificate - presented by the MySQL server. Must be PEM encoded. x509 - CA file for validating the certificate presented by the - MySQL server. Must be PEM encoded. + description: |- + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. type: string tlsCertificateKeySecretRef: - description: x509 certificate for connecting to the database. - This must be a PEM encoded version of the private key - and the certificate combined. x509 certificate for connecting - to the database. This must be a PEM encoded version of - the private key and the certificate combined. + description: |- + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. properties: key: description: The key to select. 
@@ -945,47 +1091,58 @@ spec: - namespace type: object username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string type: object type: array mysqlRds: - description: A nested block containing configuration options for - RDS MySQL connections. Connection parameters for the mysql-rds-database-plugin - plugin. + description: |- + A nested block containing configuration options for RDS MySQL connections. + Connection parameters for the mysql-rds-database-plugin plugin. items: properties: authType: - description: Enable IAM authentication to a Google Cloud - instance when set to gcp_iam Specify alternative authorization - type. (Only 'gcp_iam' is valid currently) + description: |- + Enable IAM authentication to a Google Cloud instance when set to gcp_iam + Specify alternative authorization type. (Only 'gcp_iam' is valid currently) type: string connectionUrl: - description: A URL containing connection information. See - the Vault docs for an example. Connection string to use - to connect to the database. + description: |- + A URL containing connection information. See + the Vault + docs + for an example. + Connection string to use to connect to the database. type: string maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. 
type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number passwordSecretRef: - description: The password to authenticate with. The root - credential password used in the connection URL + description: |- + The password to authenticate with. + The root credential password used in the connection URL properties: key: description: The key to select. @@ -1002,9 +1159,9 @@ spec: - namespace type: object serviceAccountJsonSecretRef: - description: JSON encoding of an IAM access key. Requires - auth_type to be gcp_iam. A JSON encoded credential for - use with IAM authorization + description: |- + JSON encoding of an IAM access key. Requires auth_type to be gcp_iam. + A JSON encoded credential for use with IAM authorization properties: key: description: The key to select. 
@@ -1021,17 +1178,14 @@ spec: - namespace type: object tlsCa: - description: x509 CA file for validating the certificate - presented by the MySQL server. Must be PEM encoded. x509 - CA file for validating the certificate presented by the - MySQL server. Must be PEM encoded. + description: |- + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. type: string tlsCertificateKeySecretRef: - description: x509 certificate for connecting to the database. - This must be a PEM encoded version of the private key - and the certificate combined. x509 certificate for connecting - to the database. This must be a PEM encoded version of - the private key and the certificate combined. + description: |- + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. properties: key: description: The key to select. 
@@ -1048,58 +1202,71 @@ spec: - namespace type: object username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string type: object type: array name: - description: A unique name to give the database connection. Name - of the database connection. + description: |- + A unique name to give the database connection. + Name of the database connection. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string oracle: - description: A nested block containing configuration options for - Oracle connections. Connection parameters for the oracle-database-plugin - plugin. + description: |- + A nested block containing configuration options for Oracle connections. + Connection parameters for the oracle-database-plugin plugin. items: properties: connectionUrl: - description: A URL containing connection information. See - the Vault docs for an example. Connection string to use - to connect to the database. + description: |- + A URL containing connection information. See + the Vault + docs + for an example. 
+ Connection string to use to connect to the database. type: string disconnectSessions: - description: Enable the built-in session disconnect mechanism. - Set to true to disconnect any open sessions prior to running - the revocation statements. + description: |- + Enable the built-in session disconnect mechanism. + Set to true to disconnect any open sessions prior to running the revocation statements. type: boolean maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number passwordSecretRef: - description: The password to authenticate with. The root - credential password used in the connection URL + description: |- + The password to authenticate with. + The root credential password used in the connection URL properties: key: description: The key to select. 
@@ -1116,61 +1283,73 @@ spec: - namespace type: object splitStatements: - description: Enable spliting statements after semi-colons. + description: |- + Enable spliting statements after semi-colons. Set to true in order to split statements after semi-colons. type: boolean username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string type: object type: array pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must be prefixed - with the name of one of the supported database engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string postgresql: - description: A nested block containing configuration options for - PostgreSQL connections. Connection parameters for the postgresql-database-plugin - plugin. + description: |- + A nested block containing configuration options for PostgreSQL connections. + Connection parameters for the postgresql-database-plugin plugin. items: properties: authType: - description: Enable IAM authentication to a Google Cloud - instance when set to gcp_iam Specify alternative authorization - type. (Only 'gcp_iam' is valid currently) + description: |- + Enable IAM authentication to a Google Cloud instance when set to gcp_iam + Specify alternative authorization type. (Only 'gcp_iam' is valid currently) type: string connectionUrl: - description: A URL containing connection information. 
See - the Vault docs for an example. Connection string to use - to connect to the database. + description: |- + A URL containing connection information. See + the Vault + docs + for an example. + Connection string to use to connect to the database. type: string disableEscaping: - description: Disable special character escaping in username - and password. Disable special character escaping in username - and password + description: |- + Disable special character escaping in username and password. + Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number passwordSecretRef: - description: The password to authenticate with. The root - credential password used in the connection URL + description: |- + The password to authenticate with. + The root credential password used in the connection URL properties: key: description: The key to select. 
@@ -1187,9 +1366,9 @@ spec: - namespace type: object serviceAccountJsonSecretRef: - description: JSON encoding of an IAM access key. Requires - auth_type to be gcp_iam. A JSON encoded credential for - use with IAM authorization + description: |- + JSON encoding of an IAM access key. Requires auth_type to be gcp_iam. + A JSON encoded credential for use with IAM authorization properties: key: description: The key to select. 
@@ -1206,39 +1385,43 @@ spec: - namespace type: object username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string type: object type: array redis: - description: A nested block containing configuration options for - Redis connections. Connection parameters for the redis-database-plugin - plugin. + description: |- + A nested block containing configuration options for Redis connections. + Connection parameters for the redis-database-plugin plugin. items: properties: caCert: - description: The contents of a PEM-encoded CA cert file - to use to verify the Redis server's identity. The contents - of a PEM-encoded CA cert file to use to verify the Redis - server's identity. + description: |- + The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. + The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. type: string host: - description: The host to connect to. Specifies the host - to connect to + description: |- + The host to connect to. + Specifies the host to connect to type: string insecureTls: - description: Whether to skip verification of the server - certificate when using TLS. Specifies whether to skip - verification of the server certificate when using TLS. + description: |- + Whether to skip verification of the server + certificate when using TLS. + Specifies whether to skip verification of the server certificate when using TLS. type: boolean passwordSecretRef: - description: The password to authenticate with. Specifies - the password corresponding to the given username. 
+ description: |- + The password to authenticate with. + Specifies the password corresponding to the given username. properties: key: description: The key to select. @@ -1255,32 +1438,33 @@ spec: - namespace type: object port: - description: The default port to connect to if no port is - specified as part of the host. The transport port to use - to connect to Redis. + description: |- + The default port to connect to if no port is specified as + part of the host. + The transport port to use to connect to Redis. type: number tls: - description: Whether to use TLS when connecting to Cassandra. + description: |- + Whether to use TLS when connecting to Cassandra. Specifies whether to use TLS when connecting to Redis. type: boolean username: - description: The username to authenticate with. Specifies - the username for Vault to use. + description: |- + The username to authenticate with. + Specifies the username for Vault to use. type: string - required: - - passwordSecretRef type: object type: array redisElasticache: - description: A nested block containing configuration options for - Redis ElastiCache connections. Connection parameters for the - redis-elasticache-database-plugin plugin. + description: |- + A nested block containing configuration options for Redis ElastiCache connections. + Connection parameters for the redis-elasticache-database-plugin plugin. items: properties: passwordSecretRef: - description: The password to authenticate with. The AWS - secret key id to use to talk to ElastiCache. If omitted - the credentials chain provider is used instead. + description: |- + The password to authenticate with. + The AWS secret key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead. properties: key: description: The key to select. 
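Review bot: The `required:` / `- passwordSecretRef` pair is removed from the `redis` item schema in the `@@ -1255,32 +1438,33 @@` hunk, and nothing in the visible lines replaces it, so as far as this hunk shows a Redis connection with no password reference would now pass schema validation. If the password is still mandatory, keep a constraint on it, either the original `required:` list or an `x-kubernetes-validations` rule on the enclosing object; if it is now intentionally optional, the `passwordSecretRef` description should say what happens when it is omitted. The reflowed descriptions suggest this schema is generated, in which case the constraint belongs in the generator configuration rather than in this YAML. The `redis` object starts in the previous hunk, so any rule defined higher up is not visible here.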
@@ -1297,22 +1481,19 @@ spec: - namespace type: object region: - description: The region where the ElastiCache cluster is - hosted. If omitted Vault tries to infer from the environment - instead. The AWS region where the ElastiCache cluster - is hosted. If omitted the plugin tries to infer the region - from the environment. + description: |- + The region where the ElastiCache cluster is hosted. If omitted Vault tries to infer from the environment instead. + The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment. type: string url: - description: The url to connect to including the port; e.g. - master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. - The configuration endpoint for the ElastiCache cluster - to connect to. + description: |- + The url to connect to including the port; e.g. master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. + The configuration endpoint for the ElastiCache cluster to connect to. type: string usernameSecretRef: - description: The username to authenticate with. The AWS - access key id to use to talk to ElastiCache. If omitted - the credentials chain provider is used instead. + description: |- + The username to authenticate with. + The AWS access key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead. properties: key: description: The key to select. 
@@ -1336,31 +1517,40 @@ spec: items: properties: connectionUrl: - description: A URL containing connection information. See - the Vault docs for an example. Connection string to use - to connect to the database. + description: |- + A URL containing connection information. See + the Vault + docs + for an example. + Connection string to use to connect to the database. type: string disableEscaping: - description: Disable special character escaping in username - and password. Disable special character escaping in username - and password + description: |- + Disable special character escaping in username and password. + Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number passwordSecretRef: - description: The password to authenticate with. The root - credential password used in the connection URL + description: |- + The password to authenticate with. + The root credential password used in the connection URL properties: key: description: The key to select. 
@@ -1377,49 +1567,60 @@ spec: - namespace type: object username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string type: object type: array rootRotationStatements: - description: A list of database statements to be executed to rotate - the root user's credentials. A list of database statements to - be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array snowflake: - description: A nested block containing configuration options for - Snowflake connections. Connection parameters for the snowflake-database-plugin - plugin. + description: |- + A nested block containing configuration options for Snowflake connections. + Connection parameters for the snowflake-database-plugin plugin. items: properties: connectionUrl: - description: A URL containing connection information. See - the Vault docs for an example. Connection string to use - to connect to the database. + description: |- + A URL containing connection information. See + the Vault + docs + for an example. + Connection string to use to connect to the database. type: string maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. 
type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number passwordSecretRef: - description: The password to authenticate with. The root - credential password used in the connection URL + description: |- + The password to authenticate with. + The root credential password used in the connection URL properties: key: description: The key to select. 
@@ -1436,695 +1637,1482 @@ spec: - namespace type: object username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string type: object type: array verifyConnection: - description: Whether the connection should be verified on initial - configuration or not. Specifies if the connection is verified - during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. 
The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: allowedRoles: - description: A list of roles that are allowed to use this connection. + description: |- + A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string type: array backend: - description: The unique name of the Vault mount to configure. + description: |- + The unique name of the Vault mount to configure. Unique name of the Vault mount to configure. type: string + backendRef: + description: Reference to a Mount in vault to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Mount in vault to populate backend. 
+ properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object cassandra: - description: A nested block containing configuration options for - Cassandra connections. Connection parameters for the cassandra-database-plugin - plugin. + description: |- + A nested block containing configuration options for Cassandra connections. + Connection parameters for the cassandra-database-plugin plugin. items: properties: connectTimeout: - description: The number of seconds to use as a connection - timeout. The number of seconds to use as a connection + description: |- + The number of seconds to use as a connection timeout. + The number of seconds to use as a connection timeout. type: number hosts: - description: The hosts to connect to. Cassandra hosts to - connect to. + description: |- + The hosts to connect to. + Cassandra hosts to connect to. 
items: type: string type: array insecureTls: - description: Whether to skip verification of the server - certificate when using TLS. Whether to skip verification - of the server certificate when using TLS. + description: |- + Whether to skip verification of the server + certificate when using TLS. + Whether to skip verification of the server certificate when using TLS. type: boolean + passwordSecretRef: + description: |- + The password to authenticate with. + The password to use when authenticating with Cassandra. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + pemBundleSecretRef: + description: |- + Concatenated PEM blocks configuring the certificate + chain. + Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + pemJsonSecretRef: + description: |- + A JSON structure configuring the certificate chain. + Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object port: - description: The default port to connect to if no port is - specified as part of the host. The transport port to use - to connect to Cassandra. 
+ description: |- + The default port to connect to if no port is specified as + part of the host. + The transport port to use to connect to Cassandra. type: number protocolVersion: - description: The CQL protocol version to use. The CQL protocol - version to use. + description: |- + The CQL protocol version to use. + The CQL protocol version to use. type: number tls: - description: Whether to use TLS when connecting to Cassandra. + description: |- + Whether to use TLS when connecting to Cassandra. Whether to use TLS when connecting to Cassandra. type: boolean username: - description: The username to authenticate with. The username - to use when authenticating with Cassandra. + description: |- + The username to authenticate with. + The username to use when authenticating with Cassandra. type: string type: object type: array couchbase: - description: A nested block containing configuration options for - Couchbase connections. Connection parameters for the couchbase-database-plugin - plugin. + description: |- + A nested block containing configuration options for Couchbase connections. + Connection parameters for the couchbase-database-plugin plugin. items: properties: + base64PemSecretRef: + description: |- + Required if tls is true. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded. + Required if `tls` is `true`. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object bucketName: - description: Required for Couchbase versions prior to 6.5.0. - This is only used to verify vault's connection to the - server. Required for Couchbase versions prior to 6.5.0. 
- This is only used to verify vault's connection to the - server. + description: |- + Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. + Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. type: string hosts: - description: The hosts to connect to. A set of Couchbase - URIs to connect to. Must use `couchbases://` scheme if - `tls` is `true`. + description: |- + The hosts to connect to. + A set of Couchbase URIs to connect to. Must use `couchbases://` scheme if `tls` is `true`. items: type: string type: array insecureTls: - description: Whether to skip verification of the server - certificate when using TLS. Specifies whether to skip - verification of the server certificate when using TLS. + description: |- + Whether to skip verification of the server + certificate when using TLS. + Specifies whether to skip verification of the server certificate when using TLS. type: boolean + passwordSecretRef: + description: |- + The password to authenticate with. + Specifies the password corresponding to the given username. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object tls: - description: Whether to use TLS when connecting to Cassandra. + description: |- + Whether to use TLS when connecting to Cassandra. Specifies whether to use TLS when connecting to Couchbase. type: boolean username: - description: The username to authenticate with. Specifies - the username for Vault to use. + description: |- + The username to authenticate with. + Specifies the username for Vault to use. type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Template describing how dynamic usernames are - generated. 
+ description: |- + Template describing how dynamic usernames are generated. + Template describing how dynamic usernames are generated. type: string + required: + - passwordSecretRef type: object type: array data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular elasticsearch: - description: A nested block containing configuration options for - Elasticsearch connections. Connection parameters for the elasticsearch-database-plugin. + description: |- + A nested block containing configuration options for Elasticsearch connections. + Connection parameters for the elasticsearch-database-plugin. items: properties: caCert: - description: The contents of a PEM-encoded CA cert file - to use to verify the Redis server's identity. The path - to a PEM-encoded CA cert file to use to verify the Elasticsearch - server's identity + description: |- + The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. + The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity type: string caPath: - description: The path to a directory of PEM-encoded CA cert - files to use to verify the Elasticsearch server's identity. - The path to a directory of PEM-encoded CA cert files to - use to verify the Elasticsearch server's identity + description: |- + The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity. 
+ The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity type: string clientCert: - description: The path to the certificate for the Elasticsearch - client to present for communication. The path to the certificate - for the Elasticsearch client to present for communication + description: |- + The path to the certificate for the Elasticsearch client to present for communication. + The path to the certificate for the Elasticsearch client to present for communication type: string clientKey: - description: The path to the key for the Elasticsearch client - to use for communication. The path to the key for the - Elasticsearch client to use for communication + description: |- + The path to the key for the Elasticsearch client to use for communication. + The path to the key for the Elasticsearch client to use for communication type: string insecure: - description: Whether to disable certificate verification. + description: |- + Whether to disable certificate verification. Whether to disable certificate verification type: boolean + passwordSecretRef: + description: |- + The password to authenticate with. + The password to be used in the connection URL + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object tlsServerName: - description: This, if set, is used to set the SNI host when - connecting via TLS. This, if set, is used to set the SNI - host when connecting via TLS + description: |- + This, if set, is used to set the SNI host when connecting via TLS. + This, if set, is used to set the SNI host when connecting via TLS type: string url: - description: The url to connect to including the port; e.g. - master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. + description: |- + The url to connect to including the port; e.g. 
master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. The URL for Elasticsearch's API type: string username: - description: The username to authenticate with. The username - to be used in the connection URL + description: |- + The username to authenticate with. + The username to be used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Template describing how dynamic usernames are - generated. + description: |- + Template describing how dynamic usernames are generated. + Template describing how dynamic usernames are generated. type: string + required: + - passwordSecretRef type: object type: array hana: - description: A nested block containing configuration options for - SAP HanaDB connections. Connection parameters for the hana-database-plugin - plugin. + description: |- + A nested block containing configuration options for SAP HanaDB connections. + Connection parameters for the hana-database-plugin plugin. items: properties: connectionUrl: - description: A URL containing connection information. See - the Vault docs for an example. Connection string to use - to connect to the database. + description: |- + A URL containing connection information. See + the Vault + docs + for an example. + Connection string to use to connect to the database. type: string disableEscaping: - description: Disable special character escaping in username - and password. Disable special character escaping in username - and password + description: |- + Disable special character escaping in username and password. + Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. 
type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number + passwordSecretRef: + description: |- + The password to authenticate with. + The root credential password used in the connection URL + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string type: object type: array influxdb: - description: A nested block containing configuration options for - InfluxDB connections. Connection parameters for the influxdb-database-plugin - plugin. + description: |- + A nested block containing configuration options for InfluxDB connections. + Connection parameters for the influxdb-database-plugin plugin. items: properties: connectTimeout: - description: The number of seconds to use as a connection - timeout. The number of seconds to use as a connection + description: |- + The number of seconds to use as a connection timeout. + The number of seconds to use as a connection timeout. type: number host: - description: The host to connect to. Influxdb host to connect - to. + description: |- + The host to connect to. + Influxdb host to connect to. type: string insecureTls: - description: Whether to skip verification of the server - certificate when using TLS. 
Whether to skip verification - of the server certificate when using TLS. - type: boolean - port: - description: The default port to connect to if no port is - specified as part of the host. The transport port to use - to connect to Influxdb. - type: number - tls: - description: Whether to use TLS when connecting to Cassandra. - Whether to use TLS when connecting to Influxdb. + description: |- + Whether to skip verification of the server + certificate when using TLS. + Whether to skip verification of the server certificate when using TLS. type: boolean - username: - description: The username to authenticate with. Specifies - the username to use for superuser access. - type: string - usernameTemplate: - description: Template describing how dynamic usernames are - generated. Template describing how dynamic usernames are - generated. - type: string - type: object - type: array - mongodb: - description: A nested block containing configuration options for - MongoDB connections. Connection parameters for the mongodb-database-plugin - plugin. - items: - properties: - connectionUrl: - description: A URL containing connection information. See - the Vault docs for an example. Connection string to use - to connect to the database. - type: string + passwordSecretRef: + description: |- + The password to authenticate with. + Specifies the password corresponding to the given username. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + pemBundleSecretRef: + description: |- + Concatenated PEM blocks configuring the certificate + chain. + Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. + properties: + key: + description: The key to select. 
+ type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + pemJsonSecretRef: + description: |- + A JSON structure configuring the certificate chain. + Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + port: + description: |- + The default port to connect to if no port is specified as + part of the host. + The transport port to use to connect to Influxdb. + type: number + tls: + description: |- + Whether to use TLS when connecting to Cassandra. + Whether to use TLS when connecting to Influxdb. + type: boolean + username: + description: |- + The username to authenticate with. + Specifies the username to use for superuser access. + type: string + usernameTemplate: + description: |- + Template describing how dynamic usernames are generated. + Template describing how dynamic usernames are generated. + type: string + required: + - passwordSecretRef + type: object + type: array + mongodb: + description: |- + A nested block containing configuration options for MongoDB connections. + Connection parameters for the mongodb-database-plugin plugin. + items: + properties: + connectionUrl: + description: |- + A URL containing connection information. See + the Vault + docs + for an example. + Connection string to use to connect to the database. + type: string maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. 
+ Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number + passwordSecretRef: + description: |- + The password to authenticate with. + The root credential password used in the connection URL + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string type: object type: array mongodbatlas: - description: A nested block containing configuration options for - MongoDB Atlas connections. Connection parameters for the mongodbatlas-database-plugin - plugin. + description: |- + A nested block containing configuration options for MongoDB Atlas connections. + Connection parameters for the mongodbatlas-database-plugin plugin. items: properties: + privateKeySecretRef: + description: |- + The Private Programmatic API Key used to connect with MongoDB Atlas API. + The Private Programmatic API Key used to connect with MongoDB Atlas API. 
+ properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object projectId: - description: The Project ID the Database User should be - created within. The Project ID the Database User should - be created within. + description: |- + The Project ID the Database User should be created within. + The Project ID the Database User should be created within. type: string publicKey: - description: The Public Programmatic API Key used to authenticate - with the MongoDB Atlas API. The Public Programmatic API - Key used to authenticate with the MongoDB Atlas API. + description: |- + The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. + The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. type: string + required: + - privateKeySecretRef type: object type: array mssql: - description: A nested block containing configuration options for - MSSQL connections. Connection parameters for the mssql-database-plugin - plugin. + description: |- + A nested block containing configuration options for MSSQL connections. + Connection parameters for the mssql-database-plugin plugin. items: properties: connectionUrl: - description: A URL containing connection information. See - the Vault docs for an example. Connection string to use - to connect to the database. + description: |- + A URL containing connection information. See + the Vault + docs + for an example. + Connection string to use to connect to the database. type: string containedDb: - description: For Vault v1.9+. Set to true when the target - is a Contained Database, e.g. AzureSQL. See the Vault - docs Set to true when the target is a Contained Database, - e.g. AzureSQL. + description: |- + For Vault v1.9+. Set to true when the target is a + Contained Database, e.g. AzureSQL. 
+ See the Vault + docs + Set to true when the target is a Contained Database, e.g. AzureSQL. type: boolean disableEscaping: - description: Disable special character escaping in username - and password. Disable special character escaping in username - and password + description: |- + Disable special character escaping in username and password. + Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number + passwordSecretRef: + description: |- + The password to authenticate with. + The root credential password used in the connection URL + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. 
+ description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string type: object type: array mysql: - description: A nested block containing configuration options for - MySQL connections. Connection parameters for the mysql-database-plugin - plugin. + description: |- + A nested block containing configuration options for MySQL connections. + Connection parameters for the mysql-database-plugin plugin. items: properties: authType: - description: Enable IAM authentication to a Google Cloud - instance when set to gcp_iam Specify alternative authorization - type. (Only 'gcp_iam' is valid currently) + description: |- + Enable IAM authentication to a Google Cloud instance when set to gcp_iam + Specify alternative authorization type. (Only 'gcp_iam' is valid currently) type: string connectionUrl: - description: A URL containing connection information. See - the Vault docs for an example. Connection string to use - to connect to the database. + description: |- + A URL containing connection information. See + the Vault + docs + for an example. + Connection string to use to connect to the database. type: string maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number + passwordSecretRef: + description: |- + The password to authenticate with. 
+ The root credential password used in the connection URL + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + serviceAccountJsonSecretRef: + description: |- + JSON encoding of an IAM access key. Requires auth_type to be gcp_iam. + A JSON encoded credential for use with IAM authorization + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object tlsCa: - description: x509 CA file for validating the certificate - presented by the MySQL server. Must be PEM encoded. x509 - CA file for validating the certificate presented by the - MySQL server. Must be PEM encoded. + description: |- + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. type: string + tlsCertificateKeySecretRef: + description: |- + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. 
+ The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string type: object type: array mysqlAurora: - description: A nested block containing configuration options for - Aurora MySQL connections. Connection parameters for the mysql-aurora-database-plugin - plugin. + description: |- + A nested block containing configuration options for Aurora MySQL connections. + Connection parameters for the mysql-aurora-database-plugin plugin. items: properties: authType: - description: Enable IAM authentication to a Google Cloud - instance when set to gcp_iam Specify alternative authorization - type. (Only 'gcp_iam' is valid currently) + description: |- + Enable IAM authentication to a Google Cloud instance when set to gcp_iam + Specify alternative authorization type. (Only 'gcp_iam' is valid currently) type: string connectionUrl: - description: A URL containing connection information. See - the Vault docs for an example. Connection string to use - to connect to the database. + description: |- + A URL containing connection information. See + the Vault + docs + for an example. + Connection string to use to connect to the database. type: string maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. 
type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number + passwordSecretRef: + description: |- + The password to authenticate with. + The root credential password used in the connection URL + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + serviceAccountJsonSecretRef: + description: |- + JSON encoding of an IAM access key. Requires auth_type to be gcp_iam. + A JSON encoded credential for use with IAM authorization + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object tlsCa: - description: x509 CA file for validating the certificate - presented by the MySQL server. Must be PEM encoded. x509 - CA file for validating the certificate presented by the - MySQL server. Must be PEM encoded. + description: |- + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. type: string + tlsCertificateKeySecretRef: + description: |- + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. 
+ type: string + required: + - key + - name + - namespace + type: object username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string type: object type: array mysqlLegacy: - description: A nested block containing configuration options for - legacy MySQL connections. Connection parameters for the mysql-legacy-database-plugin - plugin. + description: |- + A nested block containing configuration options for legacy MySQL connections. + Connection parameters for the mysql-legacy-database-plugin plugin. items: properties: authType: - description: Enable IAM authentication to a Google Cloud - instance when set to gcp_iam Specify alternative authorization - type. (Only 'gcp_iam' is valid currently) + description: |- + Enable IAM authentication to a Google Cloud instance when set to gcp_iam + Specify alternative authorization type. (Only 'gcp_iam' is valid currently) type: string connectionUrl: - description: A URL containing connection information. See - the Vault docs for an example. Connection string to use - to connect to the database. + description: |- + A URL containing connection information. See + the Vault + docs + for an example. + Connection string to use to connect to the database. type: string maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. 
type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number + passwordSecretRef: + description: |- + The password to authenticate with. + The root credential password used in the connection URL + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + serviceAccountJsonSecretRef: + description: |- + JSON encoding of an IAM access key. Requires auth_type to be gcp_iam. + A JSON encoded credential for use with IAM authorization + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object tlsCa: - description: x509 CA file for validating the certificate - presented by the MySQL server. Must be PEM encoded. x509 - CA file for validating the certificate presented by the - MySQL server. Must be PEM encoded. + description: |- + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. type: string + tlsCertificateKeySecretRef: + description: |- + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string type: object type: array mysqlRds: - description: A nested block containing configuration options for - RDS MySQL connections. Connection parameters for the mysql-rds-database-plugin - plugin. + description: |- + A nested block containing configuration options for RDS MySQL connections. + Connection parameters for the mysql-rds-database-plugin plugin. items: properties: authType: - description: Enable IAM authentication to a Google Cloud - instance when set to gcp_iam Specify alternative authorization - type. (Only 'gcp_iam' is valid currently) + description: |- + Enable IAM authentication to a Google Cloud instance when set to gcp_iam + Specify alternative authorization type. (Only 'gcp_iam' is valid currently) type: string connectionUrl: - description: A URL containing connection information. See - the Vault docs for an example. Connection string to use - to connect to the database. + description: |- + A URL containing connection information. See + the Vault + docs + for an example. + Connection string to use to connect to the database. type: string maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. 
Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number + passwordSecretRef: + description: |- + The password to authenticate with. + The root credential password used in the connection URL + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + serviceAccountJsonSecretRef: + description: |- + JSON encoding of an IAM access key. Requires auth_type to be gcp_iam. + A JSON encoded credential for use with IAM authorization + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object tlsCa: - description: x509 CA file for validating the certificate - presented by the MySQL server. Must be PEM encoded. x509 - CA file for validating the certificate presented by the - MySQL server. Must be PEM encoded. + description: |- + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. 
type: string + tlsCertificateKeySecretRef: + description: |- + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string type: object type: array name: - description: A unique name to give the database connection. Name - of the database connection. + description: |- + A unique name to give the database connection. + Name of the database connection. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. 
(requires Enterprise) type: string oracle: - description: A nested block containing configuration options for - Oracle connections. Connection parameters for the oracle-database-plugin - plugin. + description: |- + A nested block containing configuration options for Oracle connections. + Connection parameters for the oracle-database-plugin plugin. items: properties: connectionUrl: - description: A URL containing connection information. See - the Vault docs for an example. Connection string to use - to connect to the database. + description: |- + A URL containing connection information. See + the Vault + docs + for an example. + Connection string to use to connect to the database. type: string disconnectSessions: - description: Enable the built-in session disconnect mechanism. - Set to true to disconnect any open sessions prior to running - the revocation statements. + description: |- + Enable the built-in session disconnect mechanism. + Set to true to disconnect any open sessions prior to running the revocation statements. type: boolean maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number + passwordSecretRef: + description: |- + The password to authenticate with. + The root credential password used in the connection URL + properties: + key: + description: The key to select. 
+ type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object splitStatements: - description: Enable spliting statements after semi-colons. + description: |- + Enable spliting statements after semi-colons. Set to true in order to split statements after semi-colons. type: boolean username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string type: object type: array pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must be prefixed - with the name of one of the supported database engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string postgresql: - description: A nested block containing configuration options for - PostgreSQL connections. Connection parameters for the postgresql-database-plugin - plugin. + description: |- + A nested block containing configuration options for PostgreSQL connections. + Connection parameters for the postgresql-database-plugin plugin. items: properties: authType: - description: Enable IAM authentication to a Google Cloud - instance when set to gcp_iam Specify alternative authorization - type. 
(Only 'gcp_iam' is valid currently) + description: |- + Enable IAM authentication to a Google Cloud instance when set to gcp_iam + Specify alternative authorization type. (Only 'gcp_iam' is valid currently) type: string connectionUrl: - description: A URL containing connection information. See - the Vault docs for an example. Connection string to use - to connect to the database. + description: |- + A URL containing connection information. See + the Vault + docs + for an example. + Connection string to use to connect to the database. type: string disableEscaping: - description: Disable special character escaping in username - and password. Disable special character escaping in username - and password + description: |- + Disable special character escaping in username and password. + Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number + passwordSecretRef: + description: |- + The password to authenticate with. + The root credential password used in the connection URL + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. 
+ type: string + required: + - key + - name + - namespace + type: object + serviceAccountJsonSecretRef: + description: |- + JSON encoding of an IAM access key. Requires auth_type to be gcp_iam. + A JSON encoded credential for use with IAM authorization + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string type: object type: array redis: - description: A nested block containing configuration options for - Redis connections. Connection parameters for the redis-database-plugin - plugin. + description: |- + A nested block containing configuration options for Redis connections. + Connection parameters for the redis-database-plugin plugin. items: properties: caCert: - description: The contents of a PEM-encoded CA cert file - to use to verify the Redis server's identity. The contents - of a PEM-encoded CA cert file to use to verify the Redis - server's identity. + description: |- + The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. + The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. type: string host: - description: The host to connect to. Specifies the host - to connect to + description: |- + The host to connect to. 
+ Specifies the host to connect to type: string insecureTls: - description: Whether to skip verification of the server - certificate when using TLS. Specifies whether to skip - verification of the server certificate when using TLS. + description: |- + Whether to skip verification of the server + certificate when using TLS. + Specifies whether to skip verification of the server certificate when using TLS. type: boolean + passwordSecretRef: + description: |- + The password to authenticate with. + Specifies the password corresponding to the given username. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object port: - description: The default port to connect to if no port is - specified as part of the host. The transport port to use - to connect to Redis. + description: |- + The default port to connect to if no port is specified as + part of the host. + The transport port to use to connect to Redis. type: number tls: - description: Whether to use TLS when connecting to Cassandra. + description: |- + Whether to use TLS when connecting to Cassandra. Specifies whether to use TLS when connecting to Redis. type: boolean username: - description: The username to authenticate with. Specifies - the username for Vault to use. + description: |- + The username to authenticate with. + Specifies the username for Vault to use. type: string + required: + - passwordSecretRef type: object type: array redisElasticache: - description: A nested block containing configuration options for - Redis ElastiCache connections. Connection parameters for the - redis-elasticache-database-plugin plugin. + description: |- + A nested block containing configuration options for Redis ElastiCache connections. + Connection parameters for the redis-elasticache-database-plugin plugin. 
items: properties: + passwordSecretRef: + description: |- + The password to authenticate with. + The AWS secret key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object region: - description: The region where the ElastiCache cluster is - hosted. If omitted Vault tries to infer from the environment - instead. The AWS region where the ElastiCache cluster - is hosted. If omitted the plugin tries to infer the region - from the environment. + description: |- + The region where the ElastiCache cluster is hosted. If omitted Vault tries to infer from the environment instead. + The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment. type: string url: - description: The url to connect to including the port; e.g. - master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. - The configuration endpoint for the ElastiCache cluster - to connect to. + description: |- + The url to connect to including the port; e.g. master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. + The configuration endpoint for the ElastiCache cluster to connect to. type: string + usernameSecretRef: + description: |- + The username to authenticate with. + The AWS access key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object type: object type: array redshift: 
@@ -2133,102 +3121,162 @@ spec: items: properties: connectionUrl: - description: A URL containing connection information. See - the Vault docs for an example. Connection string to use - to connect to the database. + description: |- + A URL containing connection information. See + the Vault + docs + for an example. + Connection string to use to connect to the database. type: string disableEscaping: - description: Disable special character escaping in username - and password. Disable special character escaping in username - and password + description: |- + Disable special character escaping in username and password. + Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number + passwordSecretRef: + description: |- + The password to authenticate with. + The root credential password used in the connection URL + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object username: - description: The username to authenticate with. 
The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string type: object type: array rootRotationStatements: - description: A list of database statements to be executed to rotate - the root user's credentials. A list of database statements to - be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array snowflake: - description: A nested block containing configuration options for - Snowflake connections. Connection parameters for the snowflake-database-plugin - plugin. + description: |- + A nested block containing configuration options for Snowflake connections. + Connection parameters for the snowflake-database-plugin plugin. items: properties: connectionUrl: - description: A URL containing connection information. See - the Vault docs for an example. Connection string to use - to connect to the database. + description: |- + A URL containing connection information. See + the Vault + docs + for an example. + Connection string to use to connect to the database. type: string maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. 
+ description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number + passwordSecretRef: + description: |- + The password to authenticate with. + The root credential password used in the connection URL + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string type: object type: array verifyConnection: - description: Whether the connection should be verified on initial - configuration or not. Specifies if the connection is verified - during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. 
This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
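Review bot: In both `connectionUrl` blocks of this hunk (the second is under `snowflake`), the field stays a plain `type: string` while the password moves to the new `passwordSecretRef`, and the reworded description does not tell the user to keep credentials out of the URL. A connection string with a literal password would sit in the resource spec, readable by anyone allowed to get the object. I would add a description line such as `Use the {{username}} and {{password}} placeholders instead of literal credentials; supply the password through passwordSecretRef.` The split `See / the Vault / docs / for an example.` lines look like a stripped link and could be rejoined at the same time. These descriptions appear to be generated from the upstream provider docs, so the fix likely belongs in that source, not in this file.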
@@ -2241,9 +3289,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -2253,57 +3302,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -2313,17 +3326,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -2333,21 +3348,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -2362,21 +3377,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -2387,14 +3403,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. @@ -2410,14 +3427,10 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: backend is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) - || has(self.initProvider.backend)' - - message: name is a required parameter + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' + || (has(self.initProvider) && has(self.initProvider.name))' status: description: SecretBackendConnectionStatus defines the observed state of SecretBackendConnection. 
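Review bot: The `x-kubernetes-validations` list in the second hunk no longer has a rule for `backend`, so a SecretBackendConnection whose management policies include Create or Update is admitted without `forProvider.backend` or `initProvider.backend`. The omission would presumably surface only later, when the provider tries to reconcile. A reference or selector for the field would explain the removal, but none is visible in this hunk. If that is not the case, restore the rule in the guarded form the `name` rule now uses: `has(self.forProvider.backend) || (has(self.initProvider) && has(self.initProvider.backend))`. The schema looks generated, so the change would go into the generator's resource configuration, not this file.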
@@ -2425,667 +3438,776 @@ spec: atProvider: properties: allowedRoles: - description: A list of roles that are allowed to use this connection. + description: |- + A list of roles that are allowed to use this + connection. A list of roles that are allowed to use this connection. items: type: string type: array backend: - description: The unique name of the Vault mount to configure. + description: |- + The unique name of the Vault mount to configure. Unique name of the Vault mount to configure. type: string cassandra: - description: A nested block containing configuration options for - Cassandra connections. Connection parameters for the cassandra-database-plugin - plugin. + description: |- + A nested block containing configuration options for Cassandra connections. + Connection parameters for the cassandra-database-plugin plugin. items: properties: connectTimeout: - description: The number of seconds to use as a connection - timeout. The number of seconds to use as a connection + description: |- + The number of seconds to use as a connection timeout. + The number of seconds to use as a connection timeout. type: number hosts: - description: The hosts to connect to. Cassandra hosts to - connect to. + description: |- + The hosts to connect to. + Cassandra hosts to connect to. items: type: string type: array insecureTls: - description: Whether to skip verification of the server - certificate when using TLS. Whether to skip verification - of the server certificate when using TLS. + description: |- + Whether to skip verification of the server + certificate when using TLS. + Whether to skip verification of the server certificate when using TLS. type: boolean port: - description: The default port to connect to if no port is - specified as part of the host. The transport port to use - to connect to Cassandra. + description: |- + The default port to connect to if no port is specified as + part of the host. + The transport port to use to connect to Cassandra. 
type: number protocolVersion: - description: The CQL protocol version to use. The CQL protocol - version to use. + description: |- + The CQL protocol version to use. + The CQL protocol version to use. type: number tls: - description: Whether to use TLS when connecting to Cassandra. + description: |- + Whether to use TLS when connecting to Cassandra. Whether to use TLS when connecting to Cassandra. type: boolean username: - description: The username to authenticate with. The username - to use when authenticating with Cassandra. + description: |- + The username to authenticate with. + The username to use when authenticating with Cassandra. type: string type: object type: array couchbase: - description: A nested block containing configuration options for - Couchbase connections. Connection parameters for the couchbase-database-plugin - plugin. + description: |- + A nested block containing configuration options for Couchbase connections. + Connection parameters for the couchbase-database-plugin plugin. items: properties: bucketName: - description: Required for Couchbase versions prior to 6.5.0. - This is only used to verify vault's connection to the - server. Required for Couchbase versions prior to 6.5.0. - This is only used to verify vault's connection to the - server. + description: |- + Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. + Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. type: string hosts: - description: The hosts to connect to. A set of Couchbase - URIs to connect to. Must use `couchbases://` scheme if - `tls` is `true`. + description: |- + The hosts to connect to. + A set of Couchbase URIs to connect to. Must use `couchbases://` scheme if `tls` is `true`. items: type: string type: array insecureTls: - description: Whether to skip verification of the server - certificate when using TLS. 
Specifies whether to skip - verification of the server certificate when using TLS. + description: |- + Whether to skip verification of the server + certificate when using TLS. + Specifies whether to skip verification of the server certificate when using TLS. type: boolean tls: - description: Whether to use TLS when connecting to Cassandra. + description: |- + Whether to use TLS when connecting to Cassandra. Specifies whether to use TLS when connecting to Couchbase. type: boolean username: - description: The username to authenticate with. Specifies - the username for Vault to use. + description: |- + The username to authenticate with. + Specifies the username for Vault to use. type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Template describing how dynamic usernames are - generated. + description: |- + Template describing how dynamic usernames are generated. + Template describing how dynamic usernames are generated. type: string type: object type: array data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular elasticsearch: - description: A nested block containing configuration options for - Elasticsearch connections. Connection parameters for the elasticsearch-database-plugin. + description: |- + A nested block containing configuration options for Elasticsearch connections. + Connection parameters for the elasticsearch-database-plugin. items: properties: caCert: - description: The contents of a PEM-encoded CA cert file - to use to verify the Redis server's identity. 
The path - to a PEM-encoded CA cert file to use to verify the Elasticsearch - server's identity + description: |- + The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. + The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity type: string caPath: - description: The path to a directory of PEM-encoded CA cert - files to use to verify the Elasticsearch server's identity. - The path to a directory of PEM-encoded CA cert files to - use to verify the Elasticsearch server's identity + description: |- + The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity. + The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity type: string clientCert: - description: The path to the certificate for the Elasticsearch - client to present for communication. The path to the certificate - for the Elasticsearch client to present for communication + description: |- + The path to the certificate for the Elasticsearch client to present for communication. + The path to the certificate for the Elasticsearch client to present for communication type: string clientKey: - description: The path to the key for the Elasticsearch client - to use for communication. The path to the key for the - Elasticsearch client to use for communication + description: |- + The path to the key for the Elasticsearch client to use for communication. + The path to the key for the Elasticsearch client to use for communication type: string insecure: - description: Whether to disable certificate verification. + description: |- + Whether to disable certificate verification. Whether to disable certificate verification type: boolean tlsServerName: - description: This, if set, is used to set the SNI host when - connecting via TLS. 
This, if set, is used to set the SNI - host when connecting via TLS + description: |- + This, if set, is used to set the SNI host when connecting via TLS. + This, if set, is used to set the SNI host when connecting via TLS type: string url: - description: The url to connect to including the port; e.g. - master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. + description: |- + The url to connect to including the port; e.g. master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. The URL for Elasticsearch's API type: string username: - description: The username to authenticate with. The username - to be used in the connection URL + description: |- + The username to authenticate with. + The username to be used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Template describing how dynamic usernames are - generated. + description: |- + Template describing how dynamic usernames are generated. + Template describing how dynamic usernames are generated. type: string type: object type: array hana: - description: A nested block containing configuration options for - SAP HanaDB connections. Connection parameters for the hana-database-plugin - plugin. + description: |- + A nested block containing configuration options for SAP HanaDB connections. + Connection parameters for the hana-database-plugin plugin. items: properties: connectionUrl: - description: A URL containing connection information. See - the Vault docs for an example. Connection string to use - to connect to the database. + description: |- + A URL containing connection information. See + the Vault + docs + for an example. + Connection string to use to connect to the database. type: string disableEscaping: - description: Disable special character escaping in username - and password. Disable special character escaping in username - and password + description: |- + Disable special character escaping in username and password. 
+ Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string type: object type: array id: type: string influxdb: - description: A nested block containing configuration options for - InfluxDB connections. Connection parameters for the influxdb-database-plugin - plugin. + description: |- + A nested block containing configuration options for InfluxDB connections. + Connection parameters for the influxdb-database-plugin plugin. items: properties: connectTimeout: - description: The number of seconds to use as a connection - timeout. The number of seconds to use as a connection + description: |- + The number of seconds to use as a connection timeout. + The number of seconds to use as a connection timeout. type: number host: - description: The host to connect to. Influxdb host to connect - to. + description: |- + The host to connect to. + Influxdb host to connect to. type: string insecureTls: - description: Whether to skip verification of the server - certificate when using TLS. 
Whether to skip verification - of the server certificate when using TLS. + description: |- + Whether to skip verification of the server + certificate when using TLS. + Whether to skip verification of the server certificate when using TLS. type: boolean port: - description: The default port to connect to if no port is - specified as part of the host. The transport port to use - to connect to Influxdb. + description: |- + The default port to connect to if no port is specified as + part of the host. + The transport port to use to connect to Influxdb. type: number tls: - description: Whether to use TLS when connecting to Cassandra. + description: |- + Whether to use TLS when connecting to Cassandra. Whether to use TLS when connecting to Influxdb. type: boolean username: - description: The username to authenticate with. Specifies - the username to use for superuser access. + description: |- + The username to authenticate with. + Specifies the username to use for superuser access. type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Template describing how dynamic usernames are - generated. + description: |- + Template describing how dynamic usernames are generated. + Template describing how dynamic usernames are generated. type: string type: object type: array mongodb: - description: A nested block containing configuration options for - MongoDB connections. Connection parameters for the mongodb-database-plugin - plugin. + description: |- + A nested block containing configuration options for MongoDB connections. + Connection parameters for the mongodb-database-plugin plugin. items: properties: connectionUrl: - description: A URL containing connection information. See - the Vault docs for an example. Connection string to use - to connect to the database. + description: |- + A URL containing connection information. See + the Vault + docs + for an example. + Connection string to use to connect to the database. 
type: string maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string type: object type: array mongodbatlas: - description: A nested block containing configuration options for - MongoDB Atlas connections. Connection parameters for the mongodbatlas-database-plugin - plugin. + description: |- + A nested block containing configuration options for MongoDB Atlas connections. + Connection parameters for the mongodbatlas-database-plugin plugin. items: properties: projectId: - description: The Project ID the Database User should be - created within. The Project ID the Database User should - be created within. + description: |- + The Project ID the Database User should be created within. + The Project ID the Database User should be created within. 
type: string publicKey: - description: The Public Programmatic API Key used to authenticate - with the MongoDB Atlas API. The Public Programmatic API - Key used to authenticate with the MongoDB Atlas API. + description: |- + The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. + The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. type: string type: object type: array mssql: - description: A nested block containing configuration options for - MSSQL connections. Connection parameters for the mssql-database-plugin - plugin. + description: |- + A nested block containing configuration options for MSSQL connections. + Connection parameters for the mssql-database-plugin plugin. items: properties: connectionUrl: - description: A URL containing connection information. See - the Vault docs for an example. Connection string to use - to connect to the database. + description: |- + A URL containing connection information. See + the Vault + docs + for an example. + Connection string to use to connect to the database. type: string containedDb: - description: For Vault v1.9+. Set to true when the target - is a Contained Database, e.g. AzureSQL. See the Vault - docs Set to true when the target is a Contained Database, - e.g. AzureSQL. + description: |- + For Vault v1.9+. Set to true when the target is a + Contained Database, e.g. AzureSQL. + See the Vault + docs + Set to true when the target is a Contained Database, e.g. AzureSQL. type: boolean disableEscaping: - description: Disable special character escaping in username - and password. Disable special character escaping in username - and password + description: |- + Disable special character escaping in username and password. + Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. 
+ description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string type: object type: array mysql: - description: A nested block containing configuration options for - MySQL connections. Connection parameters for the mysql-database-plugin - plugin. + description: |- + A nested block containing configuration options for MySQL connections. + Connection parameters for the mysql-database-plugin plugin. items: properties: authType: - description: Enable IAM authentication to a Google Cloud - instance when set to gcp_iam Specify alternative authorization - type. (Only 'gcp_iam' is valid currently) + description: |- + Enable IAM authentication to a Google Cloud instance when set to gcp_iam + Specify alternative authorization type. (Only 'gcp_iam' is valid currently) type: string connectionUrl: - description: A URL containing connection information. See - the Vault docs for an example. Connection string to use - to connect to the database. 
+ description: |- + A URL containing connection information. See + the Vault + docs + for an example. + Connection string to use to connect to the database. type: string maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number tlsCa: - description: x509 CA file for validating the certificate - presented by the MySQL server. Must be PEM encoded. x509 - CA file for validating the certificate presented by the - MySQL server. Must be PEM encoded. + description: |- + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. type: string username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string type: object type: array mysqlAurora: - description: A nested block containing configuration options for - Aurora MySQL connections. 
Connection parameters for the mysql-aurora-database-plugin - plugin. + description: |- + A nested block containing configuration options for Aurora MySQL connections. + Connection parameters for the mysql-aurora-database-plugin plugin. items: properties: authType: - description: Enable IAM authentication to a Google Cloud - instance when set to gcp_iam Specify alternative authorization - type. (Only 'gcp_iam' is valid currently) + description: |- + Enable IAM authentication to a Google Cloud instance when set to gcp_iam + Specify alternative authorization type. (Only 'gcp_iam' is valid currently) type: string connectionUrl: - description: A URL containing connection information. See - the Vault docs for an example. Connection string to use - to connect to the database. + description: |- + A URL containing connection information. See + the Vault + docs + for an example. + Connection string to use to connect to the database. type: string maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number tlsCa: - description: x509 CA file for validating the certificate - presented by the MySQL server. Must be PEM encoded. x509 - CA file for validating the certificate presented by the - MySQL server. Must be PEM encoded. 
+ description: |- + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. type: string username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string type: object type: array mysqlLegacy: - description: A nested block containing configuration options for - legacy MySQL connections. Connection parameters for the mysql-legacy-database-plugin - plugin. + description: |- + A nested block containing configuration options for legacy MySQL connections. + Connection parameters for the mysql-legacy-database-plugin plugin. items: properties: authType: - description: Enable IAM authentication to a Google Cloud - instance when set to gcp_iam Specify alternative authorization - type. (Only 'gcp_iam' is valid currently) + description: |- + Enable IAM authentication to a Google Cloud instance when set to gcp_iam + Specify alternative authorization type. (Only 'gcp_iam' is valid currently) type: string connectionUrl: - description: A URL containing connection information. See - the Vault docs for an example. Connection string to use - to connect to the database. + description: |- + A URL containing connection information. See + the Vault + docs + for an example. + Connection string to use to connect to the database. type: string maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. 
+ description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number tlsCa: - description: x509 CA file for validating the certificate - presented by the MySQL server. Must be PEM encoded. x509 - CA file for validating the certificate presented by the - MySQL server. Must be PEM encoded. + description: |- + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. type: string username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string type: object type: array mysqlRds: - description: A nested block containing configuration options for - RDS MySQL connections. Connection parameters for the mysql-rds-database-plugin - plugin. + description: |- + A nested block containing configuration options for RDS MySQL connections. + Connection parameters for the mysql-rds-database-plugin plugin. 
items: properties: authType: - description: Enable IAM authentication to a Google Cloud - instance when set to gcp_iam Specify alternative authorization - type. (Only 'gcp_iam' is valid currently) + description: |- + Enable IAM authentication to a Google Cloud instance when set to gcp_iam + Specify alternative authorization type. (Only 'gcp_iam' is valid currently) type: string connectionUrl: - description: A URL containing connection information. See - the Vault docs for an example. Connection string to use - to connect to the database. + description: |- + A URL containing connection information. See + the Vault + docs + for an example. + Connection string to use to connect to the database. type: string maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number tlsCa: - description: x509 CA file for validating the certificate - presented by the MySQL server. Must be PEM encoded. x509 - CA file for validating the certificate presented by the - MySQL server. Must be PEM encoded. + description: |- + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. type: string username: - description: The username to authenticate with. 
The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string type: object type: array name: - description: A unique name to give the database connection. Name - of the database connection. + description: |- + A unique name to give the database connection. + Name of the database connection. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string oracle: - description: A nested block containing configuration options for - Oracle connections. Connection parameters for the oracle-database-plugin - plugin. + description: |- + A nested block containing configuration options for Oracle connections. + Connection parameters for the oracle-database-plugin plugin. items: properties: connectionUrl: - description: A URL containing connection information. See - the Vault docs for an example. Connection string to use - to connect to the database. + description: |- + A URL containing connection information. See + the Vault + docs + for an example. + Connection string to use to connect to the database. 
type: string disconnectSessions: - description: Enable the built-in session disconnect mechanism. - Set to true to disconnect any open sessions prior to running - the revocation statements. + description: |- + Enable the built-in session disconnect mechanism. + Set to true to disconnect any open sessions prior to running the revocation statements. type: boolean maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number splitStatements: - description: Enable spliting statements after semi-colons. + description: |- + Enable spliting statements after semi-colons. Set to true in order to split statements after semi-colons. type: boolean username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string type: object type: array pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. 
Must be prefixed - with the name of one of the supported database engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string postgresql: - description: A nested block containing configuration options for - PostgreSQL connections. Connection parameters for the postgresql-database-plugin - plugin. + description: |- + A nested block containing configuration options for PostgreSQL connections. + Connection parameters for the postgresql-database-plugin plugin. items: properties: authType: - description: Enable IAM authentication to a Google Cloud - instance when set to gcp_iam Specify alternative authorization - type. (Only 'gcp_iam' is valid currently) + description: |- + Enable IAM authentication to a Google Cloud instance when set to gcp_iam + Specify alternative authorization type. (Only 'gcp_iam' is valid currently) type: string connectionUrl: - description: A URL containing connection information. See - the Vault docs for an example. Connection string to use - to connect to the database. + description: |- + A URL containing connection information. See + the Vault + docs + for an example. + Connection string to use to connect to the database. type: string disableEscaping: - description: Disable special character escaping in username - and password. Disable special character escaping in username - and password + description: |- + Disable special character escaping in username and password. + Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. 
type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string type: object type: array redis: - description: A nested block containing configuration options for - Redis connections. Connection parameters for the redis-database-plugin - plugin. + description: |- + A nested block containing configuration options for Redis connections. + Connection parameters for the redis-database-plugin plugin. items: properties: caCert: - description: The contents of a PEM-encoded CA cert file - to use to verify the Redis server's identity. The contents - of a PEM-encoded CA cert file to use to verify the Redis - server's identity. + description: |- + The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. + The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. type: string host: - description: The host to connect to. Specifies the host - to connect to + description: |- + The host to connect to. + Specifies the host to connect to type: string insecureTls: - description: Whether to skip verification of the server - certificate when using TLS. 
Specifies whether to skip - verification of the server certificate when using TLS. + description: |- + Whether to skip verification of the server + certificate when using TLS. + Specifies whether to skip verification of the server certificate when using TLS. type: boolean port: - description: The default port to connect to if no port is - specified as part of the host. The transport port to use - to connect to Redis. + description: |- + The default port to connect to if no port is specified as + part of the host. + The transport port to use to connect to Redis. type: number tls: - description: Whether to use TLS when connecting to Cassandra. + description: |- + Whether to use TLS when connecting to Cassandra. Specifies whether to use TLS when connecting to Redis. type: boolean username: - description: The username to authenticate with. Specifies - the username for Vault to use. + description: |- + The username to authenticate with. + Specifies the username for Vault to use. type: string type: object type: array redisElasticache: - description: A nested block containing configuration options for - Redis ElastiCache connections. Connection parameters for the - redis-elasticache-database-plugin plugin. + description: |- + A nested block containing configuration options for Redis ElastiCache connections. + Connection parameters for the redis-elasticache-database-plugin plugin. items: properties: region: - description: The region where the ElastiCache cluster is - hosted. If omitted Vault tries to infer from the environment - instead. The AWS region where the ElastiCache cluster - is hosted. If omitted the plugin tries to infer the region - from the environment. + description: |- + The region where the ElastiCache cluster is hosted. If omitted Vault tries to infer from the environment instead. + The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment. 
type: string url: - description: The url to connect to including the port; e.g. - master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. - The configuration endpoint for the ElastiCache cluster - to connect to. + description: |- + The url to connect to including the port; e.g. master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. + The configuration endpoint for the ElastiCache cluster to connect to. type: string type: object type: array 
@@ -3095,83 +4217,104 @@ spec: items: properties: connectionUrl: - description: A URL containing connection information. See - the Vault docs for an example. Connection string to use - to connect to the database. + description: |- + A URL containing connection information. See + the Vault + docs + for an example. + Connection string to use to connect to the database. type: string disableEscaping: - description: Disable special character escaping in username - and password. Disable special character escaping in username - and password + description: |- + Disable special character escaping in username and password. + Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. 
type: string type: object type: array rootRotationStatements: - description: A list of database statements to be executed to rotate - the root user's credentials. A list of database statements to - be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array snowflake: - description: A nested block containing configuration options for - Snowflake connections. Connection parameters for the snowflake-database-plugin - plugin. + description: |- + A nested block containing configuration options for Snowflake connections. + Connection parameters for the snowflake-database-plugin plugin. items: properties: connectionUrl: - description: A URL containing connection information. See - the Vault docs for an example. Connection string to use - to connect to the database. + description: |- + A URL containing connection information. See + the Vault + docs + for an example. + Connection string to use to connect to the database. type: string maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number username: - description: The username to authenticate with. 
The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string type: object type: array verifyConnection: - description: Whether the connection should be verified on initial - configuration or not. Specifies if the connection is verified - during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object conditions: @@ -3180,14 +4323,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. 
@@ -3197,8 +4349,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -3207,6 +4360,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/database.vault.upbound.io_secretbackendroles.yaml b/package/crds/database.vault.upbound.io_secretbackendroles.yaml index c0823eaf..066b7489 100644 --- a/package/crds/database.vault.upbound.io_secretbackendroles.yaml +++ b/package/crds/database.vault.upbound.io_secretbackendroles.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretbackendroles.database.vault.upbound.io spec: group: database.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: Configures a database secret backend role for Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,148 +74,484 @@ spec: forProvider: properties: backend: - description: The unique name of the Vault mount to configure. + description: |- + The unique name of the Vault mount to configure. The path of the Database Secret Backend the role belongs to. type: string + backendRef: + description: Reference to a Mount in vault to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Mount in vault to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 
'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object creationStatements: - description: The database statements to execute when creating - a user. Database statements to execute to create and configure - a user. + description: |- + The database statements to execute when + creating a user. + Database statements to execute to create and configure a user. items: type: string type: array credentialConfig: additionalProperties: type: string - description: – Specifies the configuration for the given credential_type. + description: |- + – Specifies the configuration + for the given credential_type. Specifies the configuration for the given credential_type. type: object + x-kubernetes-map-type: granular credentialType: - description: '– Specifies the type of credential that will be - generated for the role. Options include: password, rsa_private_key, - client_certificate. See the plugin''s API page for credential - types supported by individual databases. Specifies the type - of credential that will be generated for the role.' + description: |- + – Specifies the type of credential that + will be generated for the role. Options include: password, rsa_private_key, client_certificate. + See the plugin's API page for credential types supported by individual databases. + Specifies the type of credential that will be generated for the role. type: string dbName: - description: The unique name of the database connection to use - for the role. Database connection to use for this role. 
+ description: |- + The unique name of the database connection to use for + the role. + Database connection to use for this role. type: string + dbNameRef: + description: Reference to a SecretBackendConnection in database + to populate dbName. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + dbNameSelector: + description: Selector for a SecretBackendConnection in database + to populate dbName. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object defaultTtl: - description: The default number of seconds for leases for this - role. Default TTL for leases associated with this role, in seconds. + description: |- + The default number of seconds for leases for this + role. + Default TTL for leases associated with this role, in seconds. type: number maxTtl: - description: The maximum number of seconds for leases for this - role. Maximum TTL for leases associated with this role, in seconds. + description: |- + The maximum number of seconds for leases for this + role. + Maximum TTL for leases associated with this role, in seconds. type: number name: - description: A unique name to give the role. Unique name for the - role. + description: |- + A unique name to give the role. + Unique name for the role. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string renewStatements: - description: The database statements to execute when renewing - a user. Database statements to execute to renew a user. + description: |- + The database statements to execute when + renewing a user. 
+ Database statements to execute to renew a user. items: type: string type: array revocationStatements: - description: The database statements to execute when revoking - a user. Database statements to execute to revoke a user. + description: |- + The database statements to execute when + revoking a user. + Database statements to execute to revoke a user. items: type: string type: array rollbackStatements: - description: The database statements to execute when rolling back - creation due to an error. Database statements to execute to - rollback a create operation in the event of an error. + description: |- + The database statements to execute when + rolling back creation due to an error. + Database statements to execute to rollback a create operation in the event of an error. items: type: string type: array type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. 
+ The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: backend: - description: The unique name of the Vault mount to configure. + description: |- + The unique name of the Vault mount to configure. The path of the Database Secret Backend the role belongs to. type: string + backendRef: + description: Reference to a Mount in vault to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Mount in vault to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. 
+ properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object creationStatements: - description: The database statements to execute when creating - a user. Database statements to execute to create and configure - a user. + description: |- + The database statements to execute when + creating a user. + Database statements to execute to create and configure a user. items: type: string type: array credentialConfig: additionalProperties: type: string - description: – Specifies the configuration for the given credential_type. + description: |- + – Specifies the configuration + for the given credential_type. Specifies the configuration for the given credential_type. type: object + x-kubernetes-map-type: granular credentialType: - description: '– Specifies the type of credential that will be - generated for the role. Options include: password, rsa_private_key, - client_certificate. See the plugin''s API page for credential - types supported by individual databases. Specifies the type - of credential that will be generated for the role.' + description: |- + – Specifies the type of credential that + will be generated for the role. Options include: password, rsa_private_key, client_certificate. + See the plugin's API page for credential types supported by individual databases. 
+ Specifies the type of credential that will be generated for the role. type: string dbName: - description: The unique name of the database connection to use - for the role. Database connection to use for this role. + description: |- + The unique name of the database connection to use for + the role. + Database connection to use for this role. type: string + dbNameRef: + description: Reference to a SecretBackendConnection in database + to populate dbName. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + dbNameSelector: + description: Selector for a SecretBackendConnection in database + to populate dbName. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. 
+ The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object defaultTtl: - description: The default number of seconds for leases for this - role. Default TTL for leases associated with this role, in seconds. + description: |- + The default number of seconds for leases for this + role. + Default TTL for leases associated with this role, in seconds. type: number maxTtl: - description: The maximum number of seconds for leases for this - role. Maximum TTL for leases associated with this role, in seconds. + description: |- + The maximum number of seconds for leases for this + role. + Maximum TTL for leases associated with this role, in seconds. type: number name: - description: A unique name to give the role. Unique name for the - role. + description: |- + A unique name to give the role. + Unique name for the role. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. 
(requires Enterprise) type: string renewStatements: - description: The database statements to execute when renewing - a user. Database statements to execute to renew a user. + description: |- + The database statements to execute when + renewing a user. + Database statements to execute to renew a user. items: type: string type: array revocationStatements: - description: The database statements to execute when revoking - a user. Database statements to execute to revoke a user. + description: |- + The database statements to execute when + revoking a user. + Database statements to execute to revoke a user. items: type: string type: array rollbackStatements: - description: The database statements to execute when rolling back - creation due to an error. Database statements to execute to - rollback a create operation in the event of an error. + description: |- + The database statements to execute when + rolling back creation due to an error. + Database statements to execute to rollback a create operation in the event of an error. items: type: string type: array 
@@ -217,20 +559,21 @@ spec: managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. 
+ description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -243,45 +586,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -291,21 +599,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -315,17 +623,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -335,21 +645,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -364,21 +674,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -389,14 +700,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -412,92 +724,102 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: backend is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) - || has(self.initProvider.backend)' - - message: creationStatements is a required parameter + - message: spec.forProvider.creationStatements is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.creationStatements) - || has(self.initProvider.creationStatements)' - - message: dbName is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.dbName) - || has(self.initProvider.dbName)' - - message: name is a required parameter + || (has(self.initProvider) && has(self.initProvider.creationStatements))' + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' + || (has(self.initProvider) && has(self.initProvider.name))' status: description: SecretBackendRoleStatus defines the observed state of SecretBackendRole. properties: atProvider: properties: backend: - description: The unique name of the Vault mount to configure. + description: |- + The unique name of the Vault mount to configure. The path of the Database Secret Backend the role belongs to. type: string creationStatements: - description: The database statements to execute when creating - a user. Database statements to execute to create and configure - a user. + description: |- + The database statements to execute when + creating a user. + Database statements to execute to create and configure a user. 
items: type: string type: array credentialConfig: additionalProperties: type: string - description: – Specifies the configuration for the given credential_type. + description: |- + – Specifies the configuration + for the given credential_type. Specifies the configuration for the given credential_type. type: object + x-kubernetes-map-type: granular credentialType: - description: '– Specifies the type of credential that will be - generated for the role. Options include: password, rsa_private_key, - client_certificate. See the plugin''s API page for credential - types supported by individual databases. Specifies the type - of credential that will be generated for the role.' + description: |- + – Specifies the type of credential that + will be generated for the role. Options include: password, rsa_private_key, client_certificate. + See the plugin's API page for credential types supported by individual databases. + Specifies the type of credential that will be generated for the role. type: string dbName: - description: The unique name of the database connection to use - for the role. Database connection to use for this role. + description: |- + The unique name of the database connection to use for + the role. + Database connection to use for this role. type: string defaultTtl: - description: The default number of seconds for leases for this - role. Default TTL for leases associated with this role, in seconds. + description: |- + The default number of seconds for leases for this + role. + Default TTL for leases associated with this role, in seconds. type: number id: type: string maxTtl: - description: The maximum number of seconds for leases for this - role. Maximum TTL for leases associated with this role, in seconds. + description: |- + The maximum number of seconds for leases for this + role. + Maximum TTL for leases associated with this role, in seconds. type: number name: - description: A unique name to give the role. Unique name for the - role. 
+ description: |- + A unique name to give the role. + Unique name for the role. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string renewStatements: - description: The database statements to execute when renewing - a user. Database statements to execute to renew a user. + description: |- + The database statements to execute when + renewing a user. + Database statements to execute to renew a user. items: type: string type: array revocationStatements: - description: The database statements to execute when revoking - a user. Database statements to execute to revoke a user. + description: |- + The database statements to execute when + revoking a user. + Database statements to execute to revoke a user. items: type: string type: array rollbackStatements: - description: The database statements to execute when rolling back - creation due to an error. Database statements to execute to - rollback a create operation in the event of an error. + description: |- + The database statements to execute when + rolling back creation due to an error. + Database statements to execute to rollback a create operation in the event of an error. items: type: string type: array 
@@ -508,14 +830,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -525,8 +856,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -535,6 +867,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/database.vault.upbound.io_secretbackendstaticroles.yaml b/package/crds/database.vault.upbound.io_secretbackendstaticroles.yaml index 6ee62efc..c824be60 100644 --- a/package/crds/database.vault.upbound.io_secretbackendstaticroles.yaml +++ b/package/crds/database.vault.upbound.io_secretbackendstaticroles.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretbackendstaticroles.database.vault.upbound.io spec: group: database.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: API. Configures a database secret backend static role for Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -55,13 +60,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -69,133 +75,444 @@ spec: forProvider: properties: backend: - description: The unique name of the Vault mount to configure. + description: |- + The unique name of the Vault mount to configure. The path of the Database Secret Backend the role belongs to. type: string + backendRef: + description: Reference to a Mount in vault to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Mount in vault to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 
'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object dbName: - description: The unique name of the database connection to use - for the static role. Database connection to use for this role. + description: |- + The unique name of the database connection to use for the static role. + Database connection to use for this role. type: string + dbNameRef: + description: Reference to a SecretBackendConnection in database + to populate dbName. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + dbNameSelector: + description: Selector for a SecretBackendConnection in database + to populate dbName. 
+ properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object name: - description: A unique name to give the static role. Unique name - for the static role. + description: |- + A unique name to give the static role. + Unique name for the static role. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. 
(requires Enterprise) type: string rotationPeriod: - description: The amount of time Vault should wait before rotating - the password, in seconds. Mutually exclusive with rotation_schedule. - The amount of time Vault should wait before rotating the password, - in seconds. + description: |- + The amount of time Vault should wait before rotating the password, in seconds. + Mutually exclusive with rotation_schedule. + The amount of time Vault should wait before rotating the password, in seconds. type: number rotationSchedule: - description: A cron-style string that will define the schedule - on which rotations should occur. Mutually exclusive with rotation_period. - A cron-style string that will define the schedule on which rotations - should occur. + description: |- + A cron-style string that will define the schedule on which rotations should occur. + Mutually exclusive with rotation_period. + A cron-style string that will define the schedule on which rotations should occur. type: string rotationStatements: - description: Database statements to execute to rotate the password - for the configured database user. Database statements to execute - to rotate the password for the configured database user. + description: |- + Database statements to execute to rotate the password for the configured database user. + Database statements to execute to rotate the password for the configured database user. items: type: string type: array rotationWindow: - description: The amount of time, in seconds, in which rotations - are allowed to occur starting from a given rotation_schedule. - The amount of time in seconds in which the rotations are allowed - to occur starting from a given rotation_schedule. + description: |- + The amount of time, in seconds, in which rotations are allowed to occur starting + from a given rotation_schedule. + The amount of time in seconds in which the rotations are allowed to occur starting from a given rotation_schedule. 
type: number username: - description: The database username that this static role corresponds - to. The database username that this role corresponds to. + description: |- + The database username that this static role corresponds to. + The database username that this role corresponds to. type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: backend: - description: The unique name of the Vault mount to configure. + description: |- + The unique name of the Vault mount to configure. The path of the Database Secret Backend the role belongs to. 
type: string + backendRef: + description: Reference to a Mount in vault to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Mount in vault to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. 
The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object dbName: - description: The unique name of the database connection to use - for the static role. Database connection to use for this role. + description: |- + The unique name of the database connection to use for the static role. + Database connection to use for this role. type: string + dbNameRef: + description: Reference to a SecretBackendConnection in database + to populate dbName. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + dbNameSelector: + description: Selector for a SecretBackendConnection in database + to populate dbName. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. 
+ type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object name: - description: A unique name to give the static role. Unique name - for the static role. + description: |- + A unique name to give the static role. + Unique name for the static role. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string rotationPeriod: - description: The amount of time Vault should wait before rotating - the password, in seconds. Mutually exclusive with rotation_schedule. - The amount of time Vault should wait before rotating the password, - in seconds. + description: |- + The amount of time Vault should wait before rotating the password, in seconds. + Mutually exclusive with rotation_schedule. 
+ The amount of time Vault should wait before rotating the password, in seconds. type: number rotationSchedule: - description: A cron-style string that will define the schedule - on which rotations should occur. Mutually exclusive with rotation_period. - A cron-style string that will define the schedule on which rotations - should occur. + description: |- + A cron-style string that will define the schedule on which rotations should occur. + Mutually exclusive with rotation_period. + A cron-style string that will define the schedule on which rotations should occur. type: string rotationStatements: - description: Database statements to execute to rotate the password - for the configured database user. Database statements to execute - to rotate the password for the configured database user. + description: |- + Database statements to execute to rotate the password for the configured database user. + Database statements to execute to rotate the password for the configured database user. items: type: string type: array rotationWindow: - description: The amount of time, in seconds, in which rotations - are allowed to occur starting from a given rotation_schedule. - The amount of time in seconds in which the rotations are allowed - to occur starting from a given rotation_schedule. + description: |- + The amount of time, in seconds, in which rotations are allowed to occur starting + from a given rotation_schedule. + The amount of time in seconds in which the rotations are allowed to occur starting from a given rotation_schedule. type: number username: - description: The database username that this static role corresponds - to. The database username that this role corresponds to. + description: |- + The database username that this static role corresponds to. + The database username that this role corresponds to. type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. 
- It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
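Review bot: `rotationPeriod` and `rotationSchedule` are each documented here as mutually exclusive with the other, but the schema types them independently and the spec-level `x-kubernetes-validations` list visible further down in this file has rules only for `name` and `username`. A spec that sets both would presumably pass admission and fail only when the provider applies it, leaving the static role's password rotation unconfigured until someone reads the reconcile error. A rule with `message: rotationPeriod and rotationSchedule are mutually exclusive` and `rule: '!(has(self.forProvider.rotationPeriod) && has(self.forProvider.rotationSchedule))'` would reject it up front. The `controller-gen` annotation suggests this CRD is generated, so the rule would belong in the generator configuration rather than in this file.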
@@ -208,9 +525,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -220,57 +538,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -280,17 +562,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -300,21 +584,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -329,21 +613,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -354,14 +639,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -377,22 +663,14 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: backend is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) - || has(self.initProvider.backend)' - - message: dbName is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.dbName) - || has(self.initProvider.dbName)' - - message: name is a required parameter + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' - - message: username is a required parameter + || (has(self.initProvider) && has(self.initProvider.name))' + - message: spec.forProvider.username is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.username) - || has(self.initProvider.username)' + || (has(self.initProvider) && has(self.initProvider.username))' status: description: SecretBackendStaticRoleStatus defines the observed state of SecretBackendStaticRole. 
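Review bot: The `x-kubernetes-validations` list no longer carries the `backend` and `dbName` rules, so under a Create or Update management policy the API server will admit an object that sets neither field. The omission would then only surface at reconcile time. If the two fields became resolvable through reference or selector fields elsewhere in this CRD (not visible in this hunk), the removal is expected. Otherwise the rules should come back in the guarded form the hunk uses for `name`, e.g. `has(self.forProvider.backend) || (has(self.initProvider) && has(self.initProvider.backend))`. The file looks generated, so the change belongs in the generator's resource configuration rather than in the YAML.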
@@ -400,54 +678,59 @@ spec: atProvider: properties: backend: - description: The unique name of the Vault mount to configure. + description: |- + The unique name of the Vault mount to configure. The path of the Database Secret Backend the role belongs to. type: string dbName: - description: The unique name of the database connection to use - for the static role. Database connection to use for this role. + description: |- + The unique name of the database connection to use for the static role. + Database connection to use for this role. type: string id: type: string name: - description: A unique name to give the static role. Unique name - for the static role. + description: |- + A unique name to give the static role. + Unique name for the static role. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string rotationPeriod: - description: The amount of time Vault should wait before rotating - the password, in seconds. Mutually exclusive with rotation_schedule. - The amount of time Vault should wait before rotating the password, - in seconds. + description: |- + The amount of time Vault should wait before rotating the password, in seconds. + Mutually exclusive with rotation_schedule. + The amount of time Vault should wait before rotating the password, in seconds. type: number rotationSchedule: - description: A cron-style string that will define the schedule - on which rotations should occur. 
Mutually exclusive with rotation_period. - A cron-style string that will define the schedule on which rotations - should occur. + description: |- + A cron-style string that will define the schedule on which rotations should occur. + Mutually exclusive with rotation_period. + A cron-style string that will define the schedule on which rotations should occur. type: string rotationStatements: - description: Database statements to execute to rotate the password - for the configured database user. Database statements to execute - to rotate the password for the configured database user. + description: |- + Database statements to execute to rotate the password for the configured database user. + Database statements to execute to rotate the password for the configured database user. items: type: string type: array rotationWindow: - description: The amount of time, in seconds, in which rotations - are allowed to occur starting from a given rotation_schedule. - The amount of time in seconds in which the rotations are allowed - to occur starting from a given rotation_schedule. + description: |- + The amount of time, in seconds, in which rotations are allowed to occur starting + from a given rotation_schedule. + The amount of time in seconds in which the rotations are allowed to occur starting from a given rotation_schedule. type: number username: - description: The database username that this static role corresponds - to. The database username that this role corresponds to. + description: |- + The database username that this static role corresponds to. + The database username that this role corresponds to. type: string type: object conditions: 
@@ -456,14 +739,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -473,8 +765,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -483,6 +776,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/database.vault.upbound.io_secretsmounts.yaml b/package/crds/database.vault.upbound.io_secretsmounts.yaml index 702dc155..8dd71e51 100644 --- a/package/crds/database.vault.upbound.io_secretsmounts.yaml +++ b/package/crds/database.vault.upbound.io_secretsmounts.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretsmounts.database.vault.upbound.io spec: group: database.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: any number of database secrets engines under a single mount resource properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,72 +74,84 @@ spec: forProvider: properties: allowedManagedKeys: - description: Set of managed key registry entry names that the - mount in question is allowed to access List of managed key registry - entry names that the mount in question is allowed to access + description: |- + Set of managed key registry entry names that the mount in question is allowed to access + List of managed key registry entry names that the mount in question is allowed to access + items: + type: string + type: array + x-kubernetes-list-type: set + allowedResponseHeaders: + description: List of headers to allow and pass from the request + to the plugin items: type: string type: array auditNonHmacRequestKeys: - description: Specifies the list of keys that will not be HMAC'd - by audit devices in the request data object. Specifies the list - of keys that will not be HMAC'd by audit devices in the request - data object. + description: |- + Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. + Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. items: type: string type: array auditNonHmacResponseKeys: - description: Specifies the list of keys that will not be HMAC'd - by audit devices in the response data object. Specifies the - list of keys that will not be HMAC'd by audit devices in the - response data object. + description: |- + Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. + Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. items: type: string type: array cassandra: - description: A nested block containing configuration options for - Cassandra connections. See Connection parameters for the cassandra-database-plugin - plugin. + description: |- + A nested block containing configuration options for Cassandra connections. + See + Connection parameters for the cassandra-database-plugin plugin. 
items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array connectTimeout: - description: The number of seconds to use as a connection - timeout. The number of seconds to use as a connection + description: |- + The number of seconds to use as a connection timeout. + The number of seconds to use as a connection timeout. type: number data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular hosts: - description: The hosts to connect to. Cassandra hosts to - connect to. + description: |- + The hosts to connect to. + Cassandra hosts to connect to. items: type: string type: array insecureTls: - description: Whether to skip verification of the server - certificate when using TLS. Whether to skip verification - of the server certificate when using TLS. + description: |- + Whether to skip verification of the server + certificate when using TLS. + Whether to skip verification of the server certificate when using TLS. type: boolean name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string passwordSecretRef: - description: The password to authenticate with. The password - to use when authenticating with Cassandra. + description: |- + The password to authenticate with. 
+ The password to use when authenticating with Cassandra. properties: key: description: The key to select. @@ -150,10 +168,10 @@ spec: - namespace type: object pemBundleSecretRef: - description: Concatenated PEM blocks configuring the certificate - chain. Concatenated PEM blocks containing a certificate - and private key; a certificate, private key, and issuing - CA certificate; or just a CA certificate. + description: |- + Concatenated PEM blocks configuring the certificate + chain. + Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. properties: key: description: The key to select. @@ -170,10 +188,9 @@ spec: - namespace type: object pemJsonSecretRef: - description: A JSON structure configuring the certificate - chain. Specifies JSON containing a certificate and private - key; a certificate, private key, and issuing CA certificate; - or just a CA certificate. + description: |- + A JSON structure configuring the certificate chain. + Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. properties: key: description: The key to select. 
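Review bot: The description added for `allowedResponseHeaders` reads `List of headers to allow and pass from the request to the plugin`, which describes request passthrough rather than response headers. The identical sentence is reused for `delegatedAuthAccessors` in the later `@@ -310` hunk, where it does not fit a list of auth accessors. Someone deciding what a mount may expose or delegate gets no usable guidance from either text. Since the CRD carries a controller-gen annotation, the wording should be corrected where the descriptions originate, for example `List of headers the plugin is allowed to include in its response` and `List of auth mount accessors the mount may request delegated authentication for`. Both wordings are inferred from the field names and should be checked against the provider documentation.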
@@ -190,61 +207,65 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string port: - description: The default port to connect to if no port is - specified as part of the host. The transport port to use - to connect to Cassandra. + description: |- + The default port to connect to if no port is specified as + part of the host. + The transport port to use to connect to Cassandra. type: number protocolVersion: - description: The CQL protocol version to use. The CQL protocol - version to use. + description: |- + The CQL protocol version to use. + The CQL protocol version to use. type: number rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array tls: - description: Whether to use TLS when connecting to Cassandra. + description: |- + Whether to use TLS when connecting to Cassandra. Whether to use TLS when connecting to Cassandra. type: boolean username: - description: The username to authenticate with. The username - to use when authenticating with Cassandra. + description: |- + The username to authenticate with. + The username to use when authenticating with Cassandra. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. 
Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array couchbase: - description: A nested block containing configuration options for - Couchbase connections. See Connection parameters for the couchbase-database-plugin - plugin. + description: |- + A nested block containing configuration options for Couchbase connections. + See + Connection parameters for the couchbase-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array base64PemSecretRef: - description: Required if tls is true. Specifies the certificate - authority of the Couchbase server, as a PEM certificate - that has been base64 encoded. Required if `tls` is `true`. - Specifies the certificate authority of the Couchbase server, - as a PEM certificate that has been base64 encoded. + description: |- + Required if tls is true. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded. + Required if `tls` is `true`. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded. properties: key: description: The key to select. 
@@ -261,39 +282,40 @@ spec: - namespace type: object bucketName: - description: Required for Couchbase versions prior to 6.5.0. - This is only used to verify vault's connection to the - server. Required for Couchbase versions prior to 6.5.0. - This is only used to verify vault's connection to the - server. + description: |- + Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. + Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular hosts: - description: The hosts to connect to. A set of Couchbase - URIs to connect to. Must use `couchbases://` scheme if - `tls` is `true`. + description: |- + The hosts to connect to. + A set of Couchbase URIs to connect to. Must use `couchbases://` scheme if `tls` is `true`. items: type: string type: array insecureTls: - description: Whether to skip verification of the server - certificate when using TLS. Specifies whether to skip - verification of the server certificate when using TLS. + description: |- + Whether to skip verification of the server + certificate when using TLS. + Specifies whether to skip verification of the server certificate when using TLS. type: boolean name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string passwordSecretRef: - description: The password to authenticate with. 
Specifies - the password corresponding to the given username. + description: |- + The password to authenticate with. + Specifies the password corresponding to the given username. properties: key: description: The key to select. 
@@ -310,102 +332,113 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array tls: - description: Whether to use TLS when connecting to Cassandra. + description: |- + Whether to use TLS when connecting to Cassandra. Specifies whether to use TLS when connecting to Couchbase. type: boolean username: - description: The username to authenticate with. Specifies - the username for Vault to use. + description: |- + The username to authenticate with. + Specifies the username for Vault to use. type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Template describing how dynamic usernames are - generated. + description: |- + Template describing how dynamic usernames are generated. + Template describing how dynamic usernames are generated. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. 
type: boolean - required: - - passwordSecretRef type: object type: array defaultLeaseTtlSeconds: - description: Default lease duration for tokens and secrets in - seconds Default lease duration for tokens and secrets in seconds + description: |- + Default lease duration for tokens and secrets in seconds + Default lease duration for tokens and secrets in seconds type: number + delegatedAuthAccessors: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array description: - description: Human-friendly description of the mount Human-friendly - description of the mount + description: |- + Human-friendly description of the mount + Human-friendly description of the mount type: string elasticsearch: - description: A nested block containing configuration options for - Elasticsearch connections. See Connection parameters for the - elasticsearch-database-plugin. + description: |- + A nested block containing configuration options for Elasticsearch connections. + See + Connection parameters for the elasticsearch-database-plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array caCert: - description: The path to a PEM-encoded CA cert file to use - to verify the Elasticsearch server's identity. The path - to a PEM-encoded CA cert file to use to verify the Elasticsearch - server's identity + description: |- + The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity. + The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity type: string caPath: - description: The path to a directory of PEM-encoded CA cert - files to use to verify the Elasticsearch server's identity. 
- The path to a directory of PEM-encoded CA cert files to - use to verify the Elasticsearch server's identity + description: |- + The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity. + The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity type: string clientCert: - description: The path to the certificate for the Elasticsearch - client to present for communication. The path to the certificate - for the Elasticsearch client to present for communication + description: |- + The path to the certificate for the Elasticsearch client to present for communication. + The path to the certificate for the Elasticsearch client to present for communication type: string clientKey: - description: The path to the key for the Elasticsearch client - to use for communication. The path to the key for the - Elasticsearch client to use for communication + description: |- + The path to the key for the Elasticsearch client to use for communication. + The path to the key for the Elasticsearch client to use for communication type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular insecure: - description: Whether to disable certificate verification. + description: |- + Whether to disable certificate verification. Whether to disable certificate verification type: boolean name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. 
type: string passwordSecretRef: - description: The password to authenticate with. The password - to be used in the connection URL + description: |- + The password to authenticate with. + The password to be used in the connection URL properties: key: description: The key to select. 
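Review bot: Dropping `required:` / `- passwordSecretRef` from the `couchbase` item schema means a connection block with no password reference now passes admission, and nothing in this hunk replaces the check. The `elasticsearch` block loses the same constraint in the `@@ -422` hunk. The failure would then only appear when the provider tries to configure the connection, which is harder to attribute than a rejected apply. If the relaxation is intentional, the commit description should say why. Otherwise restore the `required` entry for both blocks through the generator configuration, since this file is generated.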
@@ -422,103 +455,112 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array tlsServerName: - description: This, if set, is used to set the SNI host when - connecting via TLS. This, if set, is used to set the SNI - host when connecting via TLS + description: |- + This, if set, is used to set the SNI host when connecting via TLS. + This, if set, is used to set the SNI host when connecting via TLS type: string url: - description: The URL for Elasticsearch's API. https requires - certificate by trusted CA if used. The URL for Elasticsearch's - API + description: |- + The URL for Elasticsearch's API. https requires certificate + by trusted CA if used. + The URL for Elasticsearch's API type: string username: - description: The username to authenticate with. The username - to be used in the connection URL + description: |- + The username to authenticate with. + The username to be used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Template describing how dynamic usernames are - generated. + description: |- + Template describing how dynamic usernames are generated. 
+ Template describing how dynamic usernames are generated. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean - required: - - passwordSecretRef type: object type: array externalEntropyAccess: - description: Boolean flag that can be explicitly set to true to - enable the secrets engine to access Vault's external entropy - source Enable the secrets engine to access Vault's external - entropy source + description: |- + Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source + Enable the secrets engine to access Vault's external entropy source type: boolean hana: - description: A nested block containing configuration options for - SAP HanaDB connections. See Connection parameters for the hana-database-plugin - plugin. + description: |- + A nested block containing configuration options for SAP HanaDB connections. + See + Connection parameters for the hana-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. + description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. 
- Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular disableEscaping: - description: Disable special character escaping in username - and password. Disable special character escaping in username - and password + description: |- + Disable special character escaping in username and password. + Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string passwordSecretRef: - description: The password to authenticate with. The root - credential password used in the connection URL + description: |- + The password to authenticate with. + The root credential password used in the connection URL properties: key: description: The key to select. 
@@ -535,71 +577,83 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array + identityTokenKey: + description: The key to use for signing plugin workload identity + tokens + type: string influxdb: - description: A nested block containing configuration options for - InfluxDB connections. See Connection parameters for the influxdb-database-plugin - plugin. + description: |- + A nested block containing configuration options for InfluxDB connections. + See + Connection parameters for the influxdb-database-plugin plugin. 
items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array connectTimeout: - description: The number of seconds to use as a connection - timeout. The number of seconds to use as a connection + description: |- + The number of seconds to use as a connection timeout. + The number of seconds to use as a connection timeout. type: number data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular host: - description: The host to connect to. Influxdb host to connect - to. + description: |- + The host to connect to. + Influxdb host to connect to. type: string insecureTls: - description: Whether to skip verification of the server - certificate when using TLS. Whether to skip verification - of the server certificate when using TLS. + description: |- + Whether to skip verification of the server + certificate when using TLS. + Whether to skip verification of the server certificate when using TLS. type: boolean name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string passwordSecretRef: - description: The password to authenticate with. Specifies - the password corresponding to the given username. + description: |- + The password to authenticate with. 
+ Specifies the password corresponding to the given username. properties: key: description: The key to select. @@ -616,10 +670,10 @@ spec: - namespace type: object pemBundleSecretRef: - description: Concatenated PEM blocks configuring the certificate - chain. Concatenated PEM blocks containing a certificate - and private key; a certificate, private key, and issuing - CA certificate; or just a CA certificate. + description: |- + Concatenated PEM blocks configuring the certificate + chain. + Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. properties: key: description: The key to select. @@ -636,10 +690,9 @@ spec: - namespace type: object pemJsonSecretRef: - description: A JSON structure configuring the certificate - chain. Specifies JSON containing a certificate and private - key; a certificate, private key, and issuing CA certificate; - or just a CA certificate. + description: |- + A JSON structure configuring the certificate chain. + Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. properties: key: description: The key to select. 
@@ -656,101 +709,116 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string port: - description: The default port to connect to if no port is - specified as part of the host. The transport port to use - to connect to Influxdb. + description: |- + The default port to connect to if no port is specified as + part of the host. + The transport port to use to connect to Influxdb. type: number rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array tls: - description: Whether to use TLS when connecting to Cassandra. + description: |- + Whether to use TLS when connecting to Cassandra. Whether to use TLS when connecting to Influxdb. type: boolean username: - description: The username to authenticate with. Specifies - the username to use for superuser access. + description: |- + The username to authenticate with. + Specifies the username to use for superuser access. type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Template describing how dynamic usernames are - generated. + description: |- + Template describing how dynamic usernames are generated. + Template describing how dynamic usernames are generated. 
type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean - required: - - passwordSecretRef type: object type: array + listingVisibility: + description: Specifies whether to show this mount in the UI-specific + listing endpoint + type: string local: - description: Boolean flag that can be explicitly set to true to - enforce local mount in HA environment Local mount flag that - can be explicitly set to true to enforce local mount in HA environment + description: |- + Boolean flag that can be explicitly set to true to enforce local mount in HA environment + Local mount flag that can be explicitly set to true to enforce local mount in HA environment type: boolean maxLeaseTtlSeconds: - description: Maximum possible lease duration for tokens and secrets - in seconds Maximum possible lease duration for tokens and secrets - in seconds + description: |- + Maximum possible lease duration for tokens and secrets in seconds + Maximum possible lease duration for tokens and secrets in seconds type: number mongodb: - description: A nested block containing configuration options for - MongoDB connections. See Connection parameters for the mongodb-database-plugin - plugin. + description: |- + A nested block containing configuration options for MongoDB connections. + See + Connection parameters for the mongodb-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. 
items: type: string type: array connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. + description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string passwordSecretRef: - description: The password to authenticate with. The root - credential password used in the connection URL + description: |- + The password to authenticate with. 
+ The root credential password used in the connection URL properties: key: description: The key to select. 
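Review bot: The influxdb items schema in this hunk appears to lose its `required:` / `- passwordSecretRef` constraint (the removed lines right after `verifyConnection`), so the API server would stop rejecting an InfluxDB connection that carries no password secret reference. The mongodbatlas hunk that follows drops `required:` / `- privateKeySecretRef` in the same way. This looks like generated CRD output, so the relaxation presumably comes from the upgraded provider schema rather than a hand edit, and any fix belongs in the generator configuration, not in this file. If the credential is still needed for a working connection, keep `required:` with `- passwordSecretRef` in the items schema. Otherwise say in the commit description that the field is now optional, and confirm that a missing secret fails at reconcile time with a clear condition. The influxdb block itself starts before this hunk.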
@@ -767,68 +835,72 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array mongodbatlas: - description: A nested block containing configuration options for - MongoDB Atlas connections. See Connection parameters for the - mongodbatlas-database-plugin plugin. 
+ description: |- + A nested block containing configuration options for MongoDB Atlas connections. + See + Connection parameters for the mongodbatlas-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string privateKeySecretRef: - description: The Private Programmatic API Key used to connect - with MongoDB Atlas API. The Private Programmatic API Key - used to connect with MongoDB Atlas API. + description: |- + The Private Programmatic API Key used to connect with MongoDB Atlas API. + The Private Programmatic API Key used to connect with MongoDB Atlas API. properties: key: description: The key to select. 
@@ -845,88 +917,98 @@ spec: - namespace type: object projectId: - description: The Project ID the Database User should be - created within. The Project ID the Database User should - be created within. + description: |- + The Project ID the Database User should be created within. + The Project ID the Database User should be created within. type: string publicKey: - description: The Public Programmatic API Key used to authenticate - with the MongoDB Atlas API. The Public Programmatic API - Key used to authenticate with the MongoDB Atlas API. + description: |- + The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. + The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean - required: - - privateKeySecretRef type: object type: array mssql: - description: A nested block containing configuration options for - MSSQL connections. See Connection parameters for the mssql-database-plugin - plugin. + description: |- + A nested block containing configuration options for MSSQL connections. + See + Connection parameters for the mssql-database-plugin plugin. 
items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. + description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. type: string containedDb: - description: For Vault v1.9+. Set to true when the target - is a Contained Database, e.g. AzureSQL. See Vault docs - Set to true when the target is a Contained Database, e.g. - AzureSQL. + description: |- + For Vault v1.9+. Set to true when the target is a + Contained Database, e.g. AzureSQL. + See Vault docs + Set to true when the target is a Contained Database, e.g. AzureSQL. type: boolean data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular disableEscaping: - description: Disable special character escaping in username - and password. Disable special character escaping in username - and password + description: |- + Disable special character escaping in username and password. + Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. 
+ description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string passwordSecretRef: - description: The password to authenticate with. The root - credential password used in the connection URL + description: |- + The password to authenticate with. + The root credential password used in the connection URL properties: key: description: The key to select. 
@@ -943,43 +1025,47 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array mysql: - description: A nested block containing configuration options for - MySQL connections. See Connection parameters for the mysql-database-plugin - plugin. 
+ description: |- + A nested block containing configuration options for MySQL connections. + See + Connection parameters for the mysql-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array 
@@ -988,38 +1074,46 @@ spec: 'gcp_iam' is valid currently) type: string connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. + description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string passwordSecretRef: - description: The password to authenticate with. The root - credential password used in the connection URL + description: |- + The password to authenticate with. 
+ The root credential password used in the connection URL properties: key: description: The key to select. @@ -1036,15 +1130,14 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array 
@@ -1067,17 +1160,14 @@ spec: - namespace type: object tlsCa: - description: x509 CA file for validating the certificate - presented by the MySQL server. Must be PEM encoded. x509 - CA file for validating the certificate presented by the - MySQL server. Must be PEM encoded. + description: |- + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. type: string tlsCertificateKeySecretRef: - description: x509 certificate for connecting to the database. - This must be a PEM encoded version of the private key - and the certificate combined. x509 certificate for connecting - to the database. This must be a PEM encoded version of - the private key and the certificate combined. + description: |- + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. properties: key: description: The key to select. 
@@ -1094,30 +1184,35 @@ spec: - namespace type: object username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array mysqlAurora: - description: A nested block containing configuration options for - Aurora MySQL connections. See Connection parameters for the - mysql-aurora-database-plugin plugin. + description: |- + A nested block containing configuration options for Aurora MySQL connections. + See + Connection parameters for the mysql-aurora-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array 
@@ -1126,38 +1221,46 @@ spec: 'gcp_iam' is valid currently) type: string connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. + description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string passwordSecretRef: - description: The password to authenticate with. The root - credential password used in the connection URL + description: |- + The password to authenticate with. 
+ The root credential password used in the connection URL properties: key: description: The key to select. @@ -1174,15 +1277,14 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array 
@@ -1205,17 +1307,14 @@ spec: - namespace type: object tlsCa: - description: x509 CA file for validating the certificate - presented by the MySQL server. Must be PEM encoded. x509 - CA file for validating the certificate presented by the - MySQL server. Must be PEM encoded. + description: |- + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. type: string tlsCertificateKeySecretRef: - description: x509 certificate for connecting to the database. - This must be a PEM encoded version of the private key - and the certificate combined. x509 certificate for connecting - to the database. This must be a PEM encoded version of - the private key and the certificate combined. + description: |- + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. properties: key: description: The key to select. 
@@ -1232,30 +1331,35 @@ spec: - namespace type: object username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array mysqlLegacy: - description: A nested block containing configuration options for - legacy MySQL connections. See Connection parameters for the - mysql-legacy-database-plugin plugin. + description: |- + A nested block containing configuration options for legacy MySQL connections. + See + Connection parameters for the mysql-legacy-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array 
@@ -1264,38 +1368,46 @@ spec: 'gcp_iam' is valid currently) type: string connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. + description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string passwordSecretRef: - description: The password to authenticate with. The root - credential password used in the connection URL + description: |- + The password to authenticate with. 
+ The root credential password used in the connection URL properties: key: description: The key to select. @@ -1312,15 +1424,14 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array 
@@ -1343,17 +1454,14 @@ spec: - namespace type: object tlsCa: - description: x509 CA file for validating the certificate - presented by the MySQL server. Must be PEM encoded. x509 - CA file for validating the certificate presented by the - MySQL server. Must be PEM encoded. + description: |- + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. type: string tlsCertificateKeySecretRef: - description: x509 certificate for connecting to the database. - This must be a PEM encoded version of the private key - and the certificate combined. x509 certificate for connecting - to the database. This must be a PEM encoded version of - the private key and the certificate combined. + description: |- + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. properties: key: description: The key to select. 
@@ -1370,30 +1478,35 @@ spec: - namespace type: object username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array mysqlRds: - description: A nested block containing configuration options for - RDS MySQL connections. See Connection parameters for the mysql-rds-database-plugin - plugin. + description: |- + A nested block containing configuration options for RDS MySQL connections. + See + Connection parameters for the mysql-rds-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array 
@@ -1402,38 +1515,46 @@ spec: 'gcp_iam' is valid currently) type: string connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. + description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string passwordSecretRef: - description: The password to authenticate with. The root - credential password used in the connection URL + description: |- + The password to authenticate with. 
+ The root credential password used in the connection URL properties: key: description: The key to select. @@ -1450,15 +1571,14 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array 
@@ -1481,17 +1601,14 @@ spec: - namespace type: object tlsCa: - description: x509 CA file for validating the certificate - presented by the MySQL server. Must be PEM encoded. x509 - CA file for validating the certificate presented by the - MySQL server. Must be PEM encoded. + description: |- + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. type: string tlsCertificateKeySecretRef: - description: x509 certificate for connecting to the database. - This must be a PEM encoded version of the private key - and the certificate combined. x509 certificate for connecting - to the database. This must be a PEM encoded version of - the private key and the certificate combined. + description: |- + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. properties: key: description: The key to select. 
@@ -1508,17 +1625,20 @@ spec: - namespace type: object username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array 
@@ -1528,60 +1648,71 @@ spec: options: additionalProperties: type: string - description: Specifies mount type specific options that are passed - to the backend Specifies mount type specific options that are - passed to the backend + description: |- + Specifies mount type specific options that are passed to the backend + Specifies mount type specific options that are passed to the backend type: object + x-kubernetes-map-type: granular oracle: - description: A nested block containing configuration options for - Oracle connections. See Connection parameters for the oracle-database-plugin - plugin. + description: |- + A nested block containing configuration options for Oracle connections. + See + Connection parameters for the oracle-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. + description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular disconnectSessions: description: Set to true to disconnect any open sessions prior to running the revocation statements. 
type: boolean maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string passwordSecretRef: - description: The password to authenticate with. The root - credential password used in the connection URL + description: |- + The password to authenticate with. + The root credential password used in the connection URL properties: key: description: The key to select. 
@@ -1598,15 +1729,14 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array 
@@ -1615,34 +1745,50 @@ spec: semi-colons. type: boolean username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array + passthroughRequestHeaders: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array path: - description: Where the secret backend will be mounted Where the - secret backend will be mounted + description: |- + Where the secret backend will be mounted + Where the secret backend will be mounted + type: string + pluginVersion: + description: Specifies the semantic version of the plugin to use, + e.g. 'v1.0.0' type: string postgresql: - description: A nested block containing configuration options for - PostgreSQL connections. See Connection parameters for the postgresql-database-plugin - plugin. + description: |- + A nested block containing configuration options for PostgreSQL connections. + See + Connection parameters for the postgresql-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. 
+ A list of roles that are allowed to use this connection. items: type: string type: array 
@@ -1651,43 +1797,51 @@ spec: 'gcp_iam' is valid currently) type: string connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. + description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular disableEscaping: - description: Disable special character escaping in username - and password. Disable special character escaping in username - and password + description: |- + Disable special character escaping in username and password. + Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. 
type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string passwordSecretRef: - description: The password to authenticate with. The root - credential password used in the connection URL + description: |- + The password to authenticate with. + The root credential password used in the connection URL properties: key: description: The key to select. @@ -1704,15 +1858,14 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array 
@@ -1735,63 +1888,71 @@ spec: - namespace type: object username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array redis: - description: A nested block containing configuration options for - Redis connections. See Connection parameters for the redis-database-plugin - plugin. + description: |- + A nested block containing configuration options for Redis connections. + See + Connection parameters for the redis-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array caCert: - description: The path to a PEM-encoded CA cert file to use - to verify the Elasticsearch server's identity. The contents - of a PEM-encoded CA cert file to use to verify the Redis - server's identity. + description: |- + The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity. + The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. 
type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular host: - description: The host to connect to. Specifies the host - to connect to + description: |- + The host to connect to. + Specifies the host to connect to type: string insecureTls: - description: Whether to skip verification of the server - certificate when using TLS. Specifies whether to skip - verification of the server certificate when using TLS. + description: |- + Whether to skip verification of the server + certificate when using TLS. + Specifies whether to skip verification of the server certificate when using TLS. type: boolean name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string passwordSecretRef: - description: The password to authenticate with. Specifies - the password corresponding to the given username. + description: |- + The password to authenticate with. + Specifies the password corresponding to the given username. properties: key: description: The key to select. 
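Review bot: The `caCert` description in the redis block gives two incompatible instructions: first "The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity", then "The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity". A reader cannot tell whether to supply a file path or the PEM text, and a wrong guess on a certificate-verification field can end with `insecureTls` being enabled just to get a working connection. The first sentence looks carried over from another engine's documentation, so the description should keep only `The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity.` This file appears to be generated, so the correction presumably belongs in the generator's description source rather than in this YAML.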
@@ -1808,69 +1969,73 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string port: - description: The default port to connect to if no port is - specified as part of the host. The transport port to use - to connect to Redis. + description: |- + The default port to connect to if no port is specified as + part of the host. + The transport port to use to connect to Redis. type: number rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array tls: - description: Whether to use TLS when connecting to Cassandra. + description: |- + Whether to use TLS when connecting to Cassandra. Specifies whether to use TLS when connecting to Redis. type: boolean username: - description: The username to authenticate with. Specifies - the username for Vault to use. + description: |- + The username to authenticate with. + Specifies the username for Vault to use. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. 
type: boolean - required: - - passwordSecretRef type: object type: array redisElasticache: - description: A nested block containing configuration options for - Redis ElastiCache connections. See Connection parameters for - the redis-elasticache-database-plugin plugin. + description: |- + A nested block containing configuration options for Redis ElastiCache connections. + See + Connection parameters for the redis-elasticache-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string passwordSecretRef: - description: The password to authenticate with. The AWS - secret key id to use to talk to ElastiCache. If omitted - the credentials chain provider is used instead. + description: |- + The password to authenticate with. + The AWS secret key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead. properties: key: description: The key to select. 
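Review bot: The redis item schema loses `required:` / `- passwordSecretRef` at the end of this hunk and nothing visible replaces it, so the API server will now admit a redis connection entry that carries no password reference at all. If the plugin still needs a password, the omission would presumably only surface at reconcile time instead of being rejected at admission. Please confirm the relaxation is intended; if it is not, restore `required:` with `- passwordSecretRef` through the generator configuration, since this file looks generated. The `tls` description in the same block still reads "Whether to use TLS when connecting to Cassandra." and should name Redis.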
@@ -1887,34 +2052,33 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string region: - description: The AWS region where the ElastiCache cluster - is hosted. If omitted the plugin tries to infer the region - from the environment. The AWS region where the ElastiCache - cluster is hosted. If omitted the plugin tries to infer - the region from the environment. + description: |- + The AWS region where the ElastiCache cluster is hosted. + If omitted the plugin tries to infer the region from the environment. + The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array url: - description: The URL for Elasticsearch's API. https requires - certificate by trusted CA if used. The configuration endpoint - for the ElastiCache cluster to connect to. + description: |- + The URL for Elasticsearch's API. https requires certificate + by trusted CA if used. + The configuration endpoint for the ElastiCache cluster to connect to. type: string usernameSecretRef: - description: The username to authenticate with. The AWS - access key id to use to talk to ElastiCache. 
If omitted - the credentials chain provider is used instead. + description: |- + The username to authenticate with. + The AWS access key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead. properties: key: description: The key to select. 
@@ -1931,63 +2095,74 @@ spec: - namespace type: object verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array redshift: - description: A nested block containing configuration options for - AWS Redshift connections. See Connection parameters for the - redshift-database-plugin plugin. + description: |- + A nested block containing configuration options for AWS Redshift connections. + See + Connection parameters for the redshift-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. + description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular disableEscaping: - description: Disable special character escaping in username - and password. 
Disable special character escaping in username - and password + description: |- + Disable special character escaping in username and password. + Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string passwordSecretRef: - description: The password to authenticate with. The root - credential password used in the connection URL + description: |- + The password to authenticate with. + The root credential password used in the connection URL properties: key: description: The key to select. 
@@ -2004,86 +2179,96 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. 
type: boolean type: object type: array sealWrap: - description: Boolean flag that can be explicitly set to true to - enable seal wrapping for the mount, causing values stored by - the mount to be wrapped by the seal's encryption capability - Enable seal wrapping for the mount, causing values stored by - the mount to be wrapped by the seal's encryption capability + description: |- + Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability + Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability type: boolean snowflake: - description: A nested block containing configuration options for - Snowflake connections. See Connection parameters for the snowflake-database-plugin - plugin. + description: |- + A nested block containing configuration options for Snowflake connections. + See + Connection parameters for the snowflake-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. + description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. 
+ A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string passwordSecretRef: - description: The password to authenticate with. The root - credential password used in the connection URL + description: |- + The password to authenticate with. + The root credential password used in the connection URL properties: key: description: The key to select. 
@@ -2100,706 +2285,1050 @@ spec: - namespace type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. 
- It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. 
properties: allowedManagedKeys: - description: Set of managed key registry entry names that the - mount in question is allowed to access List of managed key registry - entry names that the mount in question is allowed to access + description: |- + Set of managed key registry entry names that the mount in question is allowed to access + List of managed key registry entry names that the mount in question is allowed to access + items: + type: string + type: array + x-kubernetes-list-type: set + allowedResponseHeaders: + description: List of headers to allow and pass from the request + to the plugin items: type: string type: array auditNonHmacRequestKeys: - description: Specifies the list of keys that will not be HMAC'd - by audit devices in the request data object. Specifies the list - of keys that will not be HMAC'd by audit devices in the request - data object. + description: |- + Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. + Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. items: type: string type: array auditNonHmacResponseKeys: - description: Specifies the list of keys that will not be HMAC'd - by audit devices in the response data object. Specifies the - list of keys that will not be HMAC'd by audit devices in the - response data object. + description: |- + Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. + Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. items: type: string type: array cassandra: - description: A nested block containing configuration options for - Cassandra connections. See Connection parameters for the cassandra-database-plugin - plugin. + description: |- + A nested block containing configuration options for Cassandra connections. + See + Connection parameters for the cassandra-database-plugin plugin. 
items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array connectTimeout: - description: The number of seconds to use as a connection - timeout. The number of seconds to use as a connection + description: |- + The number of seconds to use as a connection timeout. + The number of seconds to use as a connection timeout. type: number data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular hosts: - description: The hosts to connect to. Cassandra hosts to - connect to. + description: |- + The hosts to connect to. + Cassandra hosts to connect to. items: type: string type: array insecureTls: - description: Whether to skip verification of the server - certificate when using TLS. Whether to skip verification - of the server certificate when using TLS. + description: |- + Whether to skip verification of the server + certificate when using TLS. + Whether to skip verification of the server certificate when using TLS. type: boolean name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string + passwordSecretRef: + description: |- + The password to authenticate with. + The password to use when authenticating with Cassandra. + properties: + key: + description: The key to select. 
+ type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + pemBundleSecretRef: + description: |- + Concatenated PEM blocks configuring the certificate + chain. + Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + pemJsonSecretRef: + description: |- + A JSON structure configuring the certificate chain. + Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string port: - description: The default port to connect to if no port is - specified as part of the host. The transport port to use - to connect to Cassandra. + description: |- + The default port to connect to if no port is specified as + part of the host. + The transport port to use to connect to Cassandra. 
type: number protocolVersion: - description: The CQL protocol version to use. The CQL protocol - version to use. + description: |- + The CQL protocol version to use. + The CQL protocol version to use. type: number rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array tls: - description: Whether to use TLS when connecting to Cassandra. + description: |- + Whether to use TLS when connecting to Cassandra. Whether to use TLS when connecting to Cassandra. type: boolean username: - description: The username to authenticate with. The username - to use when authenticating with Cassandra. + description: |- + The username to authenticate with. + The username to use when authenticating with Cassandra. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array couchbase: - description: A nested block containing configuration options for - Couchbase connections. See Connection parameters for the couchbase-database-plugin - plugin. + description: |- + A nested block containing configuration options for Couchbase connections. + See + Connection parameters for the couchbase-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. 
A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array + base64PemSecretRef: + description: |- + Required if tls is true. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded. + Required if `tls` is `true`. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object bucketName: - description: Required for Couchbase versions prior to 6.5.0. - This is only used to verify vault's connection to the - server. Required for Couchbase versions prior to 6.5.0. - This is only used to verify vault's connection to the - server. + description: |- + Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. + Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular hosts: - description: The hosts to connect to. A set of Couchbase - URIs to connect to. Must use `couchbases://` scheme if - `tls` is `true`. + description: |- + The hosts to connect to. 
+ A set of Couchbase URIs to connect to. Must use `couchbases://` scheme if `tls` is `true`. items: type: string type: array insecureTls: - description: Whether to skip verification of the server - certificate when using TLS. Specifies whether to skip - verification of the server certificate when using TLS. + description: |- + Whether to skip verification of the server + certificate when using TLS. + Specifies whether to skip verification of the server certificate when using TLS. type: boolean name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string + passwordSecretRef: + description: |- + The password to authenticate with. + Specifies the password corresponding to the given username. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array tls: - description: Whether to use TLS when connecting to Cassandra. 
+ description: |- + Whether to use TLS when connecting to Cassandra. Specifies whether to use TLS when connecting to Couchbase. type: boolean username: - description: The username to authenticate with. Specifies - the username for Vault to use. + description: |- + The username to authenticate with. + Specifies the username for Vault to use. type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Template describing how dynamic usernames are - generated. + description: |- + Template describing how dynamic usernames are generated. + Template describing how dynamic usernames are generated. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean + required: + - passwordSecretRef type: object type: array defaultLeaseTtlSeconds: - description: Default lease duration for tokens and secrets in - seconds Default lease duration for tokens and secrets in seconds + description: |- + Default lease duration for tokens and secrets in seconds + Default lease duration for tokens and secrets in seconds type: number + delegatedAuthAccessors: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array description: - description: Human-friendly description of the mount Human-friendly - description of the mount + description: |- + Human-friendly description of the mount + Human-friendly description of the mount type: string elasticsearch: - description: A nested block containing configuration options for - Elasticsearch connections. See Connection parameters for the - elasticsearch-database-plugin. 
+ description: |- + A nested block containing configuration options for Elasticsearch connections. + See + Connection parameters for the elasticsearch-database-plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array caCert: - description: The path to a PEM-encoded CA cert file to use - to verify the Elasticsearch server's identity. The path - to a PEM-encoded CA cert file to use to verify the Elasticsearch - server's identity + description: |- + The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity. + The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity type: string caPath: - description: The path to a directory of PEM-encoded CA cert - files to use to verify the Elasticsearch server's identity. - The path to a directory of PEM-encoded CA cert files to - use to verify the Elasticsearch server's identity + description: |- + The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity. + The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity type: string clientCert: - description: The path to the certificate for the Elasticsearch - client to present for communication. The path to the certificate - for the Elasticsearch client to present for communication + description: |- + The path to the certificate for the Elasticsearch client to present for communication. + The path to the certificate for the Elasticsearch client to present for communication type: string clientKey: - description: The path to the key for the Elasticsearch client - to use for communication. 
The path to the key for the - Elasticsearch client to use for communication + description: |- + The path to the key for the Elasticsearch client to use for communication. + The path to the key for the Elasticsearch client to use for communication type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular insecure: - description: Whether to disable certificate verification. + description: |- + Whether to disable certificate verification. Whether to disable certificate verification type: boolean name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string + passwordSecretRef: + description: |- + The password to authenticate with. + The password to be used in the connection URL + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. 
type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array tlsServerName: - description: This, if set, is used to set the SNI host when - connecting via TLS. This, if set, is used to set the SNI - host when connecting via TLS + description: |- + This, if set, is used to set the SNI host when connecting via TLS. + This, if set, is used to set the SNI host when connecting via TLS type: string url: - description: The URL for Elasticsearch's API. https requires - certificate by trusted CA if used. The URL for Elasticsearch's - API + description: |- + The URL for Elasticsearch's API. https requires certificate + by trusted CA if used. + The URL for Elasticsearch's API type: string username: - description: The username to authenticate with. The username - to be used in the connection URL + description: |- + The username to authenticate with. + The username to be used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Template describing how dynamic usernames are - generated. + description: |- + Template describing how dynamic usernames are generated. + Template describing how dynamic usernames are generated. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. 
type: boolean + required: + - passwordSecretRef type: object type: array externalEntropyAccess: - description: Boolean flag that can be explicitly set to true to - enable the secrets engine to access Vault's external entropy - source Enable the secrets engine to access Vault's external - entropy source + description: |- + Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source + Enable the secrets engine to access Vault's external entropy source type: boolean hana: - description: A nested block containing configuration options for - SAP HanaDB connections. See Connection parameters for the hana-database-plugin - plugin. + description: |- + A nested block containing configuration options for SAP HanaDB connections. + See + Connection parameters for the hana-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. + description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. 
type: object + x-kubernetes-map-type: granular disableEscaping: - description: Disable special character escaping in username - and password. Disable special character escaping in username - and password + description: |- + Disable special character escaping in username and password. + Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string + passwordSecretRef: + description: |- + The password to authenticate with. + The root credential password used in the connection URL + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. 
+ Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array + identityTokenKey: + description: The key to use for signing plugin workload identity + tokens + type: string influxdb: - description: A nested block containing configuration options for - InfluxDB connections. See Connection parameters for the influxdb-database-plugin - plugin. + description: |- + A nested block containing configuration options for InfluxDB connections. + See + Connection parameters for the influxdb-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. 
items: type: string type: array connectTimeout: - description: The number of seconds to use as a connection - timeout. The number of seconds to use as a connection + description: |- + The number of seconds to use as a connection timeout. + The number of seconds to use as a connection timeout. type: number data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular host: - description: The host to connect to. Influxdb host to connect - to. + description: |- + The host to connect to. + Influxdb host to connect to. type: string insecureTls: - description: Whether to skip verification of the server - certificate when using TLS. Whether to skip verification - of the server certificate when using TLS. + description: |- + Whether to skip verification of the server + certificate when using TLS. + Whether to skip verification of the server certificate when using TLS. type: boolean name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string + passwordSecretRef: + description: |- + The password to authenticate with. + Specifies the password corresponding to the given username. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + pemBundleSecretRef: + description: |- + Concatenated PEM blocks configuring the certificate + chain. 
+ Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + pemJsonSecretRef: + description: |- + A JSON structure configuring the certificate chain. + Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string port: - description: The default port to connect to if no port is - specified as part of the host. The transport port to use - to connect to Influxdb. + description: |- + The default port to connect to if no port is specified as + part of the host. + The transport port to use to connect to Influxdb. type: number rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. 
+ A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array tls: - description: Whether to use TLS when connecting to Cassandra. + description: |- + Whether to use TLS when connecting to Cassandra. Whether to use TLS when connecting to Influxdb. type: boolean username: - description: The username to authenticate with. Specifies - the username to use for superuser access. + description: |- + The username to authenticate with. + Specifies the username to use for superuser access. type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Template describing how dynamic usernames are - generated. + description: |- + Template describing how dynamic usernames are generated. + Template describing how dynamic usernames are generated. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. 
type: boolean + required: + - passwordSecretRef type: object type: array + listingVisibility: + description: Specifies whether to show this mount in the UI-specific + listing endpoint + type: string local: - description: Boolean flag that can be explicitly set to true to - enforce local mount in HA environment Local mount flag that - can be explicitly set to true to enforce local mount in HA environment + description: |- + Boolean flag that can be explicitly set to true to enforce local mount in HA environment + Local mount flag that can be explicitly set to true to enforce local mount in HA environment type: boolean maxLeaseTtlSeconds: - description: Maximum possible lease duration for tokens and secrets - in seconds Maximum possible lease duration for tokens and secrets - in seconds + description: |- + Maximum possible lease duration for tokens and secrets in seconds + Maximum possible lease duration for tokens and secrets in seconds type: number mongodb: - description: A nested block containing configuration options for - MongoDB connections. See Connection parameters for the mongodb-database-plugin - plugin. + description: |- + A nested block containing configuration options for MongoDB connections. + See + Connection parameters for the mongodb-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. + description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. 
type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string + passwordSecretRef: + description: |- + The password to authenticate with. + The root credential password used in the connection URL + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. 
Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array mongodbatlas: - description: A nested block containing configuration options for - MongoDB Atlas connections. See Connection parameters for the - mongodbatlas-database-plugin plugin. + description: |- + A nested block containing configuration options for MongoDB Atlas connections. + See + Connection parameters for the mongodbatlas-database-plugin plugin. 
items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string + privateKeySecretRef: + description: |- + The Private Programmatic API Key used to connect with MongoDB Atlas API. + The Private Programmatic API Key used to connect with MongoDB Atlas API. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object projectId: - description: The Project ID the Database User should be - created within. 
The Project ID the Database User should - be created within. + description: |- + The Project ID the Database User should be created within. + The Project ID the Database User should be created within. type: string publicKey: - description: The Public Programmatic API Key used to authenticate - with the MongoDB Atlas API. The Public Programmatic API - Key used to authenticate with the MongoDB Atlas API. + description: |- + The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. + The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean + required: + - privateKeySecretRef type: object type: array mssql: - description: A nested block containing configuration options for - MSSQL connections. See Connection parameters for the mssql-database-plugin - plugin. + description: |- + A nested block containing configuration options for MSSQL connections. + See + Connection parameters for the mssql-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. 
A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. + description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. type: string containedDb: - description: For Vault v1.9+. Set to true when the target - is a Contained Database, e.g. AzureSQL. See Vault docs - Set to true when the target is a Contained Database, e.g. - AzureSQL. + description: |- + For Vault v1.9+. Set to true when the target is a + Contained Database, e.g. AzureSQL. + See Vault docs + Set to true when the target is a Contained Database, e.g. AzureSQL. type: boolean data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular disableEscaping: - description: Disable special character escaping in username - and password. Disable special character escaping in username - and password + description: |- + Disable special character escaping in username and password. + Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. 
+ Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string - pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. - type: string - rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. - items: - type: string - type: array - username: - description: The username to authenticate with. The root - credential username used in the connection URL - type: string - usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. - type: string - verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. - type: boolean - type: object + passwordSecretRef: + description: |- + The password to authenticate with. + The root credential password used in the connection URL + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. 
+ type: string + required: + - key + - name + - namespace + type: object + pluginName: + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + type: string + rootRotationStatements: + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. + items: + type: string + type: array + username: + description: |- + The username to authenticate with. + The root credential username used in the connection URL + type: string + usernameTemplate: + description: |- + Template describing how dynamic usernames are generated. + Username generation template. + type: string + verifyConnection: + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. + type: boolean + type: object type: array mysql: - description: A nested block containing configuration options for - MySQL connections. See Connection parameters for the mysql-database-plugin - plugin. + description: |- + A nested block containing configuration options for MySQL connections. + See + Connection parameters for the mysql-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array 
@@ -2808,79 +3337,145 @@ spec: 'gcp_iam' is valid currently) type: string connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. + description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string + passwordSecretRef: + description: |- + The password to authenticate with. + The root credential password used in the connection URL + properties: + key: + description: The key to select. 
+ type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array + serviceAccountJsonSecretRef: + description: A JSON encoded credential for use with IAM + authorization + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object tlsCa: - description: x509 CA file for validating the certificate - presented by the MySQL server. Must be PEM encoded. x509 - CA file for validating the certificate presented by the - MySQL server. Must be PEM encoded. + description: |- + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. type: string + tlsCertificateKeySecretRef: + description: |- + x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined. + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array mysqlAurora: - description: A nested block containing configuration options for - Aurora MySQL connections. See Connection parameters for the - mysql-aurora-database-plugin plugin. + description: |- + A nested block containing configuration options for Aurora MySQL connections. + See + Connection parameters for the mysql-aurora-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. 
items: type: string type: array 
@@ -2889,79 +3484,145 @@ spec: 'gcp_iam' is valid currently) type: string connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. + description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string + passwordSecretRef: + description: |- + The password to authenticate with. + The root credential password used in the connection URL + properties: + key: + description: The key to select. 
+ type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array + serviceAccountJsonSecretRef: + description: A JSON encoded credential for use with IAM + authorization + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object tlsCa: - description: x509 CA file for validating the certificate - presented by the MySQL server. Must be PEM encoded. x509 - CA file for validating the certificate presented by the - MySQL server. Must be PEM encoded. + description: |- + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. type: string + tlsCertificateKeySecretRef: + description: |- + x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined. + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array mysqlLegacy: - description: A nested block containing configuration options for - legacy MySQL connections. See Connection parameters for the - mysql-legacy-database-plugin plugin. + description: |- + A nested block containing configuration options for legacy MySQL connections. + See + Connection parameters for the mysql-legacy-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. 
items: type: string type: array 
@@ -2970,79 +3631,145 @@ spec: 'gcp_iam' is valid currently) type: string connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. + description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string + passwordSecretRef: + description: |- + The password to authenticate with. + The root credential password used in the connection URL + properties: + key: + description: The key to select. 
+ type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array + serviceAccountJsonSecretRef: + description: A JSON encoded credential for use with IAM + authorization + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object tlsCa: - description: x509 CA file for validating the certificate - presented by the MySQL server. Must be PEM encoded. x509 - CA file for validating the certificate presented by the - MySQL server. Must be PEM encoded. + description: |- + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. type: string + tlsCertificateKeySecretRef: + description: |- + x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined. + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array mysqlRds: - description: A nested block containing configuration options for - RDS MySQL connections. See Connection parameters for the mysql-rds-database-plugin - plugin. + description: |- + A nested block containing configuration options for RDS MySQL connections. + See + Connection parameters for the mysql-rds-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. 
items: type: string type: array 
@@ -3051,66 +3778,130 @@ spec: 'gcp_iam' is valid currently) type: string connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. + description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string + passwordSecretRef: + description: |- + The password to authenticate with. + The root credential password used in the connection URL + properties: + key: + description: The key to select. 
+ type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array + serviceAccountJsonSecretRef: + description: A JSON encoded credential for use with IAM + authorization + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object tlsCa: - description: x509 CA file for validating the certificate - presented by the MySQL server. Must be PEM encoded. x509 - CA file for validating the certificate presented by the - MySQL server. Must be PEM encoded. + description: |- + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. type: string + tlsCertificateKeySecretRef: + description: |- + x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined. + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array 
@@ -3120,67 +3911,95 @@ spec: options: additionalProperties: type: string - description: Specifies mount type specific options that are passed - to the backend Specifies mount type specific options that are - passed to the backend + description: |- + Specifies mount type specific options that are passed to the backend + Specifies mount type specific options that are passed to the backend type: object + x-kubernetes-map-type: granular oracle: - description: A nested block containing configuration options for - Oracle connections. See Connection parameters for the oracle-database-plugin - plugin. + description: |- + A nested block containing configuration options for Oracle connections. + See + Connection parameters for the oracle-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. + description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular disconnectSessions: description: Set to true to disconnect any open sessions prior to running the revocation statements. 
type: boolean maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string + passwordSecretRef: + description: |- + The password to authenticate with. + The root credential password used in the connection URL + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. 
+ description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array 
@@ -3189,34 +4008,50 @@ spec: semi-colons. type: boolean username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array + passthroughRequestHeaders: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array path: - description: Where the secret backend will be mounted Where the - secret backend will be mounted + description: |- + Where the secret backend will be mounted + Where the secret backend will be mounted + type: string + pluginVersion: + description: Specifies the semantic version of the plugin to use, + e.g. 'v1.0.0' type: string postgresql: - description: A nested block containing configuration options for - PostgreSQL connections. See Connection parameters for the postgresql-database-plugin - plugin. + description: |- + A nested block containing configuration options for PostgreSQL connections. + See + Connection parameters for the postgresql-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. 
+ A list of roles that are allowed to use this connection. items: type: string type: array 
@@ -3225,349 +4060,522 @@ spec: 'gcp_iam' is valid currently) type: string connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. + description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular disableEscaping: - description: Disable special character escaping in username - and password. Disable special character escaping in username - and password + description: |- + Disable special character escaping in username and password. + Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. 
type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string + passwordSecretRef: + description: |- + The password to authenticate with. + The root credential password used in the connection URL + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array + serviceAccountJsonSecretRef: + description: A JSON encoded credential for use with IAM + authorization + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. 
+ The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array redis: - description: A nested block containing configuration options for - Redis connections. See Connection parameters for the redis-database-plugin - plugin. + description: |- + A nested block containing configuration options for Redis connections. + See + Connection parameters for the redis-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array caCert: - description: The path to a PEM-encoded CA cert file to use - to verify the Elasticsearch server's identity. The contents - of a PEM-encoded CA cert file to use to verify the Redis - server's identity. + description: |- + The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity. + The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. 
Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular host: - description: The host to connect to. Specifies the host - to connect to + description: |- + The host to connect to. + Specifies the host to connect to type: string insecureTls: - description: Whether to skip verification of the server - certificate when using TLS. Specifies whether to skip - verification of the server certificate when using TLS. + description: |- + Whether to skip verification of the server + certificate when using TLS. + Specifies whether to skip verification of the server certificate when using TLS. type: boolean name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string + passwordSecretRef: + description: |- + The password to authenticate with. + Specifies the password corresponding to the given username. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string port: - description: The default port to connect to if no port is - specified as part of the host. The transport port to use - to connect to Redis. 
+ description: |- + The default port to connect to if no port is specified as + part of the host. + The transport port to use to connect to Redis. type: number rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array tls: - description: Whether to use TLS when connecting to Cassandra. + description: |- + Whether to use TLS when connecting to Cassandra. Specifies whether to use TLS when connecting to Redis. type: boolean username: - description: The username to authenticate with. Specifies - the username for Vault to use. + description: |- + The username to authenticate with. + Specifies the username for Vault to use. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean + required: + - passwordSecretRef type: object type: array redisElasticache: - description: A nested block containing configuration options for - Redis ElastiCache connections. See Connection parameters for - the redis-elasticache-database-plugin plugin. + description: |- + A nested block containing configuration options for Redis ElastiCache connections. + See + Connection parameters for the redis-elasticache-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. 
A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string + passwordSecretRef: + description: |- + The password to authenticate with. + The AWS secret key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string region: - description: The AWS region where the ElastiCache cluster - is hosted. If omitted the plugin tries to infer the region - from the environment. The AWS region where the ElastiCache - cluster is hosted. 
If omitted the plugin tries to infer - the region from the environment. + description: |- + The AWS region where the ElastiCache cluster is hosted. + If omitted the plugin tries to infer the region from the environment. + The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array url: - description: The URL for Elasticsearch's API. https requires - certificate by trusted CA if used. The configuration endpoint - for the ElastiCache cluster to connect to. + description: |- + The URL for Elasticsearch's API. https requires certificate + by trusted CA if used. + The configuration endpoint for the ElastiCache cluster to connect to. type: string + usernameSecretRef: + description: |- + The username to authenticate with. + The AWS access key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. 
type: boolean type: object type: array redshift: - description: A nested block containing configuration options for - AWS Redshift connections. See Connection parameters for the - redshift-database-plugin plugin. + description: |- + A nested block containing configuration options for AWS Redshift connections. + See + Connection parameters for the redshift-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. + description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular disableEscaping: - description: Disable special character escaping in username - and password. Disable special character escaping in username - and password + description: |- + Disable special character escaping in username and password. + Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. 
+ description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string + passwordSecretRef: + description: |- + The password to authenticate with. + The root credential password used in the connection URL + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. 
items: type: string type: array username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array sealWrap: - description: Boolean flag that can be explicitly set to true to - enable seal wrapping for the mount, causing values stored by - the mount to be wrapped by the seal's encryption capability - Enable seal wrapping for the mount, causing values stored by - the mount to be wrapped by the seal's encryption capability + description: |- + Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability + Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability type: boolean snowflake: - description: A nested block containing configuration options for - Snowflake connections. See Connection parameters for the snowflake-database-plugin - plugin. + description: |- + A nested block containing configuration options for Snowflake connections. + See + Connection parameters for the snowflake-database-plugin plugin. 
items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. + description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. 
type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string + passwordSecretRef: + description: |- + The password to authenticate with. + The root credential password used in the connection URL + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. 
type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array 
@@ -3575,20 +4583,21 @@ spec: managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. 
+ description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -3601,45 +4610,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -3649,21 +4623,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -3673,17 +4647,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -3693,21 +4669,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -3722,21 +4698,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -3747,14 +4724,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. @@ -3770,10 +4748,10 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: path is a required parameter + - message: spec.forProvider.path is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.path) - || has(self.initProvider.path)' + || (has(self.initProvider) && has(self.initProvider.path))' status: description: SecretsMountStatus defines the observed state of SecretsMount. properties: 
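Review bot: The `message` in the `@@ -3770,10 +4748,10 @@` hunk now reads `spec.forProvider.path is a required parameter`, yet the rule beside it also passes when only `initProvider.path` is set, so the error text describes less than the check accepts. If the second option should be discoverable from the rejection, the text could read `message: spec.forProvider.path or spec.initProvider.path is a required parameter`. The schema reads like generator output, so the wording would presumably be changed in the generator's template and the CRD regenerated, not edited by hand here.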
@@ -3783,671 +4761,756 @@ spec: description: Accessor of the mount type: string allowedManagedKeys: - description: Set of managed key registry entry names that the - mount in question is allowed to access List of managed key registry - entry names that the mount in question is allowed to access + description: |- + Set of managed key registry entry names that the mount in question is allowed to access + List of managed key registry entry names that the mount in question is allowed to access + items: + type: string + type: array + x-kubernetes-list-type: set + allowedResponseHeaders: + description: List of headers to allow and pass from the request + to the plugin items: type: string type: array auditNonHmacRequestKeys: - description: Specifies the list of keys that will not be HMAC'd - by audit devices in the request data object. Specifies the list - of keys that will not be HMAC'd by audit devices in the request - data object. + description: |- + Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. + Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. items: type: string type: array auditNonHmacResponseKeys: - description: Specifies the list of keys that will not be HMAC'd - by audit devices in the response data object. Specifies the - list of keys that will not be HMAC'd by audit devices in the - response data object. + description: |- + Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. + Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. items: type: string type: array cassandra: - description: A nested block containing configuration options for - Cassandra connections. See Connection parameters for the cassandra-database-plugin - plugin. + description: |- + A nested block containing configuration options for Cassandra connections. 
+ See + Connection parameters for the cassandra-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array connectTimeout: - description: The number of seconds to use as a connection - timeout. The number of seconds to use as a connection + description: |- + The number of seconds to use as a connection timeout. + The number of seconds to use as a connection timeout. type: number data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular hosts: - description: The hosts to connect to. Cassandra hosts to - connect to. + description: |- + The hosts to connect to. + Cassandra hosts to connect to. items: type: string type: array insecureTls: - description: Whether to skip verification of the server - certificate when using TLS. Whether to skip verification - of the server certificate when using TLS. + description: |- + Whether to skip verification of the server + certificate when using TLS. + Whether to skip verification of the server certificate when using TLS. type: boolean name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use. 
Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string port: - description: The default port to connect to if no port is - specified as part of the host. The transport port to use - to connect to Cassandra. + description: |- + The default port to connect to if no port is specified as + part of the host. + The transport port to use to connect to Cassandra. type: number protocolVersion: - description: The CQL protocol version to use. The CQL protocol - version to use. + description: |- + The CQL protocol version to use. + The CQL protocol version to use. type: number rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array tls: - description: Whether to use TLS when connecting to Cassandra. + description: |- + Whether to use TLS when connecting to Cassandra. Whether to use TLS when connecting to Cassandra. type: boolean username: - description: The username to authenticate with. The username - to use when authenticating with Cassandra. + description: |- + The username to authenticate with. + The username to use when authenticating with Cassandra. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. 
+ description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array couchbase: - description: A nested block containing configuration options for - Couchbase connections. See Connection parameters for the couchbase-database-plugin - plugin. + description: |- + A nested block containing configuration options for Couchbase connections. + See + Connection parameters for the couchbase-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array bucketName: - description: Required for Couchbase versions prior to 6.5.0. - This is only used to verify vault's connection to the - server. Required for Couchbase versions prior to 6.5.0. - This is only used to verify vault's connection to the - server. + description: |- + Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. + Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular hosts: - description: The hosts to connect to. A set of Couchbase - URIs to connect to. 
Must use `couchbases://` scheme if - `tls` is `true`. + description: |- + The hosts to connect to. + A set of Couchbase URIs to connect to. Must use `couchbases://` scheme if `tls` is `true`. items: type: string type: array insecureTls: - description: Whether to skip verification of the server - certificate when using TLS. Specifies whether to skip - verification of the server certificate when using TLS. + description: |- + Whether to skip verification of the server + certificate when using TLS. + Specifies whether to skip verification of the server certificate when using TLS. type: boolean name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array tls: - description: Whether to use TLS when connecting to Cassandra. + description: |- + Whether to use TLS when connecting to Cassandra. Specifies whether to use TLS when connecting to Couchbase. type: boolean username: - description: The username to authenticate with. Specifies - the username for Vault to use. 
+ description: |- + The username to authenticate with. + Specifies the username for Vault to use. type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Template describing how dynamic usernames are - generated. + description: |- + Template describing how dynamic usernames are generated. + Template describing how dynamic usernames are generated. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array defaultLeaseTtlSeconds: - description: Default lease duration for tokens and secrets in - seconds Default lease duration for tokens and secrets in seconds + description: |- + Default lease duration for tokens and secrets in seconds + Default lease duration for tokens and secrets in seconds type: number + delegatedAuthAccessors: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array description: - description: Human-friendly description of the mount Human-friendly - description of the mount + description: |- + Human-friendly description of the mount + Human-friendly description of the mount type: string elasticsearch: - description: A nested block containing configuration options for - Elasticsearch connections. See Connection parameters for the - elasticsearch-database-plugin. + description: |- + A nested block containing configuration options for Elasticsearch connections. + See + Connection parameters for the elasticsearch-database-plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. 
A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array caCert: - description: The path to a PEM-encoded CA cert file to use - to verify the Elasticsearch server's identity. The path - to a PEM-encoded CA cert file to use to verify the Elasticsearch - server's identity + description: |- + The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity. + The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity type: string caPath: - description: The path to a directory of PEM-encoded CA cert - files to use to verify the Elasticsearch server's identity. - The path to a directory of PEM-encoded CA cert files to - use to verify the Elasticsearch server's identity + description: |- + The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity. + The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity type: string clientCert: - description: The path to the certificate for the Elasticsearch - client to present for communication. The path to the certificate - for the Elasticsearch client to present for communication + description: |- + The path to the certificate for the Elasticsearch client to present for communication. + The path to the certificate for the Elasticsearch client to present for communication type: string clientKey: - description: The path to the key for the Elasticsearch client - to use for communication. The path to the key for the - Elasticsearch client to use for communication + description: |- + The path to the key for the Elasticsearch client to use for communication. 
+ The path to the key for the Elasticsearch client to use for communication type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular insecure: - description: Whether to disable certificate verification. + description: |- + Whether to disable certificate verification. Whether to disable certificate verification type: boolean name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array tlsServerName: - description: This, if set, is used to set the SNI host when - connecting via TLS. 
This, if set, is used to set the SNI - host when connecting via TLS + description: |- + This, if set, is used to set the SNI host when connecting via TLS. + This, if set, is used to set the SNI host when connecting via TLS type: string url: - description: The URL for Elasticsearch's API. https requires - certificate by trusted CA if used. The URL for Elasticsearch's - API + description: |- + The URL for Elasticsearch's API. https requires certificate + by trusted CA if used. + The URL for Elasticsearch's API type: string username: - description: The username to authenticate with. The username - to be used in the connection URL + description: |- + The username to authenticate with. + The username to be used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Template describing how dynamic usernames are - generated. + description: |- + Template describing how dynamic usernames are generated. + Template describing how dynamic usernames are generated. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array engineCount: - description: The total number of database secrets engines configured. - Total number of database secret engines configured under the - mount. + description: |- + The total number of database secrets engines configured. + Total number of database secret engines configured under the mount. 
type: number externalEntropyAccess: - description: Boolean flag that can be explicitly set to true to - enable the secrets engine to access Vault's external entropy - source Enable the secrets engine to access Vault's external - entropy source + description: |- + Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source + Enable the secrets engine to access Vault's external entropy source type: boolean hana: - description: A nested block containing configuration options for - SAP HanaDB connections. See Connection parameters for the hana-database-plugin - plugin. + description: |- + A nested block containing configuration options for SAP HanaDB connections. + See + Connection parameters for the hana-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. + description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular disableEscaping: - description: Disable special character escaping in username - and password. 
Disable special character escaping in username - and password + description: |- + Disable special character escaping in username and password. + Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. 
items: type: string type: array username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array id: type: string + identityTokenKey: + description: The key to use for signing plugin workload identity + tokens + type: string influxdb: - description: A nested block containing configuration options for - InfluxDB connections. See Connection parameters for the influxdb-database-plugin - plugin. + description: |- + A nested block containing configuration options for InfluxDB connections. + See + Connection parameters for the influxdb-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array connectTimeout: - description: The number of seconds to use as a connection - timeout. The number of seconds to use as a connection + description: |- + The number of seconds to use as a connection timeout. + The number of seconds to use as a connection timeout. type: number data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. 
+ description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular host: - description: The host to connect to. Influxdb host to connect - to. + description: |- + The host to connect to. + Influxdb host to connect to. type: string insecureTls: - description: Whether to skip verification of the server - certificate when using TLS. Whether to skip verification - of the server certificate when using TLS. + description: |- + Whether to skip verification of the server + certificate when using TLS. + Whether to skip verification of the server certificate when using TLS. type: boolean name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string port: - description: The default port to connect to if no port is - specified as part of the host. The transport port to use - to connect to Influxdb. + description: |- + The default port to connect to if no port is specified as + part of the host. + The transport port to use to connect to Influxdb. type: number rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. 
+ description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array tls: - description: Whether to use TLS when connecting to Cassandra. + description: |- + Whether to use TLS when connecting to Cassandra. Whether to use TLS when connecting to Influxdb. type: boolean username: - description: The username to authenticate with. Specifies - the username to use for superuser access. + description: |- + The username to authenticate with. + Specifies the username to use for superuser access. type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Template describing how dynamic usernames are - generated. + description: |- + Template describing how dynamic usernames are generated. + Template describing how dynamic usernames are generated. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. 
type: boolean type: object type: array + listingVisibility: + description: Specifies whether to show this mount in the UI-specific + listing endpoint + type: string local: - description: Boolean flag that can be explicitly set to true to - enforce local mount in HA environment Local mount flag that - can be explicitly set to true to enforce local mount in HA environment + description: |- + Boolean flag that can be explicitly set to true to enforce local mount in HA environment + Local mount flag that can be explicitly set to true to enforce local mount in HA environment type: boolean maxLeaseTtlSeconds: - description: Maximum possible lease duration for tokens and secrets - in seconds Maximum possible lease duration for tokens and secrets - in seconds + description: |- + Maximum possible lease duration for tokens and secrets in seconds + Maximum possible lease duration for tokens and secrets in seconds type: number mongodb: - description: A nested block containing configuration options for - MongoDB connections. See Connection parameters for the mongodb-database-plugin - plugin. + description: |- + A nested block containing configuration options for MongoDB connections. + See + Connection parameters for the mongodb-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. + description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. 
- Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. 
+ description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array mongodbatlas: - description: A nested block containing configuration options for - MongoDB Atlas connections. See Connection parameters for the - mongodbatlas-database-plugin plugin. + description: |- + A nested block containing configuration options for MongoDB Atlas connections. + See + Connection parameters for the mongodbatlas-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. 
Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string projectId: - description: The Project ID the Database User should be - created within. The Project ID the Database User should - be created within. + description: |- + The Project ID the Database User should be created within. + The Project ID the Database User should be created within. type: string publicKey: - description: The Public Programmatic API Key used to authenticate - with the MongoDB Atlas API. The Public Programmatic API - Key used to authenticate with the MongoDB Atlas API. + description: |- + The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. + The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. 
items: type: string type: array verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array mssql: - description: A nested block containing configuration options for - MSSQL connections. See Connection parameters for the mssql-database-plugin - plugin. + description: |- + A nested block containing configuration options for MSSQL connections. + See + Connection parameters for the mssql-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. + description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. type: string containedDb: - description: For Vault v1.9+. Set to true when the target - is a Contained Database, e.g. AzureSQL. See Vault docs - Set to true when the target is a Contained Database, e.g. - AzureSQL. + description: |- + For Vault v1.9+. Set to true when the target is a + Contained Database, e.g. AzureSQL. + See Vault docs + Set to true when the target is a Contained Database, e.g. AzureSQL. type: boolean data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. 
Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular disableEscaping: - description: Disable special character escaping in username - and password. Disable special character escaping in username - and password + description: |- + Disable special character escaping in username and password. + Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. 
type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array mysql: - description: A nested block containing configuration options for - MySQL connections. See Connection parameters for the mysql-database-plugin - plugin. + description: |- + A nested block containing configuration options for MySQL connections. + See + Connection parameters for the mysql-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array 
@@ -4456,79 +5519,89 @@ spec: 'gcp_iam' is valid currently) type: string connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. + description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. 
+ description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array tlsCa: - description: x509 CA file for validating the certificate - presented by the MySQL server. Must be PEM encoded. x509 - CA file for validating the certificate presented by the - MySQL server. Must be PEM encoded. + description: |- + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. type: string username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. 
type: boolean type: object type: array mysqlAurora: - description: A nested block containing configuration options for - Aurora MySQL connections. See Connection parameters for the - mysql-aurora-database-plugin plugin. + description: |- + A nested block containing configuration options for Aurora MySQL connections. + See + Connection parameters for the mysql-aurora-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array 
@@ -4537,79 +5610,89 @@ spec: 'gcp_iam' is valid currently) type: string connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. + description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. 
+ description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array tlsCa: - description: x509 CA file for validating the certificate - presented by the MySQL server. Must be PEM encoded. x509 - CA file for validating the certificate presented by the - MySQL server. Must be PEM encoded. + description: |- + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. type: string username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. 
type: boolean type: object type: array mysqlLegacy: - description: A nested block containing configuration options for - legacy MySQL connections. See Connection parameters for the - mysql-legacy-database-plugin plugin. + description: |- + A nested block containing configuration options for legacy MySQL connections. + See + Connection parameters for the mysql-legacy-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array 
@@ -4618,79 +5701,89 @@ spec: 'gcp_iam' is valid currently) type: string connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. + description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. 
+ description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array tlsCa: - description: x509 CA file for validating the certificate - presented by the MySQL server. Must be PEM encoded. x509 - CA file for validating the certificate presented by the - MySQL server. Must be PEM encoded. + description: |- + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. type: string username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. 
type: boolean type: object type: array mysqlRds: - description: A nested block containing configuration options for - RDS MySQL connections. See Connection parameters for the mysql-rds-database-plugin - plugin. + description: |- + A nested block containing configuration options for RDS MySQL connections. + See + Connection parameters for the mysql-rds-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array 
@@ -4699,66 +5792,74 @@ spec: 'gcp_iam' is valid currently) type: string connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. + description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. 
+ description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array tlsCa: - description: x509 CA file for validating the certificate - presented by the MySQL server. Must be PEM encoded. x509 - CA file for validating the certificate presented by the - MySQL server. Must be PEM encoded. + description: |- + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. type: string username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array 
@@ -4768,67 +5869,76 @@ spec: options: additionalProperties: type: string - description: Specifies mount type specific options that are passed - to the backend Specifies mount type specific options that are - passed to the backend + description: |- + Specifies mount type specific options that are passed to the backend + Specifies mount type specific options that are passed to the backend type: object + x-kubernetes-map-type: granular oracle: - description: A nested block containing configuration options for - Oracle connections. See Connection parameters for the oracle-database-plugin - plugin. + description: |- + A nested block containing configuration options for Oracle connections. + See + Connection parameters for the oracle-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. + description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular disconnectSessions: description: Set to true to disconnect any open sessions prior to running the revocation statements. 
type: boolean maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array 
@@ -4837,34 +5947,50 @@ spec: semi-colons. type: boolean username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array + passthroughRequestHeaders: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array path: - description: Where the secret backend will be mounted Where the - secret backend will be mounted + description: |- + Where the secret backend will be mounted + Where the secret backend will be mounted + type: string + pluginVersion: + description: Specifies the semantic version of the plugin to use, + e.g. 'v1.0.0' type: string postgresql: - description: A nested block containing configuration options for - PostgreSQL connections. See Connection parameters for the postgresql-database-plugin - plugin. + description: |- + A nested block containing configuration options for PostgreSQL connections. + See + Connection parameters for the postgresql-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. 
+ A list of roles that are allowed to use this connection. items: type: string type: array 
@@ -4873,349 +5999,388 @@ spec: 'gcp_iam' is valid currently) type: string connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. + description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular disableEscaping: - description: Disable special character escaping in username - and password. Disable special character escaping in username - and password + description: |- + Disable special character escaping in username and password. + Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. 
type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. 
type: boolean type: object type: array redis: - description: A nested block containing configuration options for - Redis connections. See Connection parameters for the redis-database-plugin - plugin. + description: |- + A nested block containing configuration options for Redis connections. + See + Connection parameters for the redis-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array caCert: - description: The path to a PEM-encoded CA cert file to use - to verify the Elasticsearch server's identity. The contents - of a PEM-encoded CA cert file to use to verify the Redis - server's identity. + description: |- + The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity. + The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular host: - description: The host to connect to. Specifies the host - to connect to + description: |- + The host to connect to. + Specifies the host to connect to type: string insecureTls: - description: Whether to skip verification of the server - certificate when using TLS. Specifies whether to skip - verification of the server certificate when using TLS. 
+ description: |- + Whether to skip verification of the server + certificate when using TLS. + Specifies whether to skip verification of the server certificate when using TLS. type: boolean name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string port: - description: The default port to connect to if no port is - specified as part of the host. The transport port to use - to connect to Redis. + description: |- + The default port to connect to if no port is specified as + part of the host. + The transport port to use to connect to Redis. type: number rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array tls: - description: Whether to use TLS when connecting to Cassandra. + description: |- + Whether to use TLS when connecting to Cassandra. Specifies whether to use TLS when connecting to Redis. type: boolean username: - description: The username to authenticate with. Specifies - the username for Vault to use. + description: |- + The username to authenticate with. + Specifies the username for Vault to use. 
type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array redisElasticache: - description: A nested block containing configuration options for - Redis ElastiCache connections. See Connection parameters for - the redis-elasticache-database-plugin plugin. + description: |- + A nested block containing configuration options for Redis ElastiCache connections. + See + Connection parameters for the redis-elasticache-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. 
+ description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string region: - description: The AWS region where the ElastiCache cluster - is hosted. If omitted the plugin tries to infer the region - from the environment. The AWS region where the ElastiCache - cluster is hosted. If omitted the plugin tries to infer - the region from the environment. + description: |- + The AWS region where the ElastiCache cluster is hosted. + If omitted the plugin tries to infer the region from the environment. + The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array url: - description: The URL for Elasticsearch's API. https requires - certificate by trusted CA if used. The configuration endpoint - for the ElastiCache cluster to connect to. + description: |- + The URL for Elasticsearch's API. https requires certificate + by trusted CA if used. + The configuration endpoint for the ElastiCache cluster to connect to. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. 
type: boolean type: object type: array redshift: - description: A nested block containing configuration options for - AWS Redshift connections. See Connection parameters for the - redshift-database-plugin plugin. + description: |- + A nested block containing configuration options for AWS Redshift connections. + See + Connection parameters for the redshift-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. + description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular disableEscaping: - description: Disable special character escaping in username - and password. Disable special character escaping in username - and password + description: |- + Disable special character escaping in username and password. + Disable special character escaping in username and password type: boolean maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. 
+ description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. 
Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array sealWrap: - description: Boolean flag that can be explicitly set to true to - enable seal wrapping for the mount, causing values stored by - the mount to be wrapped by the seal's encryption capability - Enable seal wrapping for the mount, causing values stored by - the mount to be wrapped by the seal's encryption capability + description: |- + Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability + Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability type: boolean snowflake: - description: A nested block containing configuration options for - Snowflake connections. See Connection parameters for the snowflake-database-plugin - plugin. + description: |- + A nested block containing configuration options for Snowflake connections. + See + Connection parameters for the snowflake-database-plugin plugin. items: properties: allowedRoles: - description: A list of roles that are allowed to use this - connection. A list of roles that are allowed to use this + description: |- + A list of roles that are allowed to use this connection. + A list of roles that are allowed to use this connection. items: type: string type: array connectionUrl: - description: A URL containing connection information. See - Vault docs Connection string to use to connect to the - database. 
+ description: |- + A URL containing connection information. + See Vault docs + Connection string to use to connect to the database. type: string data: additionalProperties: type: string - description: A map of sensitive data to pass to the endpoint. - Useful for templated connection strings. A map of sensitive - data to pass to the endpoint. Useful for templated connection - strings. + description: |- + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. type: object + x-kubernetes-map-type: granular maxConnectionLifetime: - description: The maximum number of seconds to keep a connection - alive for. Maximum number of seconds a connection may - be reused. + description: |- + The maximum number of seconds to keep + a connection alive for. + Maximum number of seconds a connection may be reused. type: number maxIdleConnections: - description: The maximum number of idle connections to maintain. + description: |- + The maximum number of idle connections to + maintain. Maximum number of idle connections to the database. type: number maxOpenConnections: - description: The maximum number of open connections to use. + description: |- + The maximum number of open connections to + use. Maximum number of open connections to the database. type: number name: - description: for any configured database engine is changed + description: |- + for any configured database engine is changed Name of the database connection. type: string pluginName: - description: Specifies the name of the plugin to use. Specifies - the name of the plugin to use for this connection. Must - be prefixed with the name of one of the supported database - engine types. + description: |- + Specifies the name of the plugin to use. + Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. 
type: string rootRotationStatements: - description: A list of database statements to be executed - to rotate the root user's credentials. A list of database - statements to be executed to rotate the root user's credentials. + description: |- + A list of database statements to be executed to rotate the root user's credentials. + A list of database statements to be executed to rotate the root user's credentials. items: type: string type: array username: - description: The username to authenticate with. The root - credential username used in the connection URL + description: |- + The username to authenticate with. + The root credential username used in the connection URL type: string usernameTemplate: - description: Template describing how dynamic usernames are - generated. Username generation template. + description: |- + Template describing how dynamic usernames are generated. + Username generation template. type: string verifyConnection: - description: Whether the connection should be verified on - initial configuration or not. Specifies if the connection - is verified during initial configuration. + description: |- + Whether the connection should be verified on + initial configuration or not. + Specifies if the connection is verified during initial configuration. type: boolean type: object type: array 
@@ -5226,14 +6391,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -5243,8 +6417,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -5253,6 +6428,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/egp.vault.upbound.io_policies.yaml b/package/crds/egp.vault.upbound.io_policies.yaml index 3cb53c62..98398c0c 100644 --- a/package/crds/egp.vault.upbound.io_policies.yaml +++ b/package/crds/egp.vault.upbound.io_policies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: policies.egp.vault.upbound.io spec: group: egp.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: governing policies for Vault properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,87 +74,98 @@ spec: forProvider: properties: enforcementLevel: - description: 'Enforcement level of Sentinel policy. Can be either - advisory or soft-mandatory or hard-mandatory Enforcement level - of Sentinel policy. Can be one of: ''advisory'', ''soft-mandatory'' - or ''hard-mandatory''' + description: |- + Enforcement level of Sentinel policy. Can be either advisory or soft-mandatory or hard-mandatory + Enforcement level of Sentinel policy. Can be one of: 'advisory', 'soft-mandatory' or 'hard-mandatory' type: string name: - description: The name of the policy Name of the policy + description: |- + The name of the policy + Name of the policy type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string paths: - description: List of paths to which the policy will be applied - to List of paths to which the policy will be applied + description: |- + List of paths to which the policy will be applied to + List of paths to which the policy will be applied items: type: string type: array policy: - description: String containing a Sentinel policy The policy document + description: |- + String containing a Sentinel policy + The policy document type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. 
InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: enforcementLevel: - description: 'Enforcement level of Sentinel policy. Can be either - advisory or soft-mandatory or hard-mandatory Enforcement level - of Sentinel policy. Can be one of: ''advisory'', ''soft-mandatory'' - or ''hard-mandatory''' + description: |- + Enforcement level of Sentinel policy. Can be either advisory or soft-mandatory or hard-mandatory + Enforcement level of Sentinel policy. Can be one of: 'advisory', 'soft-mandatory' or 'hard-mandatory' type: string name: - description: The name of the policy Name of the policy + description: |- + The name of the policy + Name of the policy type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. 
The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string paths: - description: List of paths to which the policy will be applied - to List of paths to which the policy will be applied + description: |- + List of paths to which the policy will be applied to + List of paths to which the policy will be applied items: type: string type: array policy: - description: String containing a Sentinel policy The policy document + description: |- + String containing a Sentinel policy + The policy document type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. 
+ ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -161,45 +178,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -209,21 +191,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -233,17 +215,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -253,21 +237,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -282,21 +266,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -307,14 +292,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -330,53 +316,58 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: enforcementLevel is a required parameter + - message: spec.forProvider.enforcementLevel is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.enforcementLevel) - || has(self.initProvider.enforcementLevel)' - - message: name is a required parameter + || (has(self.initProvider) && has(self.initProvider.enforcementLevel))' + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' - - message: paths is a required parameter + || (has(self.initProvider) && has(self.initProvider.name))' + - message: spec.forProvider.paths is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.paths) - || has(self.initProvider.paths)' - - message: policy is a required parameter + || (has(self.initProvider) && has(self.initProvider.paths))' + - message: spec.forProvider.policy is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.policy) - || has(self.initProvider.policy)' + || (has(self.initProvider) && has(self.initProvider.policy))' status: description: PolicyStatus defines the observed state of Policy. properties: atProvider: properties: enforcementLevel: - description: 'Enforcement level of Sentinel policy. Can be either - advisory or soft-mandatory or hard-mandatory Enforcement level - of Sentinel policy. Can be one of: ''advisory'', ''soft-mandatory'' - or ''hard-mandatory''' + description: |- + Enforcement level of Sentinel policy. 
Can be either advisory or soft-mandatory or hard-mandatory + Enforcement level of Sentinel policy. Can be one of: 'advisory', 'soft-mandatory' or 'hard-mandatory' type: string id: type: string name: - description: The name of the policy Name of the policy + description: |- + The name of the policy + Name of the policy type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string paths: - description: List of paths to which the policy will be applied - to List of paths to which the policy will be applied + description: |- + List of paths to which the policy will be applied to + List of paths to which the policy will be applied items: type: string type: array policy: - description: String containing a Sentinel policy The policy document + description: |- + String containing a Sentinel policy + The policy document type: string type: object conditions: 
@@ -385,14 +376,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -402,8 +402,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -412,6 +413,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/gcp.vault.upbound.io_authbackendroles.yaml b/package/crds/gcp.vault.upbound.io_authbackendroles.yaml index e58ae7fb..15bce826 100644 --- a/package/crds/gcp.vault.upbound.io_authbackendroles.yaml +++ b/package/crds/gcp.vault.upbound.io_authbackendroles.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: authbackendroles.gcp.vault.upbound.io spec: group: gcp.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: roles in an GCP auth backend in Vault properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -77,6 +83,80 @@ spec: backend: description: Path to the mounted GCP auth backend type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. 
The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object boundInstanceGroups: description: The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either @@ -84,6 +164,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: set boundLabels: description: A comma-separated list of GCP labels formatted as "key:value" strings that must be set on authorized GCE instances. @@ -92,12 +173,14 @@ spec: items: type: string type: array + x-kubernetes-list-type: set boundProjects: description: An array of GCP project IDs. Only entities belonging to this project can authenticate under the role. items: type: string type: array + x-kubernetes-list-type: set boundRegions: description: The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is @@ -107,12 +190,14 @@ spec: items: type: string type: array + x-kubernetes-list-type: set boundServiceAccounts: description: 'GCP Service Accounts allowed to issue tokens under this role. (Note: Required if role is iam)' items: type: string type: array + x-kubernetes-list-type: set boundZones: description: The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is @@ -121,6 +206,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: set maxJwtExp: description: The number of seconds past the time of authentication that the login param JWT must expire within. For example, if 
@@ -131,89 +217,100 @@ spec: claim to be customized. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string role: description: Name of the GCP role type: string tokenBoundCidrs: - description: List of CIDR blocks; if set, specifies blocks of - IP addresses which can authenticate successfully, and ties the - resulting token to these blocks as well. Specifies the blocks - of IP addresses which are allowed to use the generated token + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + Specifies the blocks of IP addresses which are allowed to use the generated token items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: - description: If set, will encode an explicit max TTL onto the - token in number of seconds. This is a hard cap even if token_ttl - and token_max_ttl would otherwise allow a renewal. Generated - Token's Explicit Maximum TTL in seconds + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + Generated Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime for generated tokens in number - of seconds. Its current value will be referenced at renewal - time. 
The maximum lifetime of the generated token + description: |- + The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If set, the default policy will not be set on generated - tokens; otherwise it will be added to the policies set in token_policies. - If true, the 'default' policy will not automatically be added - to generated tokens + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a generated token may - be used (within its lifetime); 0 means unlimited. The maximum - number of times a token may be used, a value of zero means unlimited + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + The maximum number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: If set, indicates that the token generated using - this role should never expire. The token should be renewed within - the duration specified by this value. At each renewal, the token's - TTL will be set to the value of this field. Specified in seconds. + description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. Generated Token's Period type: number tokenPolicies: - description: List of policies to encode onto generated tokens. - Depending on the auth method, this list may be supplemented - by user/group/other values. 
Generated Token's Policies + description: |- + List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + Generated Token's Policies items: type: string type: array + x-kubernetes-list-type: set tokenTtl: - description: The incremental lifetime for generated tokens in - number of seconds. Its current value will be referenced at renewal - time. The initial ttl of the token to generate in seconds + description: |- + The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The initial ttl of the token to generate in seconds type: number tokenType: - description: 'The type of token that should be generated. Can - be service, batch, or default to use the mount''s tuned default - (which unless changed will be service tokens). For token store - roles, there are two additional possibilities: default-service - and default-batch which specify the type to return unless the - client requests a different type at generation time. The type - of token to generate, service or batch' + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. + The type of token to generate, service or batch type: string type: description: Type of GCP authentication role (either gce or iam) type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. 
InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: addGroupAliases: type: boolean 
@@ -225,6 +322,80 @@ spec: backend: description: Path to the mounted GCP auth backend type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. 
The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object boundInstanceGroups: description: The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either @@ -232,6 +403,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: set boundLabels: description: A comma-separated list of GCP labels formatted as "key:value" strings that must be set on authorized GCE instances. @@ -240,12 +412,14 @@ spec: items: type: string type: array + x-kubernetes-list-type: set boundProjects: description: An array of GCP project IDs. Only entities belonging to this project can authenticate under the role. items: type: string type: array + x-kubernetes-list-type: set boundRegions: description: The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is @@ -255,12 +429,14 @@ spec: items: type: string type: array + x-kubernetes-list-type: set boundServiceAccounts: description: 'GCP Service Accounts allowed to issue tokens under this role. (Note: Required if role is iam)' items: type: string type: array + x-kubernetes-list-type: set boundZones: description: The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is @@ -269,6 +445,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: set maxJwtExp: description: The number of seconds past the time of authentication that the login param JWT must expire within. For example, if 
@@ -279,72 +456,83 @@ spec: claim to be customized. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string role: description: Name of the GCP role type: string tokenBoundCidrs: - description: List of CIDR blocks; if set, specifies blocks of - IP addresses which can authenticate successfully, and ties the - resulting token to these blocks as well. Specifies the blocks - of IP addresses which are allowed to use the generated token + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + Specifies the blocks of IP addresses which are allowed to use the generated token items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: - description: If set, will encode an explicit max TTL onto the - token in number of seconds. This is a hard cap even if token_ttl - and token_max_ttl would otherwise allow a renewal. Generated - Token's Explicit Maximum TTL in seconds + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + Generated Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime for generated tokens in number - of seconds. Its current value will be referenced at renewal - time. 
The maximum lifetime of the generated token + description: |- + The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If set, the default policy will not be set on generated - tokens; otherwise it will be added to the policies set in token_policies. - If true, the 'default' policy will not automatically be added - to generated tokens + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a generated token may - be used (within its lifetime); 0 means unlimited. The maximum - number of times a token may be used, a value of zero means unlimited + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + The maximum number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: If set, indicates that the token generated using - this role should never expire. The token should be renewed within - the duration specified by this value. At each renewal, the token's - TTL will be set to the value of this field. Specified in seconds. + description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. Generated Token's Period type: number tokenPolicies: - description: List of policies to encode onto generated tokens. - Depending on the auth method, this list may be supplemented - by user/group/other values. 
Generated Token's Policies + description: |- + List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + Generated Token's Policies items: type: string type: array + x-kubernetes-list-type: set tokenTtl: - description: The incremental lifetime for generated tokens in - number of seconds. Its current value will be referenced at renewal - time. The initial ttl of the token to generate in seconds + description: |- + The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The initial ttl of the token to generate in seconds type: number tokenType: - description: 'The type of token that should be generated. Can - be service, batch, or default to use the mount''s tuned default - (which unless changed will be service tokens). For token store - roles, there are two additional possibilities: default-service - and default-batch which specify the type to return unless the - client requests a different type at generation time. The type - of token to generate, service or batch' + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. + The type of token to generate, service or batch type: string type: description: Type of GCP authentication role (either gce or iam) 
@@ -353,20 +541,21 @@ spec: managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. 
+ description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -379,45 +568,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -427,21 +581,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -451,17 +605,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -471,21 +627,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -500,21 +656,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -525,14 +682,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -548,14 +706,14 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: role is a required parameter + - message: spec.forProvider.role is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.role) - || has(self.initProvider.role)' - - message: type is a required parameter + || (has(self.initProvider) && has(self.initProvider.role))' + - message: spec.forProvider.type is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.type) - || has(self.initProvider.type)' + || (has(self.initProvider) && has(self.initProvider.type))' status: description: AuthBackendRoleStatus defines the observed state of AuthBackendRole. properties: @@ -578,6 +736,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: set boundLabels: description: A comma-separated list of GCP labels formatted as "key:value" strings that must be set on authorized GCE instances. @@ -586,12 +745,14 @@ spec: items: type: string type: array + x-kubernetes-list-type: set boundProjects: description: An array of GCP project IDs. Only entities belonging to this project can authenticate under the role. items: type: string type: array + x-kubernetes-list-type: set boundRegions: description: The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is @@ -601,12 +762,14 @@ spec: items: type: string type: array + x-kubernetes-list-type: set boundServiceAccounts: description: 'GCP Service Accounts allowed to issue tokens under this role. (Note: Required if role is iam)' items: type: string type: array + x-kubernetes-list-type: set boundZones: description: The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is 
@@ -615,6 +778,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: set id: type: string maxJwtExp: 
@@ -627,72 +791,83 @@ spec: claim to be customized. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string role: description: Name of the GCP role type: string tokenBoundCidrs: - description: List of CIDR blocks; if set, specifies blocks of - IP addresses which can authenticate successfully, and ties the - resulting token to these blocks as well. Specifies the blocks - of IP addresses which are allowed to use the generated token + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + Specifies the blocks of IP addresses which are allowed to use the generated token items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: - description: If set, will encode an explicit max TTL onto the - token in number of seconds. This is a hard cap even if token_ttl - and token_max_ttl would otherwise allow a renewal. Generated - Token's Explicit Maximum TTL in seconds + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + Generated Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime for generated tokens in number - of seconds. Its current value will be referenced at renewal - time. 
The maximum lifetime of the generated token + description: |- + The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If set, the default policy will not be set on generated - tokens; otherwise it will be added to the policies set in token_policies. - If true, the 'default' policy will not automatically be added - to generated tokens + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a generated token may - be used (within its lifetime); 0 means unlimited. The maximum - number of times a token may be used, a value of zero means unlimited + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + The maximum number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: If set, indicates that the token generated using - this role should never expire. The token should be renewed within - the duration specified by this value. At each renewal, the token's - TTL will be set to the value of this field. Specified in seconds. + description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. Generated Token's Period type: number tokenPolicies: - description: List of policies to encode onto generated tokens. - Depending on the auth method, this list may be supplemented - by user/group/other values. 
Generated Token's Policies + description: |- + List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + Generated Token's Policies items: type: string type: array + x-kubernetes-list-type: set tokenTtl: - description: The incremental lifetime for generated tokens in - number of seconds. Its current value will be referenced at renewal - time. The initial ttl of the token to generate in seconds + description: |- + The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The initial ttl of the token to generate in seconds type: number tokenType: - description: 'The type of token that should be generated. Can - be service, batch, or default to use the mount''s tuned default - (which unless changed will be service tokens). For token store - roles, there are two additional possibilities: default-service - and default-batch which specify the type to return unless the - client requests a different type at generation time. The type - of token to generate, service or batch' + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. + The type of token to generate, service or batch type: string type: description: Type of GCP authentication role (either gce or iam) 
@@ -704,14 +879,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -721,8 +905,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -731,6 +916,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/gcp.vault.upbound.io_authbackends.yaml b/package/crds/gcp.vault.upbound.io_authbackends.yaml index 3b94a222..9ae6bab6 100644 --- a/package/crds/gcp.vault.upbound.io_authbackends.yaml +++ b/package/crds/gcp.vault.upbound.io_authbackends.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: authbackends.gcp.vault.upbound.io spec: group: gcp.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -37,14 +37,19 @@ spec: description: AuthBackend is the Schema for the AuthBackends API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -53,13 +58,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete @@ -116,6 +122,15 @@ spec: disableRemount: description: If set, opts out of mount migration on path updates. type: boolean + identityTokenAudience: + description: The audience claim value for plugin identity tokens. + type: string + identityTokenKey: + description: The key to use for signing identity tokens. + type: string + identityTokenTtl: + description: The TTL of generated tokens. + type: number local: description: Specifies if the auth method is local only type: boolean @@ -128,6 +143,10 @@ spec: type: string projectId: type: string + serviceAccountEmail: + description: Service Account to impersonate for plugin workload + identity federation. + type: string tune: items: properties: 
@@ -159,22 +178,40 @@ spec: type: array type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: clientEmail: type: string clientId: type: string + credentialsSecretRef: + description: A SecretKeySelector is a reference to a secret key + in an arbitrary namespace. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object customEndpoint: description: Specifies overrides to service endpoints used when making API requests to GCP. 
@@ -203,6 +240,15 @@ spec: disableRemount: description: If set, opts out of mount migration on path updates. type: boolean + identityTokenAudience: + description: The audience claim value for plugin identity tokens. + type: string + identityTokenKey: + description: The key to use for signing identity tokens. + type: string + identityTokenTtl: + description: The TTL of generated tokens. + type: number local: description: Specifies if the auth method is local only type: boolean @@ -215,6 +261,10 @@ spec: type: string projectId: type: string + serviceAccountEmail: + description: Service Account to impersonate for plugin workload + identity federation. + type: string tune: items: properties: 
@@ -248,20 +298,21 @@ spec: managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. 
+ description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -274,9 +325,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -286,57 +338,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -346,17 +362,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -366,21 +384,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -395,21 +413,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -420,14 +439,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. @@ -484,6 +504,15 @@ spec: type: boolean id: type: string + identityTokenAudience: + description: The audience claim value for plugin identity tokens. + type: string + identityTokenKey: + description: The key to use for signing identity tokens. + type: string + identityTokenTtl: + description: The TTL of generated tokens. + type: number local: description: Specifies if the auth method is local only type: boolean @@ -496,6 +525,10 @@ spec: type: string projectId: type: string + serviceAccountEmail: + description: Service Account to impersonate for plugin workload + identity federation. + type: string tune: items: properties: 
@@ -532,14 +565,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -549,8 +591,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -559,6 +602,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/gcp.vault.upbound.io_secretbackends.yaml b/package/crds/gcp.vault.upbound.io_secretbackends.yaml index 4719ae78..a28c1b5f 100644 --- a/package/crds/gcp.vault.upbound.io_secretbackends.yaml +++ b/package/crds/gcp.vault.upbound.io_secretbackends.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretbackends.gcp.vault.upbound.io spec: group: gcp.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: an GCP secret backend for Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete @@ -68,7 +74,8 @@ spec: forProvider: properties: credentialsSecretRef: - description: The GCP service account credentials in JSON format. + description: |- + The GCP service account credentials in JSON format. JSON-encoded credentials to use to connect to GCP properties: key: 
@@ -86,107 +93,193 @@ spec: - namespace type: object defaultLeaseTtlSeconds: - description: The default TTL for credentials issued by this backend. - Defaults to '0'. Default lease duration for secrets in seconds + description: |- + The default TTL for credentials + issued by this backend. Defaults to '0'. + Default lease duration for secrets in seconds type: number description: - description: A human-friendly description for this backend. Human-friendly - description of the mount for the backend. + description: |- + A human-friendly description for this backend. + Human-friendly description of the mount for the backend. type: string disableRemount: - description: If set, opts out of mount migration on path updates. - See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. type: boolean + identityTokenAudience: + description: |- + The audience claim value for plugin identity + tokens. Must match an allowed audience configured for the target Workload Identity Pool. + Mutually exclusive with credentials. Requires Vault 1.17+. Available only for Vault Enterprise. + The audience claim value for plugin identity tokens. + type: string + identityTokenKey: + description: |- + The key to use for signing plugin identity + tokens. Requires Vault 1.17+. Available only for Vault Enterprise. + The key to use for signing identity tokens. + type: string + identityTokenTtl: + description: |- + The TTL of generated tokens. Defaults to + 1 hour. Uses duration format strings. + Requires Vault 1.17+. Available only for Vault Enterprise. + The TTL of generated tokens. 
+ type: number local: - description: Boolean flag that can be explicitly set to true to - enforce local mount in HA environment Local mount flag that - can be explicitly set to true to enforce local mount in HA environment + description: |- + Boolean flag that can be explicitly set to true to enforce local mount in HA environment + Local mount flag that can be explicitly set to true to enforce local mount in HA environment type: boolean maxLeaseTtlSeconds: - description: The maximum TTL that can be requested for credentials - issued by this backend. Defaults to '0'. Maximum possible lease - duration for secrets in seconds + description: |- + The maximum TTL that can be requested + for credentials issued by this backend. Defaults to '0'. + Maximum possible lease duration for secrets in seconds type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: The unique path this backend should be mounted at. - Must not begin or end with a /. Defaults to gcp. Path to mount - the backend at. + description: |- + The unique path this backend should be mounted at. Must + not begin or end with a /. Defaults to gcp. + Path to mount the backend at. + type: string + serviceAccountEmail: + description: |- + – Service Account to impersonate for plugin workload identity federation. + Required with identity_token_audience. Requires Vault 1.17+. Available only for Vault Enterprise. 
+ Service Account to impersonate for plugin workload identity federation. type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: + credentialsSecretRef: + description: |- + The GCP service account credentials in JSON format. + JSON-encoded credentials to use to connect to GCP + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object defaultLeaseTtlSeconds: - description: The default TTL for credentials issued by this backend. 
- Defaults to '0'. Default lease duration for secrets in seconds + description: |- + The default TTL for credentials + issued by this backend. Defaults to '0'. + Default lease duration for secrets in seconds type: number description: - description: A human-friendly description for this backend. Human-friendly - description of the mount for the backend. + description: |- + A human-friendly description for this backend. + Human-friendly description of the mount for the backend. type: string disableRemount: - description: If set, opts out of mount migration on path updates. - See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. type: boolean + identityTokenAudience: + description: |- + The audience claim value for plugin identity + tokens. Must match an allowed audience configured for the target Workload Identity Pool. + Mutually exclusive with credentials. Requires Vault 1.17+. Available only for Vault Enterprise. + The audience claim value for plugin identity tokens. + type: string + identityTokenKey: + description: |- + The key to use for signing plugin identity + tokens. Requires Vault 1.17+. Available only for Vault Enterprise. + The key to use for signing identity tokens. + type: string + identityTokenTtl: + description: |- + The TTL of generated tokens. Defaults to + 1 hour. Uses duration format strings. + Requires Vault 1.17+. Available only for Vault Enterprise. + The TTL of generated tokens. 
+ type: number local: - description: Boolean flag that can be explicitly set to true to - enforce local mount in HA environment Local mount flag that - can be explicitly set to true to enforce local mount in HA environment + description: |- + Boolean flag that can be explicitly set to true to enforce local mount in HA environment + Local mount flag that can be explicitly set to true to enforce local mount in HA environment type: boolean maxLeaseTtlSeconds: - description: The maximum TTL that can be requested for credentials - issued by this backend. Defaults to '0'. Maximum possible lease - duration for secrets in seconds + description: |- + The maximum TTL that can be requested + for credentials issued by this backend. Defaults to '0'. + Maximum possible lease duration for secrets in seconds type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: The unique path this backend should be mounted at. - Must not begin or end with a /. Defaults to gcp. Path to mount - the backend at. + description: |- + The unique path this backend should be mounted at. Must + not begin or end with a /. Defaults to gcp. + Path to mount the backend at. + type: string + serviceAccountEmail: + description: |- + – Service Account to impersonate for plugin workload identity federation. + Required with identity_token_audience. Requires Vault 1.17+. Available only for Vault Enterprise. 
+ Service Account to impersonate for plugin workload identity federation. type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. 
+ description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -199,9 +292,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -211,57 +305,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -271,17 +329,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -291,21 +351,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -320,21 +380,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -345,14 +406,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -372,42 +434,80 @@ spec: properties: atProvider: properties: + accessor: + description: |- + The accessor of the created GCP mount. + Accessor of the created GCP mount. + type: string defaultLeaseTtlSeconds: - description: The default TTL for credentials issued by this backend. - Defaults to '0'. Default lease duration for secrets in seconds + description: |- + The default TTL for credentials + issued by this backend. Defaults to '0'. + Default lease duration for secrets in seconds type: number description: - description: A human-friendly description for this backend. Human-friendly - description of the mount for the backend. + description: |- + A human-friendly description for this backend. + Human-friendly description of the mount for the backend. type: string disableRemount: - description: If set, opts out of mount migration on path updates. - See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. type: boolean id: type: string + identityTokenAudience: + description: |- + The audience claim value for plugin identity + tokens. Must match an allowed audience configured for the target Workload Identity Pool. + Mutually exclusive with credentials. Requires Vault 1.17+. Available only for Vault Enterprise. + The audience claim value for plugin identity tokens. + type: string + identityTokenKey: + description: |- + The key to use for signing plugin identity + tokens. Requires Vault 1.17+. Available only for Vault Enterprise. + The key to use for signing identity tokens. + type: string + identityTokenTtl: + description: |- + The TTL of generated tokens. Defaults to + 1 hour. Uses duration format strings. + Requires Vault 1.17+. Available only for Vault Enterprise. + The TTL of generated tokens. 
+ type: number local: - description: Boolean flag that can be explicitly set to true to - enforce local mount in HA environment Local mount flag that - can be explicitly set to true to enforce local mount in HA environment + description: |- + Boolean flag that can be explicitly set to true to enforce local mount in HA environment + Local mount flag that can be explicitly set to true to enforce local mount in HA environment type: boolean maxLeaseTtlSeconds: - description: The maximum TTL that can be requested for credentials - issued by this backend. Defaults to '0'. Maximum possible lease - duration for secrets in seconds + description: |- + The maximum TTL that can be requested + for credentials issued by this backend. Defaults to '0'. + Maximum possible lease duration for secrets in seconds type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: The unique path this backend should be mounted at. - Must not begin or end with a /. Defaults to gcp. Path to mount - the backend at. + description: |- + The unique path this backend should be mounted at. Must + not begin or end with a /. Defaults to gcp. + Path to mount the backend at. + type: string + serviceAccountEmail: + description: |- + – Service Account to impersonate for plugin workload identity federation. + Required with identity_token_audience. Requires Vault 1.17+. Available only for Vault Enterprise. 
+ Service Account to impersonate for plugin workload identity federation. type: string type: object conditions: @@ -416,14 +516,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -433,8 +542,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -443,6 +553,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/gcp.vault.upbound.io_secretimpersonatedaccounts.yaml b/package/crds/gcp.vault.upbound.io_secretimpersonatedaccounts.yaml index b1f0f095..591ed23c 100644 --- a/package/crds/gcp.vault.upbound.io_secretimpersonatedaccounts.yaml +++ b/package/crds/gcp.vault.upbound.io_secretimpersonatedaccounts.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretimpersonatedaccounts.gcp.vault.upbound.io spec: group: gcp.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: API. Creates a Impersonated Account for the GCP Secret Backend for Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -55,13 +60,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -69,83 +75,238 @@ spec: forProvider: properties: backend: - description: Path where the GCP Secrets Engine is mounted Path - where the GCP secrets engine is mounted. + description: |- + Path where the GCP Secrets Engine is mounted + Path where the GCP secrets engine is mounted. type: string + backendRef: + description: Reference to a SecretBackend in gcp to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a SecretBackend in gcp to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 
'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object impersonatedAccount: - description: Name of the Impersonated Account to create Name of - the Impersonated Account to create + description: |- + Name of the Impersonated Account to create + Name of the Impersonated Account to create type: string namespace: description: Target namespace. (requires Enterprise) type: string serviceAccountEmail: - description: Email of the GCP service account to impersonate. + description: |- + Email of the GCP service account to impersonate. Email of the GCP service account. type: string tokenScopes: - description: List of OAuth scopes to assign to access tokens generated - under this impersonated account. List of OAuth scopes to assign - to `access_token` secrets generated under this impersonated - account (`access_token` impersonated accounts only) + description: |- + List of OAuth scopes to assign to access tokens generated under this impersonated account. + List of OAuth scopes to assign to `access_token` secrets generated under this impersonated account (`access_token` impersonated accounts only) items: type: string type: array + x-kubernetes-list-type: set type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. 
The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: backend: - description: Path where the GCP Secrets Engine is mounted Path - where the GCP secrets engine is mounted. + description: |- + Path where the GCP Secrets Engine is mounted + Path where the GCP secrets engine is mounted. type: string + backendRef: + description: Reference to a SecretBackend in gcp to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. 
The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a SecretBackend in gcp to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object impersonatedAccount: - description: Name of the Impersonated Account to create Name of - the Impersonated Account to create + description: |- + Name of the Impersonated Account to create + Name of the Impersonated Account to create type: string namespace: description: Target namespace. (requires Enterprise) type: string serviceAccountEmail: - description: Email of the GCP service account to impersonate. + description: |- + Email of the GCP service account to impersonate. 
Email of the GCP service account. type: string tokenScopes: - description: List of OAuth scopes to assign to access tokens generated - under this impersonated account. List of OAuth scopes to assign - to `access_token` secrets generated under this impersonated - account (`access_token` impersonated accounts only) + description: |- + List of OAuth scopes to assign to access tokens generated under this impersonated account. + List of OAuth scopes to assign to `access_token` secrets generated under this impersonated account (`access_token` impersonated accounts only) items: type: string type: array + x-kubernetes-list-type: set type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. 
Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -158,9 +319,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -170,57 +332,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -230,17 +356,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -250,21 +378,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -279,21 +407,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -304,14 +433,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -327,18 +457,14 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: backend is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) - || has(self.initProvider.backend)' - - message: impersonatedAccount is a required parameter + - message: spec.forProvider.impersonatedAccount is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.impersonatedAccount) - || has(self.initProvider.impersonatedAccount)' - - message: serviceAccountEmail is a required parameter + || (has(self.initProvider) && has(self.initProvider.impersonatedAccount))' + - message: spec.forProvider.serviceAccountEmail is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.serviceAccountEmail) - || has(self.initProvider.serviceAccountEmail)' + || (has(self.initProvider) && has(self.initProvider.serviceAccountEmail))' status: description: SecretImpersonatedAccountStatus defines the observed state of SecretImpersonatedAccount. 
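Review bot: Dropping the `backend is a required parameter` rule from `x-kubernetes-validations` leaves no admission-time check that a mount path is supplied. A SecretImpersonatedAccount with none of `backend`, `backendRef` or `backendSelector` is now accepted by the API server and presumably fails only at reconcile. Since the schema gained the reference and selector fields, the rule could be widened rather than removed, e.g. `has(self.forProvider.backend) || has(self.forProvider.backendRef) || has(self.forProvider.backendSelector)` behind the same managementPolicies guard. This CRD is produced by controller-gen, so the change would have to be made in the generator input, not in this file.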
@@ -346,34 +472,38 @@ spec: atProvider: properties: backend: - description: Path where the GCP Secrets Engine is mounted Path - where the GCP secrets engine is mounted. + description: |- + Path where the GCP Secrets Engine is mounted + Path where the GCP secrets engine is mounted. type: string id: type: string impersonatedAccount: - description: Name of the Impersonated Account to create Name of - the Impersonated Account to create + description: |- + Name of the Impersonated Account to create + Name of the Impersonated Account to create type: string namespace: description: Target namespace. (requires Enterprise) type: string serviceAccountEmail: - description: Email of the GCP service account to impersonate. + description: |- + Email of the GCP service account to impersonate. Email of the GCP service account. type: string serviceAccountProject: - description: Project the service account belongs to. Project of - the GCP Service Account managed by this impersonated account + description: |- + Project the service account belongs to. + Project of the GCP Service Account managed by this impersonated account type: string tokenScopes: - description: List of OAuth scopes to assign to access tokens generated - under this impersonated account. List of OAuth scopes to assign - to `access_token` secrets generated under this impersonated - account (`access_token` impersonated accounts only) + description: |- + List of OAuth scopes to assign to access tokens generated under this impersonated account. + List of OAuth scopes to assign to `access_token` secrets generated under this impersonated account (`access_token` impersonated accounts only) items: type: string type: array + x-kubernetes-list-type: set type: object conditions: description: Conditions of the resource. 
@@ -381,14 +511,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -398,8 +537,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -408,6 +548,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/gcp.vault.upbound.io_secretrolesets.yaml b/package/crds/gcp.vault.upbound.io_secretrolesets.yaml index 24ed4f5b..eb236783 100644 --- a/package/crds/gcp.vault.upbound.io_secretrolesets.yaml +++ b/package/crds/gcp.vault.upbound.io_secretrolesets.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretrolesets.gcp.vault.upbound.io spec: group: gcp.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: a Roleset for the GCP Secret Backend for Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,9 +74,84 @@ spec: forProvider: properties: backend: - description: Path where the GCP Secrets Engine is mounted Path - where the GCP secrets engine is mounted. + description: |- + Path where the GCP Secrets Engine is mounted + Path where the GCP secrets engine is mounted. type: string + backendRef: + description: Reference to a SecretBackend in gcp to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a SecretBackend in gcp to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 
'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object binding: description: Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is 
@@ -78,66 +159,144 @@ spec: items: properties: resource: - description: Resource or resource path for which IAM policy - information will be bound. The resource path may be specified - in a few different formats. Resource name + description: |- + Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats. + Resource name type: string roles: - description: List of GCP IAM roles for the resource. List - of roles to apply to the resource + description: |- + List of GCP IAM roles for the resource. + List of roles to apply to the resource items: type: string type: array + x-kubernetes-list-type: set type: object type: array namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string project: - description: Name of the GCP project that this roleset's service - account will belong to. Name of the GCP project that this roleset's - service account will belong to. + description: |- + Name of the GCP project that this roleset's service account will belong to. + Name of the GCP project that this roleset's service account will belong to. type: string roleset: - description: Name of the Roleset to create Name of the RoleSet - to create + description: |- + Name of the Roleset to create + Name of the RoleSet to create type: string secretType: - description: 'Type of secret generated for this role set. Accepted - values: access_token, service_account_key. Defaults to access_token. 
- Type of secret generated for this role set. Defaults to `access_token`. - Accepted values: `access_token`, `service_account_key`' + description: |- + Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token. + Type of secret generated for this role set. Defaults to `access_token`. Accepted values: `access_token`, `service_account_key` type: string tokenScopes: - description: List of OAuth scopes to assign to access_token secrets - generated under this role set (access_token role sets only). - List of OAuth scopes to assign to `access_token` secrets generated - under this role set (`access_token` role sets only) + description: |- + List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only). + List of OAuth scopes to assign to `access_token` secrets generated under this role set (`access_token` role sets only) items: type: string type: array + x-kubernetes-list-type: set type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. 
The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: backend: - description: Path where the GCP Secrets Engine is mounted Path - where the GCP secrets engine is mounted. + description: |- + Path where the GCP Secrets Engine is mounted + Path where the GCP secrets engine is mounted. type: string + backendRef: + description: Reference to a SecretBackend in gcp to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a SecretBackend in gcp to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. 
+ type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object binding: description: Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is 
@@ -145,66 +304,70 @@ spec: items: properties: resource: - description: Resource or resource path for which IAM policy - information will be bound. The resource path may be specified - in a few different formats. Resource name + description: |- + Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats. + Resource name type: string roles: - description: List of GCP IAM roles for the resource. List - of roles to apply to the resource + description: |- + List of GCP IAM roles for the resource. + List of roles to apply to the resource items: type: string type: array + x-kubernetes-list-type: set type: object type: array namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string project: - description: Name of the GCP project that this roleset's service - account will belong to. Name of the GCP project that this roleset's - service account will belong to. + description: |- + Name of the GCP project that this roleset's service account will belong to. + Name of the GCP project that this roleset's service account will belong to. type: string roleset: - description: Name of the Roleset to create Name of the RoleSet - to create + description: |- + Name of the Roleset to create + Name of the RoleSet to create type: string secretType: - description: 'Type of secret generated for this role set. Accepted - values: access_token, service_account_key. Defaults to access_token. 
- Type of secret generated for this role set. Defaults to `access_token`. - Accepted values: `access_token`, `service_account_key`' + description: |- + Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token. + Type of secret generated for this role set. Defaults to `access_token`. Accepted values: `access_token`, `service_account_key` type: string tokenScopes: - description: List of OAuth scopes to assign to access_token secrets - generated under this role set (access_token role sets only). - List of OAuth scopes to assign to `access_token` secrets generated - under this role set (`access_token` role sets only) + description: |- + List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only). + List of OAuth scopes to assign to `access_token` secrets generated under this role set (`access_token` role sets only) items: type: string type: array + x-kubernetes-list-type: set type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. 
It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -217,9 +380,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -229,57 +393,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -289,17 +417,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -309,21 +439,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -338,21 +468,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -363,14 +494,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -386,30 +518,27 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: backend is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) - || has(self.initProvider.backend)' - - message: binding is a required parameter + - message: spec.forProvider.binding is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.binding) - || has(self.initProvider.binding)' - - message: project is a required parameter + || (has(self.initProvider) && has(self.initProvider.binding))' + - message: spec.forProvider.project is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.project) - || has(self.initProvider.project)' - - message: roleset is a required parameter + || (has(self.initProvider) && has(self.initProvider.project))' + - message: spec.forProvider.roleset is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.roleset) - || has(self.initProvider.roleset)' + || (has(self.initProvider) && has(self.initProvider.roleset))' status: description: SecretRolesetStatus defines the observed state of SecretRoleset. properties: atProvider: properties: backend: - description: Path where the GCP Secrets Engine is mounted Path - where the GCP secrets engine is mounted. + description: |- + Path where the GCP Secrets Engine is mounted + Path where the GCP secrets engine is mounted. type: string binding: description: Bindings to create for this roleset. This can be 
@@ -418,55 +547,58 @@ spec: items: properties: resource: - description: Resource or resource path for which IAM policy - information will be bound. The resource path may be specified - in a few different formats. Resource name + description: |- + Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats. + Resource name type: string roles: - description: List of GCP IAM roles for the resource. List - of roles to apply to the resource + description: |- + List of GCP IAM roles for the resource. + List of roles to apply to the resource items: type: string type: array + x-kubernetes-list-type: set type: object type: array id: type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string project: - description: Name of the GCP project that this roleset's service - account will belong to. Name of the GCP project that this roleset's - service account will belong to. + description: |- + Name of the GCP project that this roleset's service account will belong to. + Name of the GCP project that this roleset's service account will belong to. type: string roleset: - description: Name of the Roleset to create Name of the RoleSet - to create + description: |- + Name of the Roleset to create + Name of the RoleSet to create type: string secretType: - description: 'Type of secret generated for this role set. Accepted - values: access_token, service_account_key. 
Defaults to access_token. - Type of secret generated for this role set. Defaults to `access_token`. - Accepted values: `access_token`, `service_account_key`' + description: |- + Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token. + Type of secret generated for this role set. Defaults to `access_token`. Accepted values: `access_token`, `service_account_key` type: string serviceAccountEmail: - description: Email of the service account created by Vault for - this Roleset. Email of the service account created by Vault - for this Roleset + description: |- + Email of the service account created by Vault for this Roleset. + Email of the service account created by Vault for this Roleset type: string tokenScopes: - description: List of OAuth scopes to assign to access_token secrets - generated under this role set (access_token role sets only). - List of OAuth scopes to assign to `access_token` secrets generated - under this role set (`access_token` role sets only) + description: |- + List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only). + List of OAuth scopes to assign to `access_token` secrets generated under this role set (`access_token` role sets only) items: type: string type: array + x-kubernetes-list-type: set type: object conditions: description: Conditions of the resource. 
@@ -474,14 +606,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -491,8 +632,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -501,6 +643,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/gcp.vault.upbound.io_secretstaticaccounts.yaml b/package/crds/gcp.vault.upbound.io_secretstaticaccounts.yaml index 7f3f5923..a3a1db9d 100644 --- a/package/crds/gcp.vault.upbound.io_secretstaticaccounts.yaml +++ b/package/crds/gcp.vault.upbound.io_secretstaticaccounts.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretstaticaccounts.gcp.vault.upbound.io spec: group: gcp.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: API. Creates a Static Account for the GCP Secret Backend for Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,9 +74,84 @@ spec: forProvider: properties: backend: - description: Path where the GCP Secrets Engine is mounted Path - where the GCP secrets engine is mounted. + description: |- + Path where the GCP Secrets Engine is mounted + Path where the GCP secrets engine is mounted. type: string + backendRef: + description: Reference to a SecretBackend in gcp to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a SecretBackend in gcp to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 
'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object binding: description: Bindings to create for this static account. This can be specified multiple times for multiple bindings. Structure 
@@ -78,67 +159,144 @@ spec: items: properties: resource: - description: Resource or resource path for which IAM policy - information will be bound. The resource path may be specified - in a few different formats. Resource name + description: |- + Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats. + Resource name type: string roles: - description: List of GCP IAM roles for the resource. List - of roles to apply to the resource + description: |- + List of GCP IAM roles for the resource. + List of roles to apply to the resource items: type: string type: array + x-kubernetes-list-type: set type: object type: array namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string secretType: - description: 'Type of secret generated for this static account. - Accepted values: access_token, service_account_key. Defaults - to access_token. Type of secret generated for this static account. - Defaults to `access_token`. Accepted values: `access_token`, - `service_account_key`' + description: |- + Type of secret generated for this static account. Accepted values: access_token, service_account_key. Defaults to access_token. + Type of secret generated for this static account. Defaults to `access_token`. Accepted values: `access_token`, `service_account_key` type: string serviceAccountEmail: - description: Email of the GCP service account to manage. 
Email - of the GCP service account. + description: |- + Email of the GCP service account to manage. + Email of the GCP service account. type: string staticAccount: - description: Name of the Static Account to create Name of the - Static Account to create + description: |- + Name of the Static Account to create + Name of the Static Account to create type: string tokenScopes: - description: List of OAuth scopes to assign to access_token secrets - generated under this static account (access_token static accounts - only). List of OAuth scopes to assign to `access_token` secrets - generated under this static account (`access_token` static accounts - only) + description: |- + List of OAuth scopes to assign to access_token secrets generated under this static account (access_token static accounts only). + List of OAuth scopes to assign to `access_token` secrets generated under this static account (`access_token` static accounts only) items: type: string type: array + x-kubernetes-list-type: set type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. 
The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: backend: - description: Path where the GCP Secrets Engine is mounted Path - where the GCP secrets engine is mounted. + description: |- + Path where the GCP Secrets Engine is mounted + Path where the GCP secrets engine is mounted. type: string + backendRef: + description: Reference to a SecretBackend in gcp to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a SecretBackend in gcp to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. 
+ type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object binding: description: Bindings to create for this static account. This can be specified multiple times for multiple bindings. Structure 
@@ -146,67 +304,70 @@ spec: items: properties: resource: - description: Resource or resource path for which IAM policy - information will be bound. The resource path may be specified - in a few different formats. Resource name + description: |- + Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats. + Resource name type: string roles: - description: List of GCP IAM roles for the resource. List - of roles to apply to the resource + description: |- + List of GCP IAM roles for the resource. + List of roles to apply to the resource items: type: string type: array + x-kubernetes-list-type: set type: object type: array namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string secretType: - description: 'Type of secret generated for this static account. - Accepted values: access_token, service_account_key. Defaults - to access_token. Type of secret generated for this static account. - Defaults to `access_token`. Accepted values: `access_token`, - `service_account_key`' + description: |- + Type of secret generated for this static account. Accepted values: access_token, service_account_key. Defaults to access_token. + Type of secret generated for this static account. Defaults to `access_token`. Accepted values: `access_token`, `service_account_key` type: string serviceAccountEmail: - description: Email of the GCP service account to manage. 
Email - of the GCP service account. + description: |- + Email of the GCP service account to manage. + Email of the GCP service account. type: string staticAccount: - description: Name of the Static Account to create Name of the - Static Account to create + description: |- + Name of the Static Account to create + Name of the Static Account to create type: string tokenScopes: - description: List of OAuth scopes to assign to access_token secrets - generated under this static account (access_token static accounts - only). List of OAuth scopes to assign to `access_token` secrets - generated under this static account (`access_token` static accounts - only) + description: |- + List of OAuth scopes to assign to access_token secrets generated under this static account (access_token static accounts only). + List of OAuth scopes to assign to `access_token` secrets generated under this static account (`access_token` static accounts only) items: type: string type: array + x-kubernetes-list-type: set type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. 
It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -219,9 +380,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -231,57 +393,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -291,17 +417,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -311,21 +439,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -340,21 +468,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -365,14 +494,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -388,26 +518,23 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: backend is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) - || has(self.initProvider.backend)' - - message: serviceAccountEmail is a required parameter + - message: spec.forProvider.serviceAccountEmail is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.serviceAccountEmail) - || has(self.initProvider.serviceAccountEmail)' - - message: staticAccount is a required parameter + || (has(self.initProvider) && has(self.initProvider.serviceAccountEmail))' + - message: spec.forProvider.staticAccount is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.staticAccount) - || has(self.initProvider.staticAccount)' + || (has(self.initProvider) && has(self.initProvider.staticAccount))' status: description: SecretStaticAccountStatus defines the observed state of SecretStaticAccount. properties: atProvider: properties: backend: - description: Path where the GCP Secrets Engine is mounted Path - where the GCP secrets engine is mounted. + description: |- + Path where the GCP Secrets Engine is mounted + Path where the GCP secrets engine is mounted. type: string binding: description: Bindings to create for this static account. This 
@@ -416,55 +543,58 @@ spec: items: properties: resource: - description: Resource or resource path for which IAM policy - information will be bound. The resource path may be specified - in a few different formats. Resource name + description: |- + Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats. + Resource name type: string roles: - description: List of GCP IAM roles for the resource. List - of roles to apply to the resource + description: |- + List of GCP IAM roles for the resource. + List of roles to apply to the resource items: type: string type: array + x-kubernetes-list-type: set type: object type: array id: type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string secretType: - description: 'Type of secret generated for this static account. - Accepted values: access_token, service_account_key. Defaults - to access_token. Type of secret generated for this static account. - Defaults to `access_token`. Accepted values: `access_token`, - `service_account_key`' + description: |- + Type of secret generated for this static account. Accepted values: access_token, service_account_key. Defaults to access_token. + Type of secret generated for this static account. Defaults to `access_token`. Accepted values: `access_token`, `service_account_key` type: string serviceAccountEmail: - description: Email of the GCP service account to manage. 
Email - of the GCP service account. + description: |- + Email of the GCP service account to manage. + Email of the GCP service account. type: string serviceAccountProject: - description: Project the service account belongs to. Project of - the GCP Service Account managed by this static account + description: |- + Project the service account belongs to. + Project of the GCP Service Account managed by this static account type: string staticAccount: - description: Name of the Static Account to create Name of the - Static Account to create + description: |- + Name of the Static Account to create + Name of the Static Account to create type: string tokenScopes: - description: List of OAuth scopes to assign to access_token secrets - generated under this static account (access_token static accounts - only). List of OAuth scopes to assign to `access_token` secrets - generated under this static account (`access_token` static accounts - only) + description: |- + List of OAuth scopes to assign to access_token secrets generated under this static account (access_token static accounts only). + List of OAuth scopes to assign to `access_token` secrets generated under this static account (`access_token` static accounts only) items: type: string type: array + x-kubernetes-list-type: set type: object conditions: description: Conditions of the resource. 
@@ -472,14 +602,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -489,8 +628,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -499,6 +639,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/generic.vault.upbound.io_endpoints.yaml b/package/crds/generic.vault.upbound.io_endpoints.yaml index dc52fd3d..a2d83a54 100644 --- a/package/crds/generic.vault.upbound.io_endpoints.yaml +++ b/package/crds/generic.vault.upbound.io_endpoints.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: endpoints.generic.vault.upbound.io spec: group: generic.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: data to a given path in Vault properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete @@ -68,9 +74,10 @@ spec: forProvider: properties: dataJsonSecretRef: - description: String containing a JSON-encoded object that will - be written to the given path as the secret data. JSON-encoded - data to write. + description: |- + String containing a JSON-encoded object that will be + written to the given path as the secret data. + JSON-encoded data to write. properties: key: description: The key to select. 
@@ -87,137 +94,172 @@ spec: - namespace type: object disableDelete: - description: True/false. Set this to true if your vault authentication - is not able to delete the data or if the endpoint does not support - the DELETE method. Defaults to false. Don't attempt to delete - the path from Vault if true + description: |- + True/false. Set this to true if your + vault authentication is not able to delete the data or if the endpoint + does not support the DELETE method. Defaults to false. + Don't attempt to delete the path from Vault if true type: boolean disableRead: - description: True/false. Set this to true if your vault authentication - is not able to read the data or if the endpoint does not support - the GET method. Setting this to true will break drift detection. - You should set this to true for endpoints that are write-only. - Defaults to false. Don't attempt to read the path from Vault - if true; drift won't be detected + description: |- + True/false. Set this to true if your vault + authentication is not able to read the data or if the endpoint does + not support the GET method. Setting this to true will break drift + detection. You should set this to true for endpoints that are + write-only. Defaults to false. + Don't attempt to read the path from Vault if true; drift won't be detected type: boolean ignoreAbsentFields: - description: True/false. If set to true, ignore any fields present - when the endpoint is read but that were not in data_json. Also, - if a field that was written is not returned when the endpoint - is read, treat that field as being up to date. You should set - this to true when writing to endpoint that, when read, returns - a different set of fields from the ones you wrote, as is common - with many configuration endpoints. Defaults to false. When reading, - disregard fields not present in data_json + description: |- + True/false. If set to true, + ignore any fields present when the endpoint is read but that were not + in data_json. 
Also, if a field that was written is not returned when + the endpoint is read, treat that field as being up to date. You should + set this to true when writing to endpoint that, when read, returns a + different set of fields from the ones you wrote, as is common with + many configuration endpoints. Defaults to false. + When reading, disregard fields not present in data_json type: boolean namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: The full logical path at which to write the given + description: |- + The full logical path at which to write the given data. Consult each backend's documentation to see which endpoints support the PUT methods and to determine whether they also support - DELETE and GET. Full path where to the endpoint that will be - written + DELETE and GET. + Full path where to the endpoint that will be written type: string writeFields: - description: . A list of fields that should be returned in write_data_json - and write_data. If omitted, data returned by the write operation - is not available to the resource or included in state. This - helps to avoid accidental storage of sensitive values in state. - Some endpoints, such as many dynamic secrets endpoints, return - data from writing to an endpoint rather than reading it. You - should use write_fields if you need information returned in - this way. Top-level fields returned by write to persist in state + description: |- + . 
A list of fields that should be returned + in write_data_json and write_data. If omitted, data returned by + the write operation is not available to the resource or included in + state. This helps to avoid accidental storage of sensitive values in + state. Some endpoints, such as many dynamic secrets endpoints, return + data from writing to an endpoint rather than reading it. You should + use write_fields if you need information returned in this way. + Top-level fields returned by write to persist in state items: type: string type: array type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. 
properties: + dataJsonSecretRef: + description: |- + String containing a JSON-encoded object that will be + written to the given path as the secret data. + JSON-encoded data to write. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object disableDelete: - description: True/false. Set this to true if your vault authentication - is not able to delete the data or if the endpoint does not support - the DELETE method. Defaults to false. Don't attempt to delete - the path from Vault if true + description: |- + True/false. Set this to true if your + vault authentication is not able to delete the data or if the endpoint + does not support the DELETE method. Defaults to false. + Don't attempt to delete the path from Vault if true type: boolean disableRead: - description: True/false. Set this to true if your vault authentication - is not able to read the data or if the endpoint does not support - the GET method. Setting this to true will break drift detection. - You should set this to true for endpoints that are write-only. - Defaults to false. Don't attempt to read the path from Vault - if true; drift won't be detected + description: |- + True/false. Set this to true if your vault + authentication is not able to read the data or if the endpoint does + not support the GET method. Setting this to true will break drift + detection. You should set this to true for endpoints that are + write-only. Defaults to false. + Don't attempt to read the path from Vault if true; drift won't be detected type: boolean ignoreAbsentFields: - description: True/false. If set to true, ignore any fields present - when the endpoint is read but that were not in data_json. Also, - if a field that was written is not returned when the endpoint - is read, treat that field as being up to date. 
You should set - this to true when writing to endpoint that, when read, returns - a different set of fields from the ones you wrote, as is common - with many configuration endpoints. Defaults to false. When reading, - disregard fields not present in data_json + description: |- + True/false. If set to true, + ignore any fields present when the endpoint is read but that were not + in data_json. Also, if a field that was written is not returned when + the endpoint is read, treat that field as being up to date. You should + set this to true when writing to endpoint that, when read, returns a + different set of fields from the ones you wrote, as is common with + many configuration endpoints. Defaults to false. + When reading, disregard fields not present in data_json type: boolean namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: The full logical path at which to write the given + description: |- + The full logical path at which to write the given data. Consult each backend's documentation to see which endpoints support the PUT methods and to determine whether they also support - DELETE and GET. Full path where to the endpoint that will be - written + DELETE and GET. + Full path where to the endpoint that will be written type: string writeFields: - description: . A list of fields that should be returned in write_data_json - and write_data. 
If omitted, data returned by the write operation - is not available to the resource or included in state. This - helps to avoid accidental storage of sensitive values in state. - Some endpoints, such as many dynamic secrets endpoints, return - data from writing to an endpoint rather than reading it. You - should use write_fields if you need information returned in - this way. Top-level fields returned by write to persist in state + description: |- + . A list of fields that should be returned + in write_data_json and write_data. If omitted, data returned by + the write operation is not available to the resource or included in + state. This helps to avoid accidental storage of sensitive values in + state. Some endpoints, such as many dynamic secrets endpoints, return + data from writing to an endpoint rather than reading it. You should + use write_fields if you need information returned in this way. + Top-level fields returned by write to persist in state items: type: string type: array + required: + - dataJsonSecretRef type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. 
See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
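Review bot: The `required: - dataJsonSecretRef` list added under `initProvider` makes the secret reference mandatory for any object that sets `spec.initProvider` at all, while the validation rule in the later `@@ -399,82 +410,91 @@` hunk still accepts only `has(self.forProvider.dataJsonSecretRef)`. Read together, a manifest that uses `initProvider` just for `path` would have to carry the same secret reference in both blocks, and existing objects that set `initProvider` without it may be rejected on their next update; this is inferred from the schema and not confirmed against an API server. Since this CRD looks generated, the change belongs in the generator configuration: drop the `required` entry from `initProvider`, or extend the rule with `|| (has(self.initProvider) && has(self.initProvider.dataJsonSecretRef))` so it matches the `path` rule.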
@@ -230,45 +272,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -278,21 +285,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -302,17 +309,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -322,21 +331,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -351,21 +360,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -376,14 +386,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -399,82 +410,91 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: dataJsonSecretRef is a required parameter + - message: spec.forProvider.dataJsonSecretRef is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.dataJsonSecretRef)' - - message: path is a required parameter + - message: spec.forProvider.path is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.path) - || has(self.initProvider.path)' + || (has(self.initProvider) && has(self.initProvider.path))' status: description: EndpointStatus defines the observed state of Endpoint. properties: atProvider: properties: disableDelete: - description: True/false. Set this to true if your vault authentication - is not able to delete the data or if the endpoint does not support - the DELETE method. Defaults to false. Don't attempt to delete - the path from Vault if true + description: |- + True/false. Set this to true if your + vault authentication is not able to delete the data or if the endpoint + does not support the DELETE method. Defaults to false. + Don't attempt to delete the path from Vault if true type: boolean disableRead: - description: True/false. Set this to true if your vault authentication - is not able to read the data or if the endpoint does not support - the GET method. Setting this to true will break drift detection. - You should set this to true for endpoints that are write-only. - Defaults to false. Don't attempt to read the path from Vault - if true; drift won't be detected + description: |- + True/false. Set this to true if your vault + authentication is not able to read the data or if the endpoint does + not support the GET method. Setting this to true will break drift + detection. 
You should set this to true for endpoints that are + write-only. Defaults to false. + Don't attempt to read the path from Vault if true; drift won't be detected type: boolean id: type: string ignoreAbsentFields: - description: True/false. If set to true, ignore any fields present - when the endpoint is read but that were not in data_json. Also, - if a field that was written is not returned when the endpoint - is read, treat that field as being up to date. You should set - this to true when writing to endpoint that, when read, returns - a different set of fields from the ones you wrote, as is common - with many configuration endpoints. Defaults to false. When reading, - disregard fields not present in data_json + description: |- + True/false. If set to true, + ignore any fields present when the endpoint is read but that were not + in data_json. Also, if a field that was written is not returned when + the endpoint is read, treat that field as being up to date. You should + set this to true when writing to endpoint that, when read, returns a + different set of fields from the ones you wrote, as is common with + many configuration endpoints. Defaults to false. + When reading, disregard fields not present in data_json type: boolean namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: The full logical path at which to write the given + description: |- + The full logical path at which to write the given data. 
Consult each backend's documentation to see which endpoints support the PUT methods and to determine whether they also support - DELETE and GET. Full path where to the endpoint that will be - written + DELETE and GET. + Full path where to the endpoint that will be written type: string writeData: additionalProperties: type: string - description: A map whose keys are the top-level data keys returned - from Vault by the write operation and whose values are the corresponding - values. This map can only represent string data, so any non-string - values returned from Vault are serialized as JSON. Only fields - set in write_fields are present in the JSON data. Map of strings - returned by write operation + description: |- + A map whose keys are the top-level data keys + returned from Vault by the write operation and whose values are the + corresponding values. This map can only represent string data, so + any non-string values returned from Vault are serialized as JSON. + Only fields set in write_fields are present in the JSON data. + Map of strings returned by write operation type: object + x-kubernetes-map-type: granular writeDataJson: - description: The JSON data returned by the write operation. Only - fields set in write_fields are present in the JSON data. JSON - data returned by write operation + description: |- + The JSON data returned by the write operation. + Only fields set in write_fields are present in the JSON data. + JSON data returned by write operation type: string writeFields: - description: . A list of fields that should be returned in write_data_json - and write_data. If omitted, data returned by the write operation - is not available to the resource or included in state. This - helps to avoid accidental storage of sensitive values in state. - Some endpoints, such as many dynamic secrets endpoints, return - data from writing to an endpoint rather than reading it. You - should use write_fields if you need information returned in - this way. 
Top-level fields returned by write to persist in state + description: |- + . A list of fields that should be returned + in write_data_json and write_data. If omitted, data returned by + the write operation is not available to the resource or included in + state. This helps to avoid accidental storage of sensitive values in + state. Some endpoints, such as many dynamic secrets endpoints, return + data from writing to an endpoint rather than reading it. You should + use write_fields if you need information returned in this way. + Top-level fields returned by write to persist in state items: type: string type: array @@ -485,14 +505,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. 
@@ -502,8 +531,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -512,6 +542,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/generic.vault.upbound.io_secrets.yaml b/package/crds/generic.vault.upbound.io_secrets.yaml index facc6f46..70263fa0 100644 --- a/package/crds/generic.vault.upbound.io_secrets.yaml +++ b/package/crds/generic.vault.upbound.io_secrets.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secrets.generic.vault.upbound.io spec: group: generic.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: to a given path in Vault properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete @@ -68,9 +74,10 @@ spec: forProvider: properties: dataJsonSecretRef: - description: String containing a JSON-encoded object that will - be written as the secret data at the given path. JSON-encoded - secret data to write. + description: |- + String containing a JSON-encoded object that will be + written as the secret data at the given path. + JSON-encoded secret data to write. properties: key: description: The key to select. 
@@ -87,95 +94,124 @@ spec: - namespace type: object deleteAllVersions: - description: true/false. Only applicable for kv-v2 stores. If - set to true, permanently deletes all versions for the specified - key. The default behavior is to only delete the latest version - of the secret. Only applicable for kv-v2 stores. If set, permanently - deletes all versions for the specified key. + description: |- + true/false. Only applicable for kv-v2 stores. + If set to true, permanently deletes all versions for + the specified key. The default behavior is to only delete the latest version of the + secret. + Only applicable for kv-v2 stores. If set, permanently deletes all versions for the specified key. type: boolean disableRead: - description: true/false. Set this to true if your vault authentication - is not able to read the data. Setting this to true will break - drift detection. Defaults to false. Don't attempt to read the - token from Vault if true; drift won't be detected. + description: |- + true/false. Set this to true if your vault + authentication is not able to read the data. Setting this to true will + break drift detection. Defaults to false. + Don't attempt to read the token from Vault if true; drift won't be detected. type: boolean namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: The full logical path at which to write the given - data. 
To write data into the "generic" secret backend mounted - in Vault by default, this should be prefixed with secret/. Writing - to other backends with this resource is possible; consult each - backend's documentation to see which endpoints support the PUT - and DELETE methods. Full path where the generic secret will - be written. + description: |- + The full logical path at which to write the given data. + To write data into the "generic" secret backend mounted in Vault by default, + this should be prefixed with secret/. Writing to other backends with this + resource is possible; consult each backend's documentation to see which + endpoints support the PUT and DELETE methods. + Full path where the generic secret will be written. type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. 
This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: + dataJsonSecretRef: + description: |- + String containing a JSON-encoded object that will be + written as the secret data at the given path. + JSON-encoded secret data to write. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object deleteAllVersions: - description: true/false. Only applicable for kv-v2 stores. If - set to true, permanently deletes all versions for the specified - key. The default behavior is to only delete the latest version - of the secret. Only applicable for kv-v2 stores. If set, permanently - deletes all versions for the specified key. + description: |- + true/false. Only applicable for kv-v2 stores. + If set to true, permanently deletes all versions for + the specified key. The default behavior is to only delete the latest version of the + secret. + Only applicable for kv-v2 stores. If set, permanently deletes all versions for the specified key. type: boolean disableRead: - description: true/false. Set this to true if your vault authentication - is not able to read the data. Setting this to true will break - drift detection. Defaults to false. Don't attempt to read the - token from Vault if true; drift won't be detected. + description: |- + true/false. Set this to true if your vault + authentication is not able to read the data. Setting this to true will + break drift detection. Defaults to false. + Don't attempt to read the token from Vault if true; drift won't be detected. type: boolean namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. 
The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: The full logical path at which to write the given - data. To write data into the "generic" secret backend mounted - in Vault by default, this should be prefixed with secret/. Writing - to other backends with this resource is possible; consult each - backend's documentation to see which endpoints support the PUT - and DELETE methods. Full path where the generic secret will - be written. + description: |- + The full logical path at which to write the given data. + To write data into the "generic" secret backend mounted in Vault by default, + this should be prefixed with secret/. Writing to other backends with this + resource is possible; consult each backend's documentation to see which + endpoints support the PUT and DELETE methods. + Full path where the generic secret will be written. type: string + required: + - dataJsonSecretRef type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. 
See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
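Review bot: The `required: - dataJsonSecretRef` entry added at the end of the `initProvider` schema means a manifest that sets `initProvider` at all (for example only `path`) is rejected unless it also carries a secret reference there. The `dataJsonSecretRef` rule in the later `x-kubernetes-validations` hunk still accepts only `has(self.forProvider.dataJsonSecretRef)`, so a reference under `initProvider` is mandatory yet does not satisfy that rule, unlike `path`, whose rule now accepts `(has(self.initProvider) && has(self.initProvider.path))`. If the asymmetry is not intended, either drop the `required` entry or extend the rule with `|| (has(self.initProvider) && has(self.initProvider.dataJsonSecretRef))`. This CRD appears to be generated, so the change would belong in the generator input rather than in this YAML.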
@@ -188,45 +224,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -236,21 +237,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -260,17 +261,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -280,21 +283,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -309,21 +312,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -334,14 +338,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -357,48 +362,51 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: dataJsonSecretRef is a required parameter + - message: spec.forProvider.dataJsonSecretRef is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.dataJsonSecretRef)' - - message: path is a required parameter + - message: spec.forProvider.path is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.path) - || has(self.initProvider.path)' + || (has(self.initProvider) && has(self.initProvider.path))' status: description: SecretStatus defines the observed state of Secret. properties: atProvider: properties: deleteAllVersions: - description: true/false. Only applicable for kv-v2 stores. If - set to true, permanently deletes all versions for the specified - key. The default behavior is to only delete the latest version - of the secret. Only applicable for kv-v2 stores. If set, permanently - deletes all versions for the specified key. + description: |- + true/false. Only applicable for kv-v2 stores. + If set to true, permanently deletes all versions for + the specified key. The default behavior is to only delete the latest version of the + secret. + Only applicable for kv-v2 stores. If set, permanently deletes all versions for the specified key. type: boolean disableRead: - description: true/false. Set this to true if your vault authentication - is not able to read the data. Setting this to true will break - drift detection. Defaults to false. Don't attempt to read the - token from Vault if true; drift won't be detected. + description: |- + true/false. Set this to true if your vault + authentication is not able to read the data. Setting this to true will + break drift detection. Defaults to false. 
+ Don't attempt to read the token from Vault if true; drift won't be detected. type: boolean id: type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: The full logical path at which to write the given - data. To write data into the "generic" secret backend mounted - in Vault by default, this should be prefixed with secret/. Writing - to other backends with this resource is possible; consult each - backend's documentation to see which endpoints support the PUT - and DELETE methods. Full path where the generic secret will - be written. + description: |- + The full logical path at which to write the given data. + To write data into the "generic" secret backend mounted in Vault by default, + this should be prefixed with secret/. Writing to other backends with this + resource is possible; consult each backend's documentation to see which + endpoints support the PUT and DELETE methods. + Full path where the generic secret will be written. type: string type: object conditions: 
@@ -407,14 +415,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -424,8 +441,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -434,6 +452,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/github.vault.upbound.io_authbackends.yaml b/package/crds/github.vault.upbound.io_authbackends.yaml index 40a856b0..6f31fd47 100644 --- a/package/crds/github.vault.upbound.io_authbackends.yaml +++ b/package/crds/github.vault.upbound.io_authbackends.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: authbackends.github.vault.upbound.io spec: group: github.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: Auth mounts in Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,101 +74,115 @@ spec: forProvider: properties: baseUrl: - description: The API endpoint to use. Useful if you are running - GitHub Enterprise or an API-compatible authentication server. - The API endpoint to use. Useful if you are running GitHub Enterprise - or an API-compatible authentication server. + description: |- + The API endpoint to use. Useful if you + are running GitHub Enterprise or an API-compatible authentication server. + The API endpoint to use. Useful if you are running GitHub Enterprise or an API-compatible authentication server. type: string description: - description: Specifies the description of the mount. This overrides - the current stored value, if any. Specifies the description - of the mount. This overrides the current stored value, if any. + description: |- + Specifies the description of the mount. + This overrides the current stored value, if any. + Specifies the description of the mount. This overrides the current stored value, if any. type: string disableRemount: - description: If set, opts out of mount migration on path updates. - See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. type: boolean namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. 
(requires Enterprise) type: string organization: - description: The organization configured users must be part of. + description: |- + The organization configured users must be part of. The organization users must be part of. type: string organizationId: - description: The ID of the organization users must be part of. - Vault will attempt to fetch and set this value if it is not - provided. (Vault 1.10+) The ID of the organization users must - be part of. Vault will attempt to fetch and set this value if - it is not provided (vault-1.10+) + description: |- + The ID of the organization users must be part of. + Vault will attempt to fetch and set this value if it is not provided. (Vault 1.10+) + The ID of the organization users must be part of. Vault will attempt to fetch and set this value if it is not provided (vault-1.10+) type: number path: - description: Path where the auth backend is mounted. Defaults - to auth/github if not specified. Path where the auth backend - is mounted + description: |- + Path where the auth backend is mounted. Defaults to auth/github + if not specified. + Path where the auth backend is mounted type: string tokenBoundCidrs: - description: List of CIDR blocks; if set, specifies blocks of - IP addresses which can authenticate successfully, and ties the - resulting token to these blocks as well. Specifies the blocks - of IP addresses which are allowed to use the generated token + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + Specifies the blocks of IP addresses which are allowed to use the generated token items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: - description: If set, will encode an explicit max TTL onto the - token in number of seconds. This is a hard cap even if token_ttl - and token_max_ttl would otherwise allow a renewal. 
Generated - Token's Explicit Maximum TTL in seconds + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + Generated Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime for generated tokens in number - of seconds. Its current value will be referenced at renewal - time. The maximum lifetime of the generated token + description: |- + The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If set, the default policy will not be set on generated - tokens; otherwise it will be added to the policies set in token_policies. - If true, the 'default' policy will not automatically be added - to generated tokens + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a generated token may - be used (within its lifetime); 0 means unlimited. The maximum - number of times a token may be used, a value of zero means unlimited + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + The maximum number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: If set, indicates that the token generated using - this role should never expire. The token should be renewed within - the duration specified by this value. At each renewal, the token's - TTL will be set to the value of this field. Specified in seconds. 
+ description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. Generated Token's Period type: number tokenPolicies: - description: List of policies to encode onto generated tokens. - Depending on the auth method, this list may be supplemented - by user/group/other values. Generated Token's Policies + description: |- + List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + Generated Token's Policies items: type: string type: array + x-kubernetes-list-type: set tokenTtl: - description: The incremental lifetime for generated tokens in - number of seconds. Its current value will be referenced at renewal - time. The initial ttl of the token to generate in seconds + description: |- + The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The initial ttl of the token to generate in seconds type: number tokenType: - description: 'The type of token that should be generated. Can - be service, batch, or default to use the mount''s tuned default - (which unless changed will be service tokens). For token store - roles, there are two additional possibilities: default-service - and default-batch which specify the type to return unless the - client requests a different type at generation time. The type - of token to generate, service or batch' + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. 
+ The type of token to generate, service or batch type: string tune: description: Extra configuration block. Structure is documented 
@@ -170,161 +190,181 @@ spec: items: properties: allowedResponseHeaders: - description: List of headers to whitelist and allowing a - plugin to include them in the response. + description: |- + List of headers to whitelist and allowing + a plugin to include them in the response. items: type: string type: array auditNonHmacRequestKeys: - description: Specifies the list of keys that will not be - HMAC'd by audit devices in the request data object. + description: |- + Specifies the list of keys that will + not be HMAC'd by audit devices in the request data object. items: type: string type: array auditNonHmacResponseKeys: - description: Specifies the list of keys that will not be - HMAC'd by audit devices in the response data object. + description: |- + Specifies the list of keys that will + not be HMAC'd by audit devices in the response data object. items: type: string type: array defaultLeaseTtl: - description: Specifies the default time-to-live. If set, - this overrides the global default. Must be a valid duration - string + description: |- + Specifies the default time-to-live. + If set, this overrides the global default. + Must be a valid duration string type: string listingVisibility: - description: Specifies whether to show this mount in the - UI-specific listing endpoint. Valid values are "unauth" - or "hidden". + description: |- + Specifies whether to show this mount in + the UI-specific listing endpoint. Valid values are "unauth" or "hidden". type: string maxLeaseTtl: - description: Specifies the maximum time-to-live. If set, - this overrides the global default. Must be a valid duration - string + description: |- + Specifies the maximum time-to-live. + If set, this overrides the global default. + Must be a valid duration string type: string passthroughRequestHeaders: - description: List of headers to whitelist and pass from - the request to the backend. + description: |- + List of headers to whitelist and + pass from the request to the backend. 
items: type: string type: array tokenType: - description: Specifies the type of tokens that should be - returned by the mount. Valid values are "default-service", - "default-batch", "service", "batch". + description: |- + Specifies the type of tokens that should be returned by + the mount. Valid values are "default-service", "default-batch", "service", "batch". type: string type: object type: array type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: baseUrl: - description: The API endpoint to use. Useful if you are running - GitHub Enterprise or an API-compatible authentication server. - The API endpoint to use. 
Useful if you are running GitHub Enterprise - or an API-compatible authentication server. + description: |- + The API endpoint to use. Useful if you + are running GitHub Enterprise or an API-compatible authentication server. + The API endpoint to use. Useful if you are running GitHub Enterprise or an API-compatible authentication server. type: string description: - description: Specifies the description of the mount. This overrides - the current stored value, if any. Specifies the description - of the mount. This overrides the current stored value, if any. + description: |- + Specifies the description of the mount. + This overrides the current stored value, if any. + Specifies the description of the mount. This overrides the current stored value, if any. type: string disableRemount: - description: If set, opts out of mount migration on path updates. - See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. type: boolean namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string organization: - description: The organization configured users must be part of. + description: |- + The organization configured users must be part of. The organization users must be part of. 
type: string organizationId: - description: The ID of the organization users must be part of. - Vault will attempt to fetch and set this value if it is not - provided. (Vault 1.10+) The ID of the organization users must - be part of. Vault will attempt to fetch and set this value if - it is not provided (vault-1.10+) + description: |- + The ID of the organization users must be part of. + Vault will attempt to fetch and set this value if it is not provided. (Vault 1.10+) + The ID of the organization users must be part of. Vault will attempt to fetch and set this value if it is not provided (vault-1.10+) type: number path: - description: Path where the auth backend is mounted. Defaults - to auth/github if not specified. Path where the auth backend - is mounted + description: |- + Path where the auth backend is mounted. Defaults to auth/github + if not specified. + Path where the auth backend is mounted type: string tokenBoundCidrs: - description: List of CIDR blocks; if set, specifies blocks of - IP addresses which can authenticate successfully, and ties the - resulting token to these blocks as well. Specifies the blocks - of IP addresses which are allowed to use the generated token + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + Specifies the blocks of IP addresses which are allowed to use the generated token items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: - description: If set, will encode an explicit max TTL onto the - token in number of seconds. This is a hard cap even if token_ttl - and token_max_ttl would otherwise allow a renewal. Generated - Token's Explicit Maximum TTL in seconds + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. 
+ Generated Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime for generated tokens in number - of seconds. Its current value will be referenced at renewal - time. The maximum lifetime of the generated token + description: |- + The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If set, the default policy will not be set on generated - tokens; otherwise it will be added to the policies set in token_policies. - If true, the 'default' policy will not automatically be added - to generated tokens + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a generated token may - be used (within its lifetime); 0 means unlimited. The maximum - number of times a token may be used, a value of zero means unlimited + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + The maximum number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: If set, indicates that the token generated using - this role should never expire. The token should be renewed within - the duration specified by this value. At each renewal, the token's - TTL will be set to the value of this field. Specified in seconds. + description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. 
Generated Token's Period type: number tokenPolicies: - description: List of policies to encode onto generated tokens. - Depending on the auth method, this list may be supplemented - by user/group/other values. Generated Token's Policies + description: |- + List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + Generated Token's Policies items: type: string type: array + x-kubernetes-list-type: set tokenTtl: - description: The incremental lifetime for generated tokens in - number of seconds. Its current value will be referenced at renewal - time. The initial ttl of the token to generate in seconds + description: |- + The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The initial ttl of the token to generate in seconds type: number tokenType: - description: 'The type of token that should be generated. Can - be service, batch, or default to use the mount''s tuned default - (which unless changed will be service tokens). For token store - roles, there are two additional possibilities: default-service - and default-batch which specify the type to return unless the - client requests a different type at generation time. The type - of token to generate, service or batch' + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. + The type of token to generate, service or batch type: string tune: description: Extra configuration block. Structure is documented 
@@ -332,48 +372,54 @@ spec: items: properties: allowedResponseHeaders: - description: List of headers to whitelist and allowing a - plugin to include them in the response. + description: |- + List of headers to whitelist and allowing + a plugin to include them in the response. items: type: string type: array auditNonHmacRequestKeys: - description: Specifies the list of keys that will not be - HMAC'd by audit devices in the request data object. + description: |- + Specifies the list of keys that will + not be HMAC'd by audit devices in the request data object. items: type: string type: array auditNonHmacResponseKeys: - description: Specifies the list of keys that will not be - HMAC'd by audit devices in the response data object. + description: |- + Specifies the list of keys that will + not be HMAC'd by audit devices in the response data object. items: type: string type: array defaultLeaseTtl: - description: Specifies the default time-to-live. If set, - this overrides the global default. Must be a valid duration - string + description: |- + Specifies the default time-to-live. + If set, this overrides the global default. + Must be a valid duration string type: string listingVisibility: - description: Specifies whether to show this mount in the - UI-specific listing endpoint. Valid values are "unauth" - or "hidden". + description: |- + Specifies whether to show this mount in + the UI-specific listing endpoint. Valid values are "unauth" or "hidden". type: string maxLeaseTtl: - description: Specifies the maximum time-to-live. If set, - this overrides the global default. Must be a valid duration - string + description: |- + Specifies the maximum time-to-live. + If set, this overrides the global default. + Must be a valid duration string type: string passthroughRequestHeaders: - description: List of headers to whitelist and pass from - the request to the backend. + description: |- + List of headers to whitelist and + pass from the request to the backend. 
items: type: string type: array tokenType: - description: Specifies the type of tokens that should be - returned by the mount. Valid values are "default-service", - "default-batch", "service", "batch". + description: |- + Specifies the type of tokens that should be returned by + the mount. Valid values are "default-service", "default-batch", "service", "batch". type: string type: object type: array 
@@ -381,20 +427,21 @@ spec: managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. 
+ description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -407,45 +454,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -455,21 +467,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -479,17 +491,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -499,21 +513,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -528,21 +542,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -553,14 +568,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -576,118 +592,132 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: organization is a required parameter + - message: spec.forProvider.organization is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.organization) - || has(self.initProvider.organization)' + || (has(self.initProvider) && has(self.initProvider.organization))' status: description: AuthBackendStatus defines the observed state of AuthBackend. properties: atProvider: properties: accessor: - description: The mount accessor related to the auth mount. It - is useful for integration with Identity Secrets Engine. The - mount accessor related to the auth mount. + description: |- + The mount accessor related to the auth mount. It is useful for integration with Identity Secrets Engine. + The mount accessor related to the auth mount. type: string baseUrl: - description: The API endpoint to use. Useful if you are running - GitHub Enterprise or an API-compatible authentication server. - The API endpoint to use. Useful if you are running GitHub Enterprise - or an API-compatible authentication server. + description: |- + The API endpoint to use. Useful if you + are running GitHub Enterprise or an API-compatible authentication server. + The API endpoint to use. Useful if you are running GitHub Enterprise or an API-compatible authentication server. type: string description: - description: Specifies the description of the mount. This overrides - the current stored value, if any. Specifies the description - of the mount. This overrides the current stored value, if any. + description: |- + Specifies the description of the mount. + This overrides the current stored value, if any. + Specifies the description of the mount. This overrides the current stored value, if any. type: string disableRemount: - description: If set, opts out of mount migration on path updates. 
- See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. type: boolean id: type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string organization: - description: The organization configured users must be part of. + description: |- + The organization configured users must be part of. The organization users must be part of. type: string organizationId: - description: The ID of the organization users must be part of. - Vault will attempt to fetch and set this value if it is not - provided. (Vault 1.10+) The ID of the organization users must - be part of. Vault will attempt to fetch and set this value if - it is not provided (vault-1.10+) + description: |- + The ID of the organization users must be part of. + Vault will attempt to fetch and set this value if it is not provided. (Vault 1.10+) + The ID of the organization users must be part of. Vault will attempt to fetch and set this value if it is not provided (vault-1.10+) type: number path: - description: Path where the auth backend is mounted. Defaults - to auth/github if not specified. Path where the auth backend - is mounted + description: |- + Path where the auth backend is mounted. Defaults to auth/github + if not specified. 
+ Path where the auth backend is mounted type: string tokenBoundCidrs: - description: List of CIDR blocks; if set, specifies blocks of - IP addresses which can authenticate successfully, and ties the - resulting token to these blocks as well. Specifies the blocks - of IP addresses which are allowed to use the generated token + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + Specifies the blocks of IP addresses which are allowed to use the generated token items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: - description: If set, will encode an explicit max TTL onto the - token in number of seconds. This is a hard cap even if token_ttl - and token_max_ttl would otherwise allow a renewal. Generated - Token's Explicit Maximum TTL in seconds + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + Generated Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime for generated tokens in number - of seconds. Its current value will be referenced at renewal - time. The maximum lifetime of the generated token + description: |- + The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If set, the default policy will not be set on generated - tokens; otherwise it will be added to the policies set in token_policies. - If true, the 'default' policy will not automatically be added - to generated tokens + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. 
+ If true, the 'default' policy will not automatically be added to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a generated token may - be used (within its lifetime); 0 means unlimited. The maximum - number of times a token may be used, a value of zero means unlimited + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + The maximum number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: If set, indicates that the token generated using - this role should never expire. The token should be renewed within - the duration specified by this value. At each renewal, the token's - TTL will be set to the value of this field. Specified in seconds. + description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. Generated Token's Period type: number tokenPolicies: - description: List of policies to encode onto generated tokens. - Depending on the auth method, this list may be supplemented - by user/group/other values. Generated Token's Policies + description: |- + List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + Generated Token's Policies items: type: string type: array + x-kubernetes-list-type: set tokenTtl: - description: The incremental lifetime for generated tokens in - number of seconds. Its current value will be referenced at renewal - time. The initial ttl of the token to generate in seconds + description: |- + The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. 
+ The initial ttl of the token to generate in seconds type: number tokenType: - description: 'The type of token that should be generated. Can - be service, batch, or default to use the mount''s tuned default - (which unless changed will be service tokens). For token store - roles, there are two additional possibilities: default-service - and default-batch which specify the type to return unless the - client requests a different type at generation time. The type - of token to generate, service or batch' + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. + The type of token to generate, service or batch type: string tune: description: Extra configuration block. Structure is documented 
@@ -695,48 +725,54 @@ spec: items: properties: allowedResponseHeaders: - description: List of headers to whitelist and allowing a - plugin to include them in the response. + description: |- + List of headers to whitelist and allowing + a plugin to include them in the response. items: type: string type: array auditNonHmacRequestKeys: - description: Specifies the list of keys that will not be - HMAC'd by audit devices in the request data object. + description: |- + Specifies the list of keys that will + not be HMAC'd by audit devices in the request data object. items: type: string type: array auditNonHmacResponseKeys: - description: Specifies the list of keys that will not be - HMAC'd by audit devices in the response data object. + description: |- + Specifies the list of keys that will + not be HMAC'd by audit devices in the response data object. items: type: string type: array defaultLeaseTtl: - description: Specifies the default time-to-live. If set, - this overrides the global default. Must be a valid duration - string + description: |- + Specifies the default time-to-live. + If set, this overrides the global default. + Must be a valid duration string type: string listingVisibility: - description: Specifies whether to show this mount in the - UI-specific listing endpoint. Valid values are "unauth" - or "hidden". + description: |- + Specifies whether to show this mount in + the UI-specific listing endpoint. Valid values are "unauth" or "hidden". type: string maxLeaseTtl: - description: Specifies the maximum time-to-live. If set, - this overrides the global default. Must be a valid duration - string + description: |- + Specifies the maximum time-to-live. + If set, this overrides the global default. + Must be a valid duration string type: string passthroughRequestHeaders: - description: List of headers to whitelist and pass from - the request to the backend. + description: |- + List of headers to whitelist and + pass from the request to the backend. 
items: type: string type: array tokenType: - description: Specifies the type of tokens that should be - returned by the mount. Valid values are "default-service", - "default-batch", "service", "batch". + description: |- + Specifies the type of tokens that should be returned by + the mount. Valid values are "default-service", "default-batch", "service", "batch". type: string type: object type: array @@ -747,14 +783,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -764,8 +809,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime 
@@ -774,6 +820,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/github.vault.upbound.io_teams.yaml b/package/crds/github.vault.upbound.io_teams.yaml index eeda5d22..9ae13623 100644 --- a/package/crds/github.vault.upbound.io_teams.yaml +++ b/package/crds/github.vault.upbound.io_teams.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: teams.github.vault.upbound.io spec: group: github.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: Github Auth backend mounts in Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,21 +74,100 @@ spec: forProvider: properties: backend: - description: Path where the github auth backend is mounted. Defaults - to github if not specified. Auth backend to which team mapping - will be configured. + description: |- + Path where the github auth backend is mounted. Defaults to github + if not specified. + Auth backend to which team mapping will be configured. type: string + backendRef: + description: Reference to a AuthBackend in github to populate + backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a AuthBackend in github to populate + backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. 
+ The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string policies: - description: An array of strings specifying the policies to be - set on tokens issued using this role. Policies to be assigned - to this team. + description: |- + An array of strings specifying the policies to be set on tokens + issued using this role. + Policies to be assigned to this team. items: type: string type: array 
@@ -91,34 +176,113 @@ spec: type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: backend: - description: Path where the github auth backend is mounted. Defaults - to github if not specified. Auth backend to which team mapping - will be configured. + description: |- + Path where the github auth backend is mounted. Defaults to github + if not specified. + Auth backend to which team mapping will be configured. type: string + backendRef: + description: Reference to a AuthBackend in github to populate + backend. + properties: + name: + description: Name of the referenced object. 
+ type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a AuthBackend in github to populate + backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + type: object namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string policies: - description: An array of strings specifying the policies to be - set on tokens issued using this role. Policies to be assigned - to this team. + description: |- + An array of strings specifying the policies to be set on tokens + issued using this role. + Policies to be assigned to this team. items: type: string type: array 
@@ -129,20 +293,21 @@ spec: managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. 
+ description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -155,45 +320,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -203,21 +333,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -227,17 +357,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -247,21 +379,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -276,21 +408,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -301,14 +434,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -324,33 +458,36 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: team is a required parameter + - message: spec.forProvider.team is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.team) - || has(self.initProvider.team)' + || (has(self.initProvider) && has(self.initProvider.team))' status: description: TeamStatus defines the observed state of Team. properties: atProvider: properties: backend: - description: Path where the github auth backend is mounted. Defaults - to github if not specified. Auth backend to which team mapping - will be configured. + description: |- + Path where the github auth backend is mounted. Defaults to github + if not specified. + Auth backend to which team mapping will be configured. type: string id: type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string policies: - description: An array of strings specifying the policies to be - set on tokens issued using this role. Policies to be assigned - to this team. + description: |- + An array of strings specifying the policies to be set on tokens + issued using this role. + Policies to be assigned to this team. items: type: string type: array 
@@ -364,14 +501,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -381,8 +527,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -391,6 +538,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/github.vault.upbound.io_users.yaml b/package/crds/github.vault.upbound.io_users.yaml index 4a23ae95..c1b8e137 100644 
--- a/package/crds/github.vault.upbound.io_users.yaml +++ b/package/crds/github.vault.upbound.io_users.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: users.github.vault.upbound.io spec: group: github.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: Github Auth backend mounts in Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,81 +74,244 @@ spec: forProvider: properties: backend: - description: Path where the github auth backend is mounted. Defaults - to github if not specified. Auth backend to which user mapping - will be congigured. + description: |- + Path where the github auth backend is mounted. Defaults to github + if not specified. + Auth backend to which user mapping will be congigured. type: string + backendRef: + description: Reference to a AuthBackend in github to populate + backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a AuthBackend in github to populate + backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. 
+ The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string policies: - description: An array of strings specifying the policies to be - set on tokens issued using this role. Policies to be assigned - to this user. + description: |- + An array of strings specifying the policies to be set on tokens issued + using this role. + Policies to be assigned to this user. items: type: string type: array user: - description: GitHub user name. GitHub user name. + description: |- + GitHub user name. + GitHub user name. type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. 
The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: backend: - description: Path where the github auth backend is mounted. Defaults - to github if not specified. Auth backend to which user mapping - will be congigured. + description: |- + Path where the github auth backend is mounted. Defaults to github + if not specified. + Auth backend to which user mapping will be congigured. type: string + backendRef: + description: Reference to a AuthBackend in github to populate + backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a AuthBackend in github to populate + backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. 
+ The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string policies: - description: An array of strings specifying the policies to be - set on tokens issued using this role. Policies to be assigned - to this user. + description: |- + An array of strings specifying the policies to be set on tokens issued + using this role. + Policies to be assigned to this user. items: type: string type: array user: - description: GitHub user name. GitHub user name. + description: |- + GitHub user name. + GitHub user name. type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. 
Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -155,45 +324,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -203,21 +337,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -227,17 +361,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -247,21 +383,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -276,21 +412,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -301,14 +438,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -324,38 +462,43 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: user is a required parameter + - message: spec.forProvider.user is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.user) - || has(self.initProvider.user)' + || (has(self.initProvider) && has(self.initProvider.user))' status: description: UserStatus defines the observed state of User. properties: atProvider: properties: backend: - description: Path where the github auth backend is mounted. Defaults - to github if not specified. Auth backend to which user mapping - will be congigured. + description: |- + Path where the github auth backend is mounted. Defaults to github + if not specified. + Auth backend to which user mapping will be congigured. type: string id: type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string policies: - description: An array of strings specifying the policies to be - set on tokens issued using this role. Policies to be assigned - to this user. + description: |- + An array of strings specifying the policies to be set on tokens issued + using this role. + Policies to be assigned to this user. items: type: string type: array user: - description: GitHub user name. GitHub user name. + description: |- + GitHub user name. + GitHub user name. type: string type: object conditions: 
@@ -364,14 +507,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -381,8 +533,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -391,6 +544,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/identity.vault.upbound.io_entities.yaml b/package/crds/identity.vault.upbound.io_entities.yaml index 24107a80..bdebcb9d 100644 --- a/package/crds/identity.vault.upbound.io_entities.yaml +++ b/package/crds/identity.vault.upbound.io_entities.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: entities.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: Entity for Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,107 +74,116 @@ spec: forProvider: properties: disabled: - description: True/false Is this entity currently disabled. Defaults - to false Whether the entity is disabled. Disabled entities' - associated tokens cannot be used, but are not revoked. + description: |- + True/false Is this entity currently disabled. Defaults to false + Whether the entity is disabled. Disabled entities' associated tokens cannot be used, but are not revoked. type: boolean externalPolicies: - description: false by default. If set to true, this resource will - ignore any policies return from Vault or specified in the resource. - You can use vault_identity_entity_policies to manage policies - for this entity in a decoupled manner. Manage policies externally - through `vault_identity_entity_policies`. + description: |- + false by default. If set to true, this resource will ignore any policies return from Vault or specified in the resource. You can use vault_identity_entity_policies to manage policies for this entity in a decoupled manner. + Manage policies externally through `vault_identity_entity_policies`. type: boolean metadata: additionalProperties: type: string - description: A Map of additional metadata to associate with the - user. Metadata to be associated with the entity. + description: |- + A Map of additional metadata to associate with the user. + Metadata to be associated with the entity. type: object + x-kubernetes-map-type: granular name: - description: Name of the identity entity to create. Name of the - entity. + description: |- + Name of the identity entity to create. + Name of the entity. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. 
+ The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string policies: - description: A list of policies to apply to the entity. Policies - to be tied to the entity. + description: |- + A list of policies to apply to the entity. + Policies to be tied to the entity. items: type: string type: array + x-kubernetes-list-type: set type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: disabled: - description: True/false Is this entity currently disabled. 
Defaults - to false Whether the entity is disabled. Disabled entities' - associated tokens cannot be used, but are not revoked. + description: |- + True/false Is this entity currently disabled. Defaults to false + Whether the entity is disabled. Disabled entities' associated tokens cannot be used, but are not revoked. type: boolean externalPolicies: - description: false by default. If set to true, this resource will - ignore any policies return from Vault or specified in the resource. - You can use vault_identity_entity_policies to manage policies - for this entity in a decoupled manner. Manage policies externally - through `vault_identity_entity_policies`. + description: |- + false by default. If set to true, this resource will ignore any policies return from Vault or specified in the resource. You can use vault_identity_entity_policies to manage policies for this entity in a decoupled manner. + Manage policies externally through `vault_identity_entity_policies`. type: boolean metadata: additionalProperties: type: string - description: A Map of additional metadata to associate with the - user. Metadata to be associated with the entity. + description: |- + A Map of additional metadata to associate with the user. + Metadata to be associated with the entity. type: object + x-kubernetes-map-type: granular name: - description: Name of the identity entity to create. Name of the - entity. + description: |- + Name of the identity entity to create. + Name of the entity. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. 
+ The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string policies: - description: A list of policies to apply to the entity. Policies - to be tied to the entity. + description: |- + A list of policies to apply to the entity. + Policies to be tied to the entity. items: type: string type: array + x-kubernetes-list-type: set type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. 
+ See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -181,45 +196,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -229,21 +209,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -253,17 +233,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -273,21 +255,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -302,21 +284,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -327,14 +310,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -355,16 +339,14 @@ spec: atProvider: properties: disabled: - description: True/false Is this entity currently disabled. Defaults - to false Whether the entity is disabled. Disabled entities' - associated tokens cannot be used, but are not revoked. + description: |- + True/false Is this entity currently disabled. Defaults to false + Whether the entity is disabled. Disabled entities' associated tokens cannot be used, but are not revoked. type: boolean externalPolicies: - description: false by default. If set to true, this resource will - ignore any policies return from Vault or specified in the resource. - You can use vault_identity_entity_policies to manage policies - for this entity in a decoupled manner. Manage policies externally - through `vault_identity_entity_policies`. + description: |- + false by default. If set to true, this resource will ignore any policies return from Vault or specified in the resource. You can use vault_identity_entity_policies to manage policies for this entity in a decoupled manner. + Manage policies externally through `vault_identity_entity_policies`. type: boolean id: description: The id of the created entity. 
@@ -372,26 +354,32 @@ spec: metadata: additionalProperties: type: string - description: A Map of additional metadata to associate with the - user. Metadata to be associated with the entity. + description: |- + A Map of additional metadata to associate with the user. + Metadata to be associated with the entity. type: object + x-kubernetes-map-type: granular name: - description: Name of the identity entity to create. Name of the - entity. + description: |- + Name of the identity entity to create. + Name of the entity. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string policies: - description: A list of policies to apply to the entity. Policies - to be tied to the entity. + description: |- + A list of policies to apply to the entity. + Policies to be tied to the entity. items: type: string type: array + x-kubernetes-list-type: set type: object conditions: description: Conditions of the resource. 
@@ -399,14 +387,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -416,8 +413,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -426,6 +424,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/identity.vault.upbound.io_entityaliases.yaml b/package/crds/identity.vault.upbound.io_entityaliases.yaml index 480a4683..55d56ea3 100644 --- a/package/crds/identity.vault.upbound.io_entityaliases.yaml +++ b/package/crds/identity.vault.upbound.io_entityaliases.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: entityaliases.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: Identity Entity Alias for Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,95 +74,96 @@ spec: forProvider: properties: canonicalId: - description: Entity ID to which this alias belongs to. ID of the - entity to which this is an alias. + description: |- + Entity ID to which this alias belongs to. + ID of the entity to which this is an alias. type: string customMetadata: additionalProperties: type: string description: Custom metadata to be associated with this alias. type: object + x-kubernetes-map-type: granular mountAccessor: - description: Accessor of the mount to which the alias should belong - to. Mount accessor to which this alias belongs toMount accessor - to which this alias belongs to. + description: |- + Accessor of the mount to which the alias should belong to. + Mount accessor to which this alias belongs toMount accessor to which this alias belongs to. type: string name: - description: Name of the alias. Name should be the identifier - of the client in the authentication source. For example, if - the alias belongs to userpass backend, the name should be a - valid username within userpass backend. If alias belongs to - GitHub, it should be the GitHub username. Name of the entity - alias. + description: |- + Name of the alias. Name should be the identifier of the client in the authentication source. For example, if the alias belongs to userpass backend, the name should be a valid username within userpass backend. If alias belongs to GitHub, it should be the GitHub username. + Name of the entity alias. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. 
+ Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: canonicalId: - description: Entity ID to which this alias belongs to. ID of the - entity to which this is an alias. + description: |- + Entity ID to which this alias belongs to. + ID of the entity to which this is an alias. type: string customMetadata: additionalProperties: type: string description: Custom metadata to be associated with this alias. type: object + x-kubernetes-map-type: granular mountAccessor: - description: Accessor of the mount to which the alias should belong - to. 
Mount accessor to which this alias belongs toMount accessor - to which this alias belongs to. + description: |- + Accessor of the mount to which the alias should belong to. + Mount accessor to which this alias belongs toMount accessor to which this alias belongs to. type: string name: - description: Name of the alias. Name should be the identifier - of the client in the authentication source. For example, if - the alias belongs to userpass backend, the name should be a - valid username within userpass backend. If alias belongs to - GitHub, it should be the GitHub username. Name of the entity - alias. + description: |- + Name of the alias. Name should be the identifier of the client in the authentication source. For example, if the alias belongs to userpass backend, the name should be a valid username within userpass backend. If alias belongs to GitHub, it should be the GitHub username. + Name of the entity alias. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. 
Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -169,45 +176,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -217,21 +189,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -241,17 +213,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -261,21 +235,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -290,21 +264,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -315,14 +290,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -338,54 +314,54 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: canonicalId is a required parameter + - message: spec.forProvider.canonicalId is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.canonicalId) - || has(self.initProvider.canonicalId)' - - message: mountAccessor is a required parameter + || (has(self.initProvider) && has(self.initProvider.canonicalId))' + - message: spec.forProvider.mountAccessor is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.mountAccessor) - || has(self.initProvider.mountAccessor)' - - message: name is a required parameter + || (has(self.initProvider) && has(self.initProvider.mountAccessor))' + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' + || (has(self.initProvider) && has(self.initProvider.name))' status: description: EntityAliasStatus defines the observed state of EntityAlias. properties: atProvider: properties: canonicalId: - description: Entity ID to which this alias belongs to. ID of the - entity to which this is an alias. + description: |- + Entity ID to which this alias belongs to. + ID of the entity to which this is an alias. type: string customMetadata: additionalProperties: type: string description: Custom metadata to be associated with this alias. type: object + x-kubernetes-map-type: granular id: description: ID of the entity alias. type: string mountAccessor: - description: Accessor of the mount to which the alias should belong - to. Mount accessor to which this alias belongs toMount accessor - to which this alias belongs to. 
+ description: |- + Accessor of the mount to which the alias should belong to. + Mount accessor to which this alias belongs toMount accessor to which this alias belongs to. type: string name: - description: Name of the alias. Name should be the identifier - of the client in the authentication source. For example, if - the alias belongs to userpass backend, the name should be a - valid username within userpass backend. If alias belongs to - GitHub, it should be the GitHub username. Name of the entity - alias. + description: |- + Name of the alias. Name should be the identifier of the client in the authentication source. For example, if the alias belongs to userpass backend, the name should be a valid username within userpass backend. If alias belongs to GitHub, it should be the GitHub username. + Name of the entity alias. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: object conditions: 
@@ -394,14 +370,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -411,8 +396,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -421,6 +407,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/identity.vault.upbound.io_entitypolicies.yaml b/package/crds/identity.vault.upbound.io_entitypolicies.yaml index d13ba640..a3be4ce3 100644 --- a/package/crds/identity.vault.upbound.io_entitypolicies.yaml +++ b/package/crds/identity.vault.upbound.io_entitypolicies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: entitypolicies.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: policies for an Identity Entity for Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,77 +74,238 @@ spec: forProvider: properties: entityId: - description: Entity ID to assign policies to. ID of the entity. + description: |- + Entity ID to assign policies to. + ID of the entity. type: string + entityIdRef: + description: Reference to a Entity in identity to populate entityId. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + entityIdSelector: + description: Selector for a Entity in identity to populate entityId. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object exclusive: - description: Defaults to true. Should the resource manage policies - exclusively + description: |- + Defaults to true. + Should the resource manage policies exclusively type: boolean namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string policies: - description: List of policies to assign to the entity Policies - to be tied to the entity. + description: |- + List of policies to assign to the entity + Policies to be tied to the entity. items: type: string type: array + x-kubernetes-list-type: set type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. 
The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: entityId: - description: Entity ID to assign policies to. ID of the entity. + description: |- + Entity ID to assign policies to. + ID of the entity. type: string + entityIdRef: + description: Reference to a Entity in identity to populate entityId. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. 
Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + entityIdSelector: + description: Selector for a Entity in identity to populate entityId. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object exclusive: - description: Defaults to true. Should the resource manage policies - exclusively + description: |- + Defaults to true. + Should the resource manage policies exclusively type: boolean namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. 
+ The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string policies: - description: List of policies to assign to the entity Policies - to be tied to the entity. + description: |- + List of policies to assign to the entity + Policies to be tied to the entity. items: type: string type: array + x-kubernetes-list-type: set type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. 
+ See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -151,9 +318,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -163,57 +331,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -223,17 +355,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -243,21 +377,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -272,21 +406,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -297,14 +432,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -320,45 +456,48 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: entityId is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.entityId) - || has(self.initProvider.entityId)' - - message: policies is a required parameter + - message: spec.forProvider.policies is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.policies) - || has(self.initProvider.policies)' + || (has(self.initProvider) && has(self.initProvider.policies))' status: description: EntityPoliciesStatus defines the observed state of EntityPolicies. properties: atProvider: properties: entityId: - description: Entity ID to assign policies to. ID of the entity. + description: |- + Entity ID to assign policies to. + ID of the entity. type: string entityName: - description: The name of the entity that are assigned the policies. + description: |- + The name of the entity that are assigned the policies. Name of the entity. type: string exclusive: - description: Defaults to true. Should the resource manage policies - exclusively + description: |- + Defaults to true. + Should the resource manage policies exclusively type: boolean id: type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. 
(requires Enterprise) type: string policies: - description: List of policies to assign to the entity Policies - to be tied to the entity. + description: |- + List of policies to assign to the entity + Policies to be tied to the entity. items: type: string type: array + x-kubernetes-list-type: set type: object conditions: description: Conditions of the resource. @@ -366,14 +505,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -383,8 +531,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime 
@@ -393,6 +542,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/identity.vault.upbound.io_groupaliases.yaml b/package/crds/identity.vault.upbound.io_groupaliases.yaml index 30b9c83e..915d6d56 100644 --- a/package/crds/identity.vault.upbound.io_groupaliases.yaml +++ b/package/crds/identity.vault.upbound.io_groupaliases.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: groupaliases.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: Identity Group Alias for Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,77 +74,380 @@ spec: forProvider: properties: canonicalId: - description: ID of the group to which this is an alias. ID of - the group to which this is an alias. + description: |- + ID of the group to which this is an alias. + ID of the group to which this is an alias. type: string + canonicalIdRef: + description: Reference to a Group in identity to populate canonicalId. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + canonicalIdSelector: + description: Selector for a Group in identity to populate canonicalId. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 
'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object mountAccessor: - description: Mount accessor of the authentication backend to which - this alias belongs to. Mount accessor to which this alias belongs - to. + description: |- + Mount accessor of the authentication backend to which this alias belongs to. + Mount accessor to which this alias belongs to. type: string + mountAccessorRef: + description: Reference to a Backend in auth to populate mountAccessor. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + mountAccessorSelector: + description: Selector for a Backend in auth to populate mountAccessor. 
+ properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object name: - description: Name of the group alias to create. Name of the group - alias. + description: |- + Name of the group alias to create. + Name of the group alias. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. 
- It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: canonicalId: - description: ID of the group to which this is an alias. ID of - the group to which this is an alias. + description: |- + ID of the group to which this is an alias. + ID of the group to which this is an alias. type: string + canonicalIdRef: + description: Reference to a Group in identity to populate canonicalId. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. 
+ The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + canonicalIdSelector: + description: Selector for a Group in identity to populate canonicalId. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object mountAccessor: - description: Mount accessor of the authentication backend to which - this alias belongs to. Mount accessor to which this alias belongs - to. 
+ description: |- + Mount accessor of the authentication backend to which this alias belongs to. + Mount accessor to which this alias belongs to. type: string + mountAccessorRef: + description: Reference to a Backend in auth to populate mountAccessor. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + mountAccessorSelector: + description: Selector for a Backend in auth to populate mountAccessor. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object name: - description: Name of the group alias to create. Name of the group - alias. + description: |- + Name of the group alias to create. + Name of the group alias. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. 
See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -151,9 +460,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -163,57 +473,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -223,17 +497,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -243,21 +519,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -272,21 +548,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -297,14 +574,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -320,45 +598,40 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: canonicalId is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.canonicalId) - || has(self.initProvider.canonicalId)' - - message: mountAccessor is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.mountAccessor) - || has(self.initProvider.mountAccessor)' - - message: name is a required parameter + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' + || (has(self.initProvider) && has(self.initProvider.name))' status: description: GroupAliasStatus defines the observed state of GroupAlias. properties: atProvider: properties: canonicalId: - description: ID of the group to which this is an alias. ID of - the group to which this is an alias. + description: |- + ID of the group to which this is an alias. + ID of the group to which this is an alias. type: string id: description: The id of the created group alias. type: string mountAccessor: - description: Mount accessor of the authentication backend to which - this alias belongs to. Mount accessor to which this alias belongs - to. + description: |- + Mount accessor of the authentication backend to which this alias belongs to. + Mount accessor to which this alias belongs to. type: string name: - description: Name of the group alias to create. Name of the group - alias. + description: |- + Name of the group alias to create. + Name of the group alias. type: string namespace: - description: The namespace to provision the resource in. 
The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: object conditions: @@ -367,14 +640,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. 
@@ -384,8 +666,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -394,6 +677,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/identity.vault.upbound.io_groupmemberentityidsidses.yaml b/package/crds/identity.vault.upbound.io_groupmemberentityidsidses.yaml index 7803181e..12605f18 100644 --- a/package/crds/identity.vault.upbound.io_groupmemberentityidsidses.yaml +++ b/package/crds/identity.vault.upbound.io_groupmemberentityidsidses.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: groupmemberentityidsidses.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: API. Manages member entities for an Identity Group for Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,81 +74,240 @@ spec: forProvider: properties: exclusive: - description: Defaults to true. If set to true, allows the resource - to manage member entity ids exclusively. Beware of race conditions - when disabling exclusive management + description: |- + Defaults to true. + If set to true, allows the resource to manage member entity ids + exclusively. Beware of race conditions when disabling exclusive management type: boolean groupId: - description: Group ID to assign member entities to. ID of the - group. + description: |- + Group ID to assign member entities to. + ID of the group. type: string + groupIdRef: + description: Reference to a Group in identity to populate groupId. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + groupIdSelector: + description: Selector for a Group in identity to populate groupId. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. 
+ type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object memberEntityIds: - description: List of member entities that belong to the group + description: |- + List of member entities that belong to the group Entity IDs to be assigned as group members. items: type: string type: array + x-kubernetes-list-type: set namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. 
The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: exclusive: - description: Defaults to true. If set to true, allows the resource - to manage member entity ids exclusively. Beware of race conditions - when disabling exclusive management + description: |- + Defaults to true. + If set to true, allows the resource to manage member entity ids + exclusively. Beware of race conditions when disabling exclusive management type: boolean groupId: - description: Group ID to assign member entities to. ID of the - group. + description: |- + Group ID to assign member entities to. + ID of the group. type: string + groupIdRef: + description: Reference to a Group in identity to populate groupId. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. 
+ The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + groupIdSelector: + description: Selector for a Group in identity to populate groupId. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object memberEntityIds: - description: List of member entities that belong to the group + description: |- + List of member entities that belong to the group Entity IDs to be assigned as group members. 
items: type: string type: array + x-kubernetes-list-type: set namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. 
Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -155,9 +320,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -167,57 +333,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -227,17 +357,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -247,21 +379,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -276,21 +408,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -301,14 +434,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. @@ -323,11 +457,6 @@ spec: required: - forProvider type: object - x-kubernetes-validations: - - message: groupId is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.groupId) - || has(self.initProvider.groupId)' status: description: GroupMemberEntityIdsStatus defines the observed state of GroupMemberEntityIds. 
@@ -335,34 +464,33 @@ spec: atProvider: properties: exclusive: - description: Defaults to true. If set to true, allows the resource - to manage member entity ids exclusively. Beware of race conditions - when disabling exclusive management + description: |- + Defaults to true. + If set to true, allows the resource to manage member entity ids + exclusively. Beware of race conditions when disabling exclusive management type: boolean groupId: - description: Group ID to assign member entities to. ID of the - group. - type: string - groupName: - description: 'The name of the group that are assigned the member - entities. Deprecated: The value for group_name may not always - be accurate use data.vault_identity_group.*.group_name, or vault_identity_group.*.group_name - instead. Name of the group.' + description: |- + Group ID to assign member entities to. + ID of the group. type: string id: type: string memberEntityIds: - description: List of member entities that belong to the group + description: |- + List of member entities that belong to the group Entity IDs to be assigned as group members. items: type: string type: array + x-kubernetes-list-type: set namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: object conditions: 
@@ -371,14 +499,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -388,8 +525,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -398,6 +536,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/identity.vault.upbound.io_groupmembergroupidsidses.yaml b/package/crds/identity.vault.upbound.io_groupmembergroupidsidses.yaml index 2569d0c9..c236728b 100644 --- a/package/crds/identity.vault.upbound.io_groupmembergroupidsidses.yaml +++ b/package/crds/identity.vault.upbound.io_groupmembergroupidsidses.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: groupmembergroupidsidses.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: API. Manages member groups for an Identity Group for Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,81 +74,240 @@ spec: forProvider: properties: exclusive: - description: Defaults to true. If set to true, allows the resource - to manage member group ids exclusively. Beware of race conditions - when disabling exclusive management + description: |- + Defaults to true. + If set to true, allows the resource to manage member group ids + exclusively. Beware of race conditions when disabling exclusive management type: boolean groupId: - description: Group ID to assign member entities to. ID of the - group. + description: |- + Group ID to assign member entities to. + ID of the group. type: string + groupIdRef: + description: Reference to a Group in identity to populate groupId. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + groupIdSelector: + description: Selector for a Group in identity to populate groupId. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. 
+ type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object memberGroupIds: - description: List of member groups that belong to the group Group - IDs to be assigned as group members. + description: |- + List of member groups that belong to the group + Group IDs to be assigned as group members. items: type: string type: array + x-kubernetes-list-type: set namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. 
InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: exclusive: - description: Defaults to true. If set to true, allows the resource - to manage member group ids exclusively. Beware of race conditions - when disabling exclusive management + description: |- + Defaults to true. + If set to true, allows the resource to manage member group ids + exclusively. Beware of race conditions when disabling exclusive management type: boolean groupId: - description: Group ID to assign member entities to. ID of the - group. + description: |- + Group ID to assign member entities to. + ID of the group. type: string + groupIdRef: + description: Reference to a Group in identity to populate groupId. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. 
+ properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + groupIdSelector: + description: Selector for a Group in identity to populate groupId. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + type: object memberGroupIds: - description: List of member groups that belong to the group Group - IDs to be assigned as group members. + description: |- + List of member groups that belong to the group + Group IDs to be assigned as group members. items: type: string type: array + x-kubernetes-list-type: set namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. 
It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -155,45 +320,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -203,21 +333,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -227,17 +357,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -247,21 +379,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -276,21 +408,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -301,14 +434,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -323,39 +457,39 @@ spec: required: - forProvider type: object - x-kubernetes-validations: - - message: groupId is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.groupId) - || has(self.initProvider.groupId)' status: description: GroupMemberGroupIdsStatus defines the observed state of GroupMemberGroupIds. properties: atProvider: properties: exclusive: - description: Defaults to true. If set to true, allows the resource - to manage member group ids exclusively. Beware of race conditions - when disabling exclusive management + description: |- + Defaults to true. + If set to true, allows the resource to manage member group ids + exclusively. Beware of race conditions when disabling exclusive management type: boolean groupId: - description: Group ID to assign member entities to. ID of the - group. + description: |- + Group ID to assign member entities to. + ID of the group. type: string id: type: string memberGroupIds: - description: List of member groups that belong to the group Group - IDs to be assigned as group members. + description: |- + List of member groups that belong to the group + Group IDs to be assigned as group members. items: type: string type: array + x-kubernetes-list-type: set namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: object conditions: 
@@ -364,14 +498,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -381,8 +524,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -391,6 +535,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/identity.vault.upbound.io_grouppolicies.yaml b/package/crds/identity.vault.upbound.io_grouppolicies.yaml index 2acd148d..a02fbcb5 100644 --- a/package/crds/identity.vault.upbound.io_grouppolicies.yaml +++ b/package/crds/identity.vault.upbound.io_grouppolicies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: grouppolicies.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: policies for an Identity Group for Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,79 +74,238 @@ spec: forProvider: properties: exclusive: - description: Defaults to true. Should the resource manage policies - exclusively? Beware of race conditions when disabling exclusive - management + description: |- + Defaults to true. + Should the resource manage policies exclusively? Beware of race conditions when disabling exclusive management type: boolean groupId: - description: Group ID to assign policies to. ID of the group. + description: |- + Group ID to assign policies to. + ID of the group. type: string + groupIdRef: + description: Reference to a Group in identity to populate groupId. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + groupIdSelector: + description: Selector for a Group in identity to populate groupId. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. 
+ properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string policies: - description: List of policies to assign to the group Policies - to be tied to the group. + description: |- + List of policies to assign to the group + Policies to be tied to the group. items: type: string type: array + x-kubernetes-list-type: set type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. 
The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: exclusive: - description: Defaults to true. Should the resource manage policies - exclusively? Beware of race conditions when disabling exclusive - management + description: |- + Defaults to true. + Should the resource manage policies exclusively? Beware of race conditions when disabling exclusive management type: boolean groupId: - description: Group ID to assign policies to. ID of the group. + description: |- + Group ID to assign policies to. + ID of the group. type: string + groupIdRef: + description: Reference to a Group in identity to populate groupId. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. 
+ The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + groupIdSelector: + description: Selector for a Group in identity to populate groupId. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. 
The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string policies: - description: List of policies to assign to the group Policies - to be tied to the group. + description: |- + List of policies to assign to the group + Policies to be tied to the group. items: type: string type: array + x-kubernetes-list-type: set type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. 
Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -153,9 +318,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -165,57 +331,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -225,17 +355,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -245,21 +377,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -274,21 +406,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -299,14 +432,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -322,46 +456,48 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: groupId is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.groupId) - || has(self.initProvider.groupId)' - - message: policies is a required parameter + - message: spec.forProvider.policies is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.policies) - || has(self.initProvider.policies)' + || (has(self.initProvider) && has(self.initProvider.policies))' status: description: GroupPoliciesStatus defines the observed state of GroupPolicies. properties: atProvider: properties: exclusive: - description: Defaults to true. Should the resource manage policies - exclusively? Beware of race conditions when disabling exclusive - management + description: |- + Defaults to true. + Should the resource manage policies exclusively? Beware of race conditions when disabling exclusive management type: boolean groupId: - description: Group ID to assign policies to. ID of the group. + description: |- + Group ID to assign policies to. + ID of the group. type: string groupName: - description: The name of the group that are assigned the policies. + description: |- + The name of the group that are assigned the policies. Name of the group. type: string id: type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. 
+ The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string policies: - description: List of policies to assign to the group Policies - to be tied to the group. + description: |- + List of policies to assign to the group + Policies to be tied to the group. items: type: string type: array + x-kubernetes-list-type: set type: object conditions: description: Conditions of the resource. @@ -369,14 +505,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -386,8 +531,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime 
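Review bot: With the `groupId is a required parameter` rule removed from `x-kubernetes-validations`, admission no longer requires any group identifier; the only remaining rule covers `policies`. This is presumably intentional now that `groupIdRef` and `groupIdSelector` can populate `groupId`, but an object that sets none of the three would be accepted and only fail later at reconcile. If the forProvider schema (outside this hunk) has the same ref and selector fields as the initProvider schema shown earlier in the diff, a rule such as `has(self.forProvider.groupId) || has(self.forProvider.groupIdRef) || has(self.forProvider.groupIdSelector)`, behind the same managementPolicies guard and with the `has(self.initProvider) && ...` alternative, would keep the early rejection. The CRD appears to be generated, so the change belongs in the generator's resource configuration rather than in this YAML.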
@@ -396,6 +542,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/identity.vault.upbound.io_groups.yaml b/package/crds/identity.vault.upbound.io_groups.yaml index f5a1aec7..0b261f4f 100644 --- a/package/crds/identity.vault.upbound.io_groups.yaml +++ b/package/crds/identity.vault.upbound.io_groups.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: groups.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: for Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,165 +74,184 @@ spec: forProvider: properties: externalMemberEntityIds: - description: false by default. If set to true, this resource will - ignore any Entity IDs returned from Vault or specified in the - resource. You can use vault_identity_group_member_entity_ids - to manage Entity IDs for this group in a decoupled manner. Manage - member entities externally through `vault_identity_group_member_entity_ids` + description: |- + false by default. If set to true, this resource will ignore any Entity IDs + returned from Vault or specified in the resource. You can use + vault_identity_group_member_entity_ids to manage Entity IDs for this group in a + decoupled manner. + Manage member entities externally through `vault_identity_group_member_entity_ids` type: boolean externalMemberGroupIds: - description: false by default. If set to true, this resource will - ignore any Group IDs returned from Vault or specified in the - resource. You can use vault_identity_group_member_group_ids - to manage Group IDs for this group in a decoupled manner. Manage - member groups externally through `vault_identity_group_member_group_ids` + description: |- + false by default. If set to true, this resource will ignore any Group IDs + returned from Vault or specified in the resource. You can use + vault_identity_group_member_group_ids to manage Group IDs for this group in a + decoupled manner. + Manage member groups externally through `vault_identity_group_member_group_ids` type: boolean externalPolicies: - description: false by default. If set to true, this resource will - ignore any policies returned from Vault or specified in the - resource. You can use vault_identity_group_policies to manage - policies for this group in a decoupled manner. Manage policies - externally through `vault_identity_group_policies`, allows using - group ID in assigned policies. + description: |- + false by default. 
If set to true, this resource will ignore any policies returned from + Vault or specified in the resource. You can use vault_identity_group_policies to manage + policies for this group in a decoupled manner. + Manage policies externally through `vault_identity_group_policies`, allows using group ID in assigned policies. type: boolean memberEntityIds: - description: A list of Entity IDs to be assigned as group members. - Not allowed on external groups. Entity IDs to be assigned as - group members. + description: |- + A list of Entity IDs to be assigned as group members. Not allowed on external groups. + Entity IDs to be assigned as group members. items: type: string type: array + x-kubernetes-list-type: set memberGroupIds: - description: A list of Group IDs to be assigned as group members. - Not allowed on external groups. Group IDs to be assigned as - group members. + description: |- + A list of Group IDs to be assigned as group members. Not allowed on external groups. + Group IDs to be assigned as group members. items: type: string type: array + x-kubernetes-list-type: set metadata: additionalProperties: type: string - description: A Map of additional metadata to associate with the - group. Metadata to be associated with the group. + description: |- + A Map of additional metadata to associate with the group. + Metadata to be associated with the group. type: object + x-kubernetes-map-type: granular name: - description: Name of the identity group to create. Name of the - group. + description: |- + Name of the identity group to create. + Name of the group. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. 
+ The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string policies: - description: A list of policies to apply to the group. Policies - to be tied to the group. + description: |- + A list of policies to apply to the group. + Policies to be tied to the group. items: type: string type: array + x-kubernetes-list-type: set type: - description: Type of the group, internal or external. Defaults - to internal. Type of the group, internal or external. Defaults - to internal. + description: |- + Type of the group, internal or external. Defaults to internal. + Type of the group, internal or external. Defaults to internal. type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. 
+ The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: externalMemberEntityIds: - description: false by default. If set to true, this resource will - ignore any Entity IDs returned from Vault or specified in the - resource. You can use vault_identity_group_member_entity_ids - to manage Entity IDs for this group in a decoupled manner. Manage - member entities externally through `vault_identity_group_member_entity_ids` + description: |- + false by default. If set to true, this resource will ignore any Entity IDs + returned from Vault or specified in the resource. You can use + vault_identity_group_member_entity_ids to manage Entity IDs for this group in a + decoupled manner. + Manage member entities externally through `vault_identity_group_member_entity_ids` type: boolean externalMemberGroupIds: - description: false by default. If set to true, this resource will - ignore any Group IDs returned from Vault or specified in the - resource. You can use vault_identity_group_member_group_ids - to manage Group IDs for this group in a decoupled manner. Manage - member groups externally through `vault_identity_group_member_group_ids` + description: |- + false by default. If set to true, this resource will ignore any Group IDs + returned from Vault or specified in the resource. You can use + vault_identity_group_member_group_ids to manage Group IDs for this group in a + decoupled manner. + Manage member groups externally through `vault_identity_group_member_group_ids` type: boolean externalPolicies: - description: false by default. If set to true, this resource will - ignore any policies returned from Vault or specified in the - resource. 
You can use vault_identity_group_policies to manage - policies for this group in a decoupled manner. Manage policies - externally through `vault_identity_group_policies`, allows using - group ID in assigned policies. + description: |- + false by default. If set to true, this resource will ignore any policies returned from + Vault or specified in the resource. You can use vault_identity_group_policies to manage + policies for this group in a decoupled manner. + Manage policies externally through `vault_identity_group_policies`, allows using group ID in assigned policies. type: boolean memberEntityIds: - description: A list of Entity IDs to be assigned as group members. - Not allowed on external groups. Entity IDs to be assigned as - group members. + description: |- + A list of Entity IDs to be assigned as group members. Not allowed on external groups. + Entity IDs to be assigned as group members. items: type: string type: array + x-kubernetes-list-type: set memberGroupIds: - description: A list of Group IDs to be assigned as group members. - Not allowed on external groups. Group IDs to be assigned as - group members. + description: |- + A list of Group IDs to be assigned as group members. Not allowed on external groups. + Group IDs to be assigned as group members. items: type: string type: array + x-kubernetes-list-type: set metadata: additionalProperties: type: string - description: A Map of additional metadata to associate with the - group. Metadata to be associated with the group. + description: |- + A Map of additional metadata to associate with the group. + Metadata to be associated with the group. type: object + x-kubernetes-map-type: granular name: - description: Name of the identity group to create. Name of the - group. + description: |- + Name of the identity group to create. + Name of the group. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. 
The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string policies: - description: A list of policies to apply to the group. Policies - to be tied to the group. + description: |- + A list of policies to apply to the group. + Policies to be tied to the group. items: type: string type: array + x-kubernetes-list-type: set type: - description: Type of the group, internal or external. Defaults - to internal. Type of the group, internal or external. Defaults - to internal. + description: |- + Type of the group, internal or external. Defaults to internal. + Type of the group, internal or external. Defaults to internal. type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. 
See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -239,45 +264,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -287,21 +277,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -311,17 +301,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -331,21 +323,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -360,21 +352,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -385,14 +378,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -413,71 +407,80 @@ spec: atProvider: properties: externalMemberEntityIds: - description: false by default. If set to true, this resource will - ignore any Entity IDs returned from Vault or specified in the - resource. You can use vault_identity_group_member_entity_ids - to manage Entity IDs for this group in a decoupled manner. Manage - member entities externally through `vault_identity_group_member_entity_ids` + description: |- + false by default. If set to true, this resource will ignore any Entity IDs + returned from Vault or specified in the resource. You can use + vault_identity_group_member_entity_ids to manage Entity IDs for this group in a + decoupled manner. + Manage member entities externally through `vault_identity_group_member_entity_ids` type: boolean externalMemberGroupIds: - description: false by default. If set to true, this resource will - ignore any Group IDs returned from Vault or specified in the - resource. You can use vault_identity_group_member_group_ids - to manage Group IDs for this group in a decoupled manner. Manage - member groups externally through `vault_identity_group_member_group_ids` + description: |- + false by default. If set to true, this resource will ignore any Group IDs + returned from Vault or specified in the resource. You can use + vault_identity_group_member_group_ids to manage Group IDs for this group in a + decoupled manner. + Manage member groups externally through `vault_identity_group_member_group_ids` type: boolean externalPolicies: - description: false by default. If set to true, this resource will - ignore any policies returned from Vault or specified in the - resource. You can use vault_identity_group_policies to manage - policies for this group in a decoupled manner. Manage policies - externally through `vault_identity_group_policies`, allows using - group ID in assigned policies. + description: |- + false by default. 
If set to true, this resource will ignore any policies returned from + Vault or specified in the resource. You can use vault_identity_group_policies to manage + policies for this group in a decoupled manner. + Manage policies externally through `vault_identity_group_policies`, allows using group ID in assigned policies. type: boolean id: description: The id of the created group. type: string memberEntityIds: - description: A list of Entity IDs to be assigned as group members. - Not allowed on external groups. Entity IDs to be assigned as - group members. + description: |- + A list of Entity IDs to be assigned as group members. Not allowed on external groups. + Entity IDs to be assigned as group members. items: type: string type: array + x-kubernetes-list-type: set memberGroupIds: - description: A list of Group IDs to be assigned as group members. - Not allowed on external groups. Group IDs to be assigned as - group members. + description: |- + A list of Group IDs to be assigned as group members. Not allowed on external groups. + Group IDs to be assigned as group members. items: type: string type: array + x-kubernetes-list-type: set metadata: additionalProperties: type: string - description: A Map of additional metadata to associate with the - group. Metadata to be associated with the group. + description: |- + A Map of additional metadata to associate with the group. + Metadata to be associated with the group. type: object + x-kubernetes-map-type: granular name: - description: Name of the identity group to create. Name of the - group. + description: |- + Name of the identity group to create. + Name of the group. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. 
(requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string policies: - description: A list of policies to apply to the group. Policies - to be tied to the group. + description: |- + A list of policies to apply to the group. + Policies to be tied to the group. items: type: string type: array + x-kubernetes-list-type: set type: - description: Type of the group, internal or external. Defaults - to internal. Type of the group, internal or external. Defaults - to internal. + description: |- + Type of the group, internal or external. Defaults to internal. + Type of the group, internal or external. Defaults to internal. type: string type: object conditions: 
@@ -486,14 +489,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -503,8 +515,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -513,6 +526,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/identity.vault.upbound.io_mfaduoes.yaml b/package/crds/identity.vault.upbound.io_mfaduoes.yaml index c5cad0ea..7eb8ccd0 100644 --- a/package/crds/identity.vault.upbound.io_mfaduoes.yaml +++ b/package/crds/identity.vault.upbound.io_mfaduoes.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: mfaduoes.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: the duo MFA method. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete @@ -68,10 +74,14 @@ spec: forProvider: properties: apiHostname: - description: API hostname for Duo API hostname for Duo + description: |- + API hostname for Duo + API hostname for Duo type: string integrationKeySecretRef: - description: Integration key for Duo Integration key for Duo + description: |- + Integration key for Duo + Integration key for Duo properties: key: description: The key to select. 
@@ -88,14 +98,19 @@ spec: - namespace type: object namespace: - description: Target namespace. (requires Enterprise) Target namespace. - (requires Enterprise) + description: |- + Target namespace. (requires Enterprise) + Target namespace. (requires Enterprise) type: string pushInfo: - description: Push information for Duo. Push information for Duo. + description: |- + Push information for Duo. + Push information for Duo. type: string secretKeySecretRef: - description: Secret key for Duo Secret key for Duo + description: |- + Secret key for Duo + Secret key for Duo properties: key: description: The key to select. 
@@ -112,65 +127,114 @@ spec: - namespace type: object usePasscode: - description: Require passcode upon MFA validation. Require passcode - upon MFA validation. + description: |- + Require passcode upon MFA validation. + Require passcode upon MFA validation. type: boolean usernameFormat: - description: A template string for mapping Identity names to MFA - methods. A template string for mapping Identity names to MFA - methods. + description: |- + A template string for mapping Identity names to MFA methods. + A template string for mapping Identity names to MFA methods. type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. 
properties: apiHostname: - description: API hostname for Duo API hostname for Duo + description: |- + API hostname for Duo + API hostname for Duo type: string + integrationKeySecretRef: + description: |- + Integration key for Duo + Integration key for Duo + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object namespace: - description: Target namespace. (requires Enterprise) Target namespace. - (requires Enterprise) + description: |- + Target namespace. (requires Enterprise) + Target namespace. (requires Enterprise) type: string pushInfo: - description: Push information for Duo. Push information for Duo. + description: |- + Push information for Duo. + Push information for Duo. type: string + secretKeySecretRef: + description: |- + Secret key for Duo + Secret key for Duo + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object usePasscode: - description: Require passcode upon MFA validation. Require passcode - upon MFA validation. + description: |- + Require passcode upon MFA validation. + Require passcode upon MFA validation. type: boolean usernameFormat: - description: A template string for mapping Identity names to MFA - methods. A template string for mapping Identity names to MFA - methods. + description: |- + A template string for mapping Identity names to MFA methods. + A template string for mapping Identity names to MFA methods. type: string + required: + - integrationKeySecretRef + - secretKeySecretRef type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. 
- It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
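Review bot: The `required` list added at the end of `initProvider` (`integrationKeySecretRef`, `secretKeySecretRef`) makes both secret references mandatory whenever `initProvider` is set at all, so a manifest that uses `initProvider` only for `usePasscode` or `pushInfo` would be rejected at admission. The rules in the later `x-kubernetes-validations` hunk of this file still accept the two references only from `forProvider` (`has(self.forProvider.integrationKeySecretRef)`), so such a manifest has to point at the same Secret in both places. I would drop the `required` list from `initProvider` and, if the references are meant to be settable there, extend the two rules the way the `apiHostname` rule was extended: `|| (has(self.initProvider) && has(self.initProvider.integrationKeySecretRef))`. This CRD carries a controller-gen annotation, so the change presumably belongs in the generator input rather than in this file.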
@@ -183,45 +247,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -231,21 +260,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -255,17 +284,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -275,21 +306,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -304,21 +335,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -329,14 +361,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -352,14 +385,14 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: apiHostname is a required parameter + - message: spec.forProvider.apiHostname is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.apiHostname) - || has(self.initProvider.apiHostname)' - - message: integrationKeySecretRef is a required parameter + || (has(self.initProvider) && has(self.initProvider.apiHostname))' + - message: spec.forProvider.integrationKeySecretRef is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.integrationKeySecretRef)' - - message: secretKeySecretRef is a required parameter + - message: spec.forProvider.secretKeySecretRef is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.secretKeySecretRef)' status: 
@@ -368,46 +401,64 @@ spec: atProvider: properties: apiHostname: - description: API hostname for Duo API hostname for Duo + description: |- + API hostname for Duo + API hostname for Duo type: string id: type: string methodId: - description: Method ID. Method ID. + description: |- + Method ID. + Method ID. type: string mountAccessor: - description: Mount accessor. Mount accessor. + description: |- + Mount accessor. + Mount accessor. type: string name: description: Method name. type: string namespace: - description: Target namespace. (requires Enterprise) Target namespace. - (requires Enterprise) + description: |- + Target namespace. (requires Enterprise) + Target namespace. (requires Enterprise) type: string namespaceId: - description: Method's namespace ID. Method's namespace ID. + description: |- + Method's namespace ID. + Method's namespace ID. type: string namespacePath: - description: Method's namespace path. Method's namespace path. + description: |- + Method's namespace path. + Method's namespace path. type: string pushInfo: - description: Push information for Duo. Push information for Duo. + description: |- + Push information for Duo. + Push information for Duo. type: string type: - description: MFA type. MFA type. + description: |- + MFA type. + MFA type. type: string usePasscode: - description: Require passcode upon MFA validation. Require passcode - upon MFA validation. + description: |- + Require passcode upon MFA validation. + Require passcode upon MFA validation. type: boolean usernameFormat: - description: A template string for mapping Identity names to MFA - methods. A template string for mapping Identity names to MFA - methods. + description: |- + A template string for mapping Identity names to MFA methods. + A template string for mapping Identity names to MFA methods. type: string uuid: - description: Resource UUID. Resource UUID. + description: |- + Resource UUID. + Resource UUID. type: string type: object conditions: 
@@ -416,14 +467,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -433,8 +493,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -443,6 +504,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/identity.vault.upbound.io_mfaloginenforcements.yaml b/package/crds/identity.vault.upbound.io_mfaloginenforcements.yaml index a1e956d5..bd433ff0 100644 --- a/package/crds/identity.vault.upbound.io_mfaloginenforcements.yaml +++ b/package/crds/identity.vault.upbound.io_mfaloginenforcements.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: mfaloginenforcements.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: API. Resource for configuring MFA login-enforcement properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,107 +74,138 @@ spec: forProvider: properties: authMethodAccessors: - description: Set of auth method accessor IDs. Set of auth method - accessor IDs. + description: |- + Set of auth method accessor IDs. + Set of auth method accessor IDs. items: type: string type: array + x-kubernetes-list-type: set authMethodTypes: - description: Set of auth method types. Set of auth method types. + description: |- + Set of auth method types. + Set of auth method types. items: type: string type: array + x-kubernetes-list-type: set identityEntityIds: - description: Set of identity entity IDs. Set of identity entity - IDs. + description: |- + Set of identity entity IDs. + Set of identity entity IDs. items: type: string type: array + x-kubernetes-list-type: set identityGroupIds: - description: Set of identity group IDs. Set of identity group - IDs. + description: |- + Set of identity group IDs. + Set of identity group IDs. items: type: string type: array + x-kubernetes-list-type: set mfaMethodIds: - description: Set of MFA method UUIDs. Set of MFA method UUIDs. + description: |- + Set of MFA method UUIDs. + Set of MFA method UUIDs. items: type: string type: array + x-kubernetes-list-type: set name: - description: Login enforcement name. Login enforcement name. + description: |- + Login enforcement name. + Login enforcement name. type: string namespace: - description: Target namespace. (requires Enterprise) Target namespace. - (requires Enterprise) + description: |- + Target namespace. (requires Enterprise) + Target namespace. (requires Enterprise) type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. 
The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: authMethodAccessors: - description: Set of auth method accessor IDs. Set of auth method - accessor IDs. + description: |- + Set of auth method accessor IDs. + Set of auth method accessor IDs. items: type: string type: array + x-kubernetes-list-type: set authMethodTypes: - description: Set of auth method types. Set of auth method types. + description: |- + Set of auth method types. + Set of auth method types. items: type: string type: array + x-kubernetes-list-type: set identityEntityIds: - description: Set of identity entity IDs. Set of identity entity - IDs. + description: |- + Set of identity entity IDs. + Set of identity entity IDs. items: type: string type: array + x-kubernetes-list-type: set identityGroupIds: - description: Set of identity group IDs. Set of identity group - IDs. + description: |- + Set of identity group IDs. + Set of identity group IDs. 
items: type: string type: array + x-kubernetes-list-type: set mfaMethodIds: - description: Set of MFA method UUIDs. Set of MFA method UUIDs. + description: |- + Set of MFA method UUIDs. + Set of MFA method UUIDs. items: type: string type: array + x-kubernetes-list-type: set name: - description: Login enforcement name. Login enforcement name. + description: |- + Login enforcement name. + Login enforcement name. type: string namespace: - description: Target namespace. (requires Enterprise) Target namespace. - (requires Enterprise) + description: |- + Target namespace. (requires Enterprise) + Target namespace. (requires Enterprise) type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. 
Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -181,45 +218,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -229,21 +231,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -253,17 +255,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -273,21 +277,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -302,21 +306,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -327,14 +332,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -350,64 +356,85 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: mfaMethodIds is a required parameter + - message: spec.forProvider.mfaMethodIds is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.mfaMethodIds) - || has(self.initProvider.mfaMethodIds)' - - message: name is a required parameter + || (has(self.initProvider) && has(self.initProvider.mfaMethodIds))' + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' + || (has(self.initProvider) && has(self.initProvider.name))' status: description: MfaLoginEnforcementStatus defines the observed state of MfaLoginEnforcement. properties: atProvider: properties: authMethodAccessors: - description: Set of auth method accessor IDs. Set of auth method - accessor IDs. + description: |- + Set of auth method accessor IDs. + Set of auth method accessor IDs. items: type: string type: array + x-kubernetes-list-type: set authMethodTypes: - description: Set of auth method types. Set of auth method types. + description: |- + Set of auth method types. + Set of auth method types. items: type: string type: array + x-kubernetes-list-type: set id: type: string identityEntityIds: - description: Set of identity entity IDs. Set of identity entity - IDs. + description: |- + Set of identity entity IDs. + Set of identity entity IDs. items: type: string type: array + x-kubernetes-list-type: set identityGroupIds: - description: Set of identity group IDs. Set of identity group - IDs. + description: |- + Set of identity group IDs. + Set of identity group IDs. items: type: string type: array + x-kubernetes-list-type: set mfaMethodIds: - description: Set of MFA method UUIDs. Set of MFA method UUIDs. 
+ description: |- + Set of MFA method UUIDs. + Set of MFA method UUIDs. items: type: string type: array + x-kubernetes-list-type: set name: - description: Login enforcement name. Login enforcement name. + description: |- + Login enforcement name. + Login enforcement name. type: string namespace: - description: Target namespace. (requires Enterprise) Target namespace. - (requires Enterprise) + description: |- + Target namespace. (requires Enterprise) + Target namespace. (requires Enterprise) type: string namespaceId: - description: Method's namespace ID. Method's namespace ID. + description: |- + Method's namespace ID. + Method's namespace ID. type: string namespacePath: - description: Method's namespace path. Method's namespace path. + description: |- + Method's namespace path. + Method's namespace path. type: string uuid: - description: Resource UUID. Resource UUID. + description: |- + Resource UUID. + Resource UUID. type: string type: object conditions: 
@@ -416,14 +443,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -433,8 +469,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -443,6 +480,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/identity.vault.upbound.io_mfaoktas.yaml b/package/crds/identity.vault.upbound.io_mfaoktas.yaml index 05483f6a..d2d6e335 100644 --- a/package/crds/identity.vault.upbound.io_mfaoktas.yaml +++ b/package/crds/identity.vault.upbound.io_mfaoktas.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: mfaoktas.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: the okta MFA method. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete @@ -68,7 +74,9 @@ spec: forProvider: properties: apiTokenSecretRef: - description: Okta API token. Okta API token. + description: |- + Okta API token. + Okta API token. properties: key: description: The key to select. 
@@ -85,79 +93,109 @@ spec: - namespace type: object baseUrl: - description: The base domain to use for API requests. The base - domain to use for API requests. + description: |- + The base domain to use for API requests. + The base domain to use for API requests. type: string namespace: - description: Target namespace. (requires Enterprise) Target namespace. - (requires Enterprise) + description: |- + Target namespace. (requires Enterprise) + Target namespace. (requires Enterprise) type: string orgName: - description: Name of the organization to be used in the Okta API. + description: |- + Name of the organization to be used in the Okta API. Name of the organization to be used in the Okta API. type: string primaryEmail: - description: Only match the primary email for the account. Only - match the primary email for the account. + description: |- + Only match the primary email for the account. + Only match the primary email for the account. type: boolean usernameFormat: - description: A template string for mapping Identity names to MFA - methods. A template string for mapping Identity names to MFA - methods. + description: |- + A template string for mapping Identity names to MFA methods. + A template string for mapping Identity names to MFA methods. type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. 
This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: + apiTokenSecretRef: + description: |- + Okta API token. + Okta API token. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object baseUrl: - description: The base domain to use for API requests. The base - domain to use for API requests. + description: |- + The base domain to use for API requests. + The base domain to use for API requests. type: string namespace: - description: Target namespace. (requires Enterprise) Target namespace. - (requires Enterprise) + description: |- + Target namespace. (requires Enterprise) + Target namespace. (requires Enterprise) type: string orgName: - description: Name of the organization to be used in the Okta API. + description: |- + Name of the organization to be used in the Okta API. Name of the organization to be used in the Okta API. type: string primaryEmail: - description: Only match the primary email for the account. Only - match the primary email for the account. 
+ description: |- + Only match the primary email for the account. + Only match the primary email for the account. type: boolean usernameFormat: - description: A template string for mapping Identity names to MFA - methods. A template string for mapping Identity names to MFA - methods. + description: |- + A template string for mapping Identity names to MFA methods. + A template string for mapping Identity names to MFA methods. type: string + required: + - apiTokenSecretRef type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. 
+ See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
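Review bot: The added `required: - apiTokenSecretRef` appears to sit under `initProvider`, so the Okta token reference becomes mandatory whenever `initProvider` is set at all. The validation rule in the later hunk (`has(self.forProvider.apiTokenSecretRef)`) still accepts the reference only under `forProvider`, so a manifest that sets any `initProvider` field would have to name the secret twice. The `initProvider` description in this hunk says its fields are added to the terraform ignore_changes hook, so a token supplied only there would presumably not be re-applied after rotation; confirm that this is intended for a credential. This file is controller-gen output, so the fix belongs in the generator configuration: drop the `required` entry from `initProvider` and keep the credential reference in `forProvider` only.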
@@ -170,45 +208,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
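Review bot: Removing `providerRef` from the schema has an upgrade consequence that nothing in this hunk documents. An existing object that still carries `spec.providerRef` would have that field pruned (assuming the CRD keeps the default pruning of apiextensions.k8s.io/v1), while `providerConfigRef` defaults to `name: default`, so such an object could end up reconciled with the `default` ProviderConfig and whatever Vault credentials it holds. The same removal appears in the mfapingids CRD further down. The file is generated, so there is nothing to change in the hunk itself; the proposal is a release-note entry along the lines of `spec.providerRef has been removed; set spec.providerConfigRef before upgrading`, plus a check for stored objects that still use `providerRef`.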
@@ -218,21 +221,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -242,17 +245,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -262,21 +267,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -291,21 +296,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -316,14 +322,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -339,61 +346,77 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: apiTokenSecretRef is a required parameter + - message: spec.forProvider.apiTokenSecretRef is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.apiTokenSecretRef)' - - message: orgName is a required parameter + - message: spec.forProvider.orgName is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.orgName) - || has(self.initProvider.orgName)' + || (has(self.initProvider) && has(self.initProvider.orgName))' status: description: MfaOktaStatus defines the observed state of MfaOkta. properties: atProvider: properties: baseUrl: - description: The base domain to use for API requests. The base - domain to use for API requests. + description: |- + The base domain to use for API requests. + The base domain to use for API requests. type: string id: type: string methodId: - description: Method ID. Method ID. + description: |- + Method ID. + Method ID. type: string mountAccessor: - description: Mount accessor. Mount accessor. + description: |- + Mount accessor. + Mount accessor. type: string name: description: Method name. type: string namespace: - description: Target namespace. (requires Enterprise) Target namespace. - (requires Enterprise) + description: |- + Target namespace. (requires Enterprise) + Target namespace. (requires Enterprise) type: string namespaceId: - description: Method's namespace ID. Method's namespace ID. + description: |- + Method's namespace ID. + Method's namespace ID. type: string namespacePath: - description: Method's namespace path. Method's namespace path. + description: |- + Method's namespace path. + Method's namespace path. type: string orgName: - description: Name of the organization to be used in the Okta API. 
+ description: |- + Name of the organization to be used in the Okta API. Name of the organization to be used in the Okta API. type: string primaryEmail: - description: Only match the primary email for the account. Only - match the primary email for the account. + description: |- + Only match the primary email for the account. + Only match the primary email for the account. type: boolean type: - description: MFA type. MFA type. + description: |- + MFA type. + MFA type. type: string usernameFormat: - description: A template string for mapping Identity names to MFA - methods. A template string for mapping Identity names to MFA - methods. + description: |- + A template string for mapping Identity names to MFA methods. + A template string for mapping Identity names to MFA methods. type: string uuid: - description: Resource UUID. Resource UUID. + description: |- + Resource UUID. + Resource UUID. type: string type: object conditions: 
@@ -402,14 +425,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -419,8 +451,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -429,6 +462,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/identity.vault.upbound.io_mfapingids.yaml b/package/crds/identity.vault.upbound.io_mfapingids.yaml index 4c4b70b0..af84abfa 100644 --- a/package/crds/identity.vault.upbound.io_mfapingids.yaml +++ b/package/crds/identity.vault.upbound.io_mfapingids.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: mfapingids.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: configuring the pingid MFA method. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,67 +74,68 @@ spec: forProvider: properties: namespace: - description: Target namespace. (requires Enterprise) Target namespace. - (requires Enterprise) + description: |- + Target namespace. (requires Enterprise) + Target namespace. (requires Enterprise) type: string settingsFileBase64: - description: A base64-encoded third-party settings contents as - retrieved from PingID's configuration page. A base64-encoded - third-party settings contents as retrieved from PingID's configuration - page. + description: |- + A base64-encoded third-party settings contents as retrieved from PingID's configuration page. + A base64-encoded third-party settings contents as retrieved from PingID's configuration page. type: string usernameFormat: - description: A template string for mapping Identity names to MFA - methods. A template string for mapping Identity names to MFA - methods. + description: |- + A template string for mapping Identity names to MFA methods. + A template string for mapping Identity names to MFA methods. type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. 
+ InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: namespace: - description: Target namespace. (requires Enterprise) Target namespace. - (requires Enterprise) + description: |- + Target namespace. (requires Enterprise) + Target namespace. (requires Enterprise) type: string settingsFileBase64: - description: A base64-encoded third-party settings contents as - retrieved from PingID's configuration page. A base64-encoded - third-party settings contents as retrieved from PingID's configuration - page. + description: |- + A base64-encoded third-party settings contents as retrieved from PingID's configuration page. + A base64-encoded third-party settings contents as retrieved from PingID's configuration page. type: string usernameFormat: - description: A template string for mapping Identity names to MFA - methods. A template string for mapping Identity names to MFA - methods. + description: |- + A template string for mapping Identity names to MFA methods. + A template string for mapping Identity names to MFA methods. type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. 
Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -141,9 +148,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -153,57 +161,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -213,17 +185,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -233,21 +207,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -262,21 +236,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -287,14 +262,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -310,74 +286,89 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: settingsFileBase64 is a required parameter + - message: spec.forProvider.settingsFileBase64 is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.settingsFileBase64) - || has(self.initProvider.settingsFileBase64)' + || (has(self.initProvider) && has(self.initProvider.settingsFileBase64))' status: description: MfaPingidStatus defines the observed state of MfaPingid. properties: atProvider: properties: adminUrl: - description: The admin URL, derived from "settings_file_base64" + description: |- + The admin URL, derived from "settings_file_base64" The admin URL, derived from "settings_file_base64" type: string authenticatorUrl: - description: A unique identifier of the organization, derived - from "settings_file_base64" A unique identifier of the organization, - derived from "settings_file_base64" + description: |- + A unique identifier of the organization, derived from "settings_file_base64" + A unique identifier of the organization, derived from "settings_file_base64" type: string id: type: string idpUrl: - description: The IDP URL, derived from "settings_file_base64" + description: |- + The IDP URL, derived from "settings_file_base64" The IDP URL, derived from "settings_file_base64" type: string methodId: - description: Method ID. Method ID. + description: |- + Method ID. + Method ID. type: string mountAccessor: - description: Mount accessor. Mount accessor. + description: |- + Mount accessor. + Mount accessor. type: string name: description: Method name. type: string namespace: - description: Target namespace. (requires Enterprise) Target namespace. - (requires Enterprise) + description: |- + Target namespace. (requires Enterprise) + Target namespace. (requires Enterprise) type: string namespaceId: - description: Method's namespace ID. 
Method's namespace ID. + description: |- + Method's namespace ID. + Method's namespace ID. type: string namespacePath: - description: Method's namespace path. Method's namespace path. + description: |- + Method's namespace path. + Method's namespace path. type: string orgAlias: - description: The name of the PingID client organization, derived - from "settings_file_base64" The name of the PingID client organization, - derived from "settings_file_base64" + description: |- + The name of the PingID client organization, derived from "settings_file_base64" + The name of the PingID client organization, derived from "settings_file_base64" type: string settingsFileBase64: - description: A base64-encoded third-party settings contents as - retrieved from PingID's configuration page. A base64-encoded - third-party settings contents as retrieved from PingID's configuration - page. + description: |- + A base64-encoded third-party settings contents as retrieved from PingID's configuration page. + A base64-encoded third-party settings contents as retrieved from PingID's configuration page. type: string type: - description: MFA type. MFA type. + description: |- + MFA type. + MFA type. type: string useSignature: - description: Use signature value, derived from "settings_file_base64" + description: |- + Use signature value, derived from "settings_file_base64" Use signature value, derived from "settings_file_base64" type: boolean usernameFormat: - description: A template string for mapping Identity names to MFA - methods. A template string for mapping Identity names to MFA - methods. + description: |- + A template string for mapping Identity names to MFA methods. + A template string for mapping Identity names to MFA methods. type: string uuid: - description: Resource UUID. Resource UUID. + description: |- + Resource UUID. + Resource UUID. type: string type: object conditions: 
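Review bot: `status.atProvider.settingsFileBase64` in this hunk is still a plain `type: string`, so the base64-encoded PingID settings file is copied into the object's status and is readable by anyone who can get or list MfaPingid resources; base64 is an encoding, not protection. If that file carries PingID key or token material, as it presumably does, the value should not be stored inline in spec or status. This CRD is generated by controller-gen, so the change belongs in the provider's resource configuration: mark `settings_file_base64` as sensitive there so the regenerated schema takes it from a Secret reference and omits it from `atProvider`. The validation rule in the same hunk, which checks `forProvider.settingsFileBase64` and `initProvider.settingsFileBase64`, would then need to be regenerated to match.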
@@ -386,14 +377,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -403,8 +403,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -413,6 +414,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/identity.vault.upbound.io_mfatotps.yaml b/package/crds/identity.vault.upbound.io_mfatotps.yaml index 27a90434..493fd461 100644 --- a/package/crds/identity.vault.upbound.io_mfatotps.yaml +++ b/package/crds/identity.vault.upbound.io_mfatotps.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: mfatotps.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: the totp MFA method. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,123 +74,128 @@ spec: forProvider: properties: algorithm: - description: Specifies the hashing algorithm used to generate - the TOTP code. Options include SHA1, SHA256, SHA512. Specifies - the hashing algorithm used to generate the TOTP code. Options - include SHA1, SHA256, SHA512. + description: |- + Specifies the hashing algorithm used to generate the TOTP code. Options include SHA1, SHA256, SHA512. + Specifies the hashing algorithm used to generate the TOTP code. Options include SHA1, SHA256, SHA512. type: string digits: - description: The number of digits in the generated TOTP token. - This value can either be 6 or 8 The number of digits in the - generated TOTP token. This value can either be 6 or 8 + description: |- + The number of digits in the generated TOTP token. This value can either be 6 or 8 + The number of digits in the generated TOTP token. This value can either be 6 or 8 type: number issuer: - description: The name of the key's issuing organization. The name - of the key's issuing organization. + description: |- + The name of the key's issuing organization. + The name of the key's issuing organization. type: string keySize: - description: Specifies the size in bytes of the generated key. + description: |- + Specifies the size in bytes of the generated key. Specifies the size in bytes of the generated key. type: number maxValidationAttempts: - description: The maximum number of consecutive failed validation - attempts allowed. The maximum number of consecutive failed validation - attempts allowed. + description: |- + The maximum number of consecutive failed validation attempts allowed. + The maximum number of consecutive failed validation attempts allowed. type: number namespace: - description: Target namespace. (requires Enterprise) Target namespace. - (requires Enterprise) + description: |- + Target namespace. (requires Enterprise) + Target namespace. 
(requires Enterprise) type: string period: - description: The length of time in seconds used to generate a - counter for the TOTP token calculation. The length of time in - seconds used to generate a counter for the TOTP token calculation. + description: |- + The length of time in seconds used to generate a counter for the TOTP token calculation. + The length of time in seconds used to generate a counter for the TOTP token calculation. type: number qrSize: - description: The pixel size of the generated square QR code. The - pixel size of the generated square QR code. + description: |- + The pixel size of the generated square QR code. + The pixel size of the generated square QR code. type: number skew: - description: The number of delay periods that are allowed when - validating a TOTP token. This value can either be 0 or 1. The - number of delay periods that are allowed when validating a TOTP - token. This value can either be 0 or 1. + description: |- + The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. + The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. type: number type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. 
It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: algorithm: - description: Specifies the hashing algorithm used to generate - the TOTP code. Options include SHA1, SHA256, SHA512. Specifies - the hashing algorithm used to generate the TOTP code. Options - include SHA1, SHA256, SHA512. + description: |- + Specifies the hashing algorithm used to generate the TOTP code. Options include SHA1, SHA256, SHA512. + Specifies the hashing algorithm used to generate the TOTP code. Options include SHA1, SHA256, SHA512. type: string digits: - description: The number of digits in the generated TOTP token. - This value can either be 6 or 8 The number of digits in the - generated TOTP token. This value can either be 6 or 8 + description: |- + The number of digits in the generated TOTP token. This value can either be 6 or 8 + The number of digits in the generated TOTP token. This value can either be 6 or 8 type: number issuer: - description: The name of the key's issuing organization. The name - of the key's issuing organization. + description: |- + The name of the key's issuing organization. + The name of the key's issuing organization. type: string keySize: - description: Specifies the size in bytes of the generated key. + description: |- + Specifies the size in bytes of the generated key. Specifies the size in bytes of the generated key. 
type: number maxValidationAttempts: - description: The maximum number of consecutive failed validation - attempts allowed. The maximum number of consecutive failed validation - attempts allowed. + description: |- + The maximum number of consecutive failed validation attempts allowed. + The maximum number of consecutive failed validation attempts allowed. type: number namespace: - description: Target namespace. (requires Enterprise) Target namespace. - (requires Enterprise) + description: |- + Target namespace. (requires Enterprise) + Target namespace. (requires Enterprise) type: string period: - description: The length of time in seconds used to generate a - counter for the TOTP token calculation. The length of time in - seconds used to generate a counter for the TOTP token calculation. + description: |- + The length of time in seconds used to generate a counter for the TOTP token calculation. + The length of time in seconds used to generate a counter for the TOTP token calculation. type: number qrSize: - description: The pixel size of the generated square QR code. The - pixel size of the generated square QR code. + description: |- + The pixel size of the generated square QR code. + The pixel size of the generated square QR code. type: number skew: - description: The number of delay periods that are allowed when - validating a TOTP token. This value can either be 0 or 1. The - number of delay periods that are allowed when validating a TOTP - token. This value can either be 0 or 1. + description: |- + The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. + The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. type: number type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. 
ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -197,9 +208,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -209,57 +221,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -269,17 +245,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -289,21 +267,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -318,21 +296,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -343,14 +322,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -366,80 +346,94 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: issuer is a required parameter + - message: spec.forProvider.issuer is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.issuer) - || has(self.initProvider.issuer)' + || (has(self.initProvider) && has(self.initProvider.issuer))' status: description: MfaTotpStatus defines the observed state of MfaTotp. properties: atProvider: properties: algorithm: - description: Specifies the hashing algorithm used to generate - the TOTP code. Options include SHA1, SHA256, SHA512. Specifies - the hashing algorithm used to generate the TOTP code. Options - include SHA1, SHA256, SHA512. + description: |- + Specifies the hashing algorithm used to generate the TOTP code. Options include SHA1, SHA256, SHA512. + Specifies the hashing algorithm used to generate the TOTP code. Options include SHA1, SHA256, SHA512. type: string digits: - description: The number of digits in the generated TOTP token. - This value can either be 6 or 8 The number of digits in the - generated TOTP token. This value can either be 6 or 8 + description: |- + The number of digits in the generated TOTP token. This value can either be 6 or 8 + The number of digits in the generated TOTP token. This value can either be 6 or 8 type: number id: type: string issuer: - description: The name of the key's issuing organization. The name - of the key's issuing organization. + description: |- + The name of the key's issuing organization. + The name of the key's issuing organization. type: string keySize: - description: Specifies the size in bytes of the generated key. + description: |- + Specifies the size in bytes of the generated key. Specifies the size in bytes of the generated key. type: number maxValidationAttempts: - description: The maximum number of consecutive failed validation - attempts allowed. 
The maximum number of consecutive failed validation - attempts allowed. + description: |- + The maximum number of consecutive failed validation attempts allowed. + The maximum number of consecutive failed validation attempts allowed. type: number methodId: - description: Method ID. Method ID. + description: |- + Method ID. + Method ID. type: string mountAccessor: - description: Mount accessor. Mount accessor. + description: |- + Mount accessor. + Mount accessor. type: string name: description: Method name. type: string namespace: - description: Target namespace. (requires Enterprise) Target namespace. - (requires Enterprise) + description: |- + Target namespace. (requires Enterprise) + Target namespace. (requires Enterprise) type: string namespaceId: - description: Method's namespace ID. Method's namespace ID. + description: |- + Method's namespace ID. + Method's namespace ID. type: string namespacePath: - description: Method's namespace path. Method's namespace path. + description: |- + Method's namespace path. + Method's namespace path. type: string period: - description: The length of time in seconds used to generate a - counter for the TOTP token calculation. The length of time in - seconds used to generate a counter for the TOTP token calculation. + description: |- + The length of time in seconds used to generate a counter for the TOTP token calculation. + The length of time in seconds used to generate a counter for the TOTP token calculation. type: number qrSize: - description: The pixel size of the generated square QR code. The - pixel size of the generated square QR code. + description: |- + The pixel size of the generated square QR code. + The pixel size of the generated square QR code. type: number skew: - description: The number of delay periods that are allowed when - validating a TOTP token. This value can either be 0 or 1. The - number of delay periods that are allowed when validating a TOTP - token. This value can either be 0 or 1. 
+ description: |- + The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. + The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. type: number type: - description: MFA type. MFA type. + description: |- + MFA type. + MFA type. type: string uuid: - description: Resource UUID. Resource UUID. + description: |- + Resource UUID. + Resource UUID. type: string type: object conditions: @@ -448,14 +442,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -465,8 +468,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime 
@@ -475,6 +479,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/identity.vault.upbound.io_oidcassignments.yaml b/package/crds/identity.vault.upbound.io_oidcassignments.yaml index 924cd048..6ae027ba 100644 --- a/package/crds/identity.vault.upbound.io_oidcassignments.yaml +++ b/package/crds/identity.vault.upbound.io_oidcassignments.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcassignments.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: OIDC Assignments in Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,79 +74,96 @@ spec: forProvider: properties: entityIds: - description: A set of Vault entity IDs. A list of Vault entity - IDs. + description: |- + A set of Vault entity IDs. + A list of Vault entity IDs. items: type: string type: array + x-kubernetes-list-type: set groupIds: - description: A set of Vault group IDs. A list of Vault group IDs. + description: |- + A set of Vault group IDs. + A list of Vault group IDs. items: type: string type: array + x-kubernetes-list-type: set name: - description: The name of the assignment. The name of the assignment. + description: |- + The name of the assignment. + The name of the assignment. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. 
This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: entityIds: - description: A set of Vault entity IDs. A list of Vault entity - IDs. + description: |- + A set of Vault entity IDs. + A list of Vault entity IDs. items: type: string type: array + x-kubernetes-list-type: set groupIds: - description: A set of Vault group IDs. A list of Vault group IDs. + description: |- + A set of Vault group IDs. + A list of Vault group IDs. items: type: string type: array + x-kubernetes-list-type: set name: - description: The name of the assignment. The name of the assignment. + description: |- + The name of the assignment. + The name of the assignment. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. 
+ Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. 
+ See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -153,45 +176,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -201,21 +189,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -225,17 +213,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -245,21 +235,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -274,21 +264,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -299,14 +290,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -322,37 +314,45 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: name is a required parameter + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' + || (has(self.initProvider) && has(self.initProvider.name))' status: description: OidcAssignmentStatus defines the observed state of OidcAssignment. properties: atProvider: properties: entityIds: - description: A set of Vault entity IDs. A list of Vault entity - IDs. + description: |- + A set of Vault entity IDs. + A list of Vault entity IDs. items: type: string type: array + x-kubernetes-list-type: set groupIds: - description: A set of Vault group IDs. A list of Vault group IDs. + description: |- + A set of Vault group IDs. + A list of Vault group IDs. items: type: string type: array + x-kubernetes-list-type: set id: type: string name: - description: The name of the assignment. The name of the assignment. + description: |- + The name of the assignment. + The name of the assignment. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: object conditions: 
@@ -361,14 +361,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -378,8 +387,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -388,6 +398,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/identity.vault.upbound.io_oidcclients.yaml b/package/crds/identity.vault.upbound.io_oidcclients.yaml index c51d1003..7e921999 100644 --- a/package/crds/identity.vault.upbound.io_oidcclients.yaml +++ b/package/crds/identity.vault.upbound.io_oidcclients.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcclients.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: Clients in Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,133 +74,148 @@ spec: forProvider: properties: accessTokenTtl: - description: The time-to-live for access tokens obtained by the - client. The time-to-live for access tokens obtained by the client. + description: |- + The time-to-live for access tokens obtained by the client. + The time-to-live for access tokens obtained by the client. type: number assignments: - description: A list of assignment resources associated with the - client. A list of assignment resources associated with the client. + description: |- + A list of assignment resources associated with the client. + A list of assignment resources associated with the client. items: type: string type: array + x-kubernetes-list-type: set clientType: - description: 'The client type based on its ability to maintain - confidentiality of credentials. The following client types are - supported: confidential, public. Defaults to confidential. The - client type based on its ability to maintain confidentiality - of credentials.Defaults to ''confidential''.' + description: |- + The client type based on its ability to maintain confidentiality of credentials. + The following client types are supported: confidential, public. Defaults to confidential. + The client type based on its ability to maintain confidentiality of credentials.Defaults to 'confidential'. type: string idTokenTtl: - description: The time-to-live for ID tokens obtained by the client. + description: |- + The time-to-live for ID tokens obtained by the client. The value should be less than the verification_ttl on the key. - The time-to-live for ID tokens obtained by the client. The value - should be less than the verification_ttl on the key. + The time-to-live for ID tokens obtained by the client. The value should be less than the verification_ttl on the key. type: number key: - description: A reference to a named key resource in Vault. This - cannot be modified after creation. If not provided, the default - key is used. 
A reference to a named key resource in Vault. This - cannot be modified after creation. + description: |- + A reference to a named key resource in Vault. + This cannot be modified after creation. If not provided, the default + key is used. + A reference to a named key resource in Vault. This cannot be modified after creation. type: string name: - description: The name of the client. The name of the client. + description: |- + The name of the client. + The name of the client. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string redirectUris: - description: Redirection URI values used by the client. One of - these values must exactly match the redirect_uri parameter value - used in each authentication request. Redirection URI values - used by the client. One of these values must exactly match the - redirect_uri parameter value used in each authentication request. + description: |- + Redirection URI values used by the client. + One of these values must exactly match the redirect_uri parameter value + used in each authentication request. + Redirection URI values used by the client. One of these values must exactly match the redirect_uri parameter value used in each authentication request. items: type: string type: array + x-kubernetes-list-type: set type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. 
- It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: accessTokenTtl: - description: The time-to-live for access tokens obtained by the - client. The time-to-live for access tokens obtained by the client. + description: |- + The time-to-live for access tokens obtained by the client. + The time-to-live for access tokens obtained by the client. type: number assignments: - description: A list of assignment resources associated with the - client. A list of assignment resources associated with the client. + description: |- + A list of assignment resources associated with the client. + A list of assignment resources associated with the client. 
items: type: string type: array + x-kubernetes-list-type: set clientType: - description: 'The client type based on its ability to maintain - confidentiality of credentials. The following client types are - supported: confidential, public. Defaults to confidential. The - client type based on its ability to maintain confidentiality - of credentials.Defaults to ''confidential''.' + description: |- + The client type based on its ability to maintain confidentiality of credentials. + The following client types are supported: confidential, public. Defaults to confidential. + The client type based on its ability to maintain confidentiality of credentials.Defaults to 'confidential'. type: string idTokenTtl: - description: The time-to-live for ID tokens obtained by the client. + description: |- + The time-to-live for ID tokens obtained by the client. The value should be less than the verification_ttl on the key. - The time-to-live for ID tokens obtained by the client. The value - should be less than the verification_ttl on the key. + The time-to-live for ID tokens obtained by the client. The value should be less than the verification_ttl on the key. type: number key: - description: A reference to a named key resource in Vault. This - cannot be modified after creation. If not provided, the default - key is used. A reference to a named key resource in Vault. This - cannot be modified after creation. + description: |- + A reference to a named key resource in Vault. + This cannot be modified after creation. If not provided, the default + key is used. + A reference to a named key resource in Vault. This cannot be modified after creation. type: string name: - description: The name of the client. The name of the client. + description: |- + The name of the client. + The name of the client. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. 
The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string redirectUris: - description: Redirection URI values used by the client. One of - these values must exactly match the redirect_uri parameter value - used in each authentication request. Redirection URI values - used by the client. One of these values must exactly match the - redirect_uri parameter value used in each authentication request. + description: |- + Redirection URI values used by the client. + One of these values must exactly match the redirect_uri parameter value + used in each authentication request. + Redirection URI values used by the client. One of these values must exactly match the redirect_uri parameter value used in each authentication request. items: type: string type: array + x-kubernetes-list-type: set type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. 
See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -207,45 +228,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -255,21 +241,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -279,17 +265,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -299,21 +287,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -328,21 +316,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -353,14 +342,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -376,68 +366,77 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: name is a required parameter + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' + || (has(self.initProvider) && has(self.initProvider.name))' status: description: OidcClientStatus defines the observed state of OidcClient. properties: atProvider: properties: accessTokenTtl: - description: The time-to-live for access tokens obtained by the - client. The time-to-live for access tokens obtained by the client. + description: |- + The time-to-live for access tokens obtained by the client. + The time-to-live for access tokens obtained by the client. type: number assignments: - description: A list of assignment resources associated with the - client. A list of assignment resources associated with the client. + description: |- + A list of assignment resources associated with the client. + A list of assignment resources associated with the client. items: type: string type: array + x-kubernetes-list-type: set clientId: - description: The Client ID from Vault. + description: |- + The Client ID returned by Vault. + The Client ID from Vault. type: string clientType: - description: 'The client type based on its ability to maintain - confidentiality of credentials. The following client types are - supported: confidential, public. Defaults to confidential. The - client type based on its ability to maintain confidentiality - of credentials.Defaults to ''confidential''.' + description: |- + The client type based on its ability to maintain confidentiality of credentials. + The following client types are supported: confidential, public. Defaults to confidential. + The client type based on its ability to maintain confidentiality of credentials.Defaults to 'confidential'. 
type: string id: type: string idTokenTtl: - description: The time-to-live for ID tokens obtained by the client. + description: |- + The time-to-live for ID tokens obtained by the client. The value should be less than the verification_ttl on the key. - The time-to-live for ID tokens obtained by the client. The value - should be less than the verification_ttl on the key. + The time-to-live for ID tokens obtained by the client. The value should be less than the verification_ttl on the key. type: number key: - description: A reference to a named key resource in Vault. This - cannot be modified after creation. If not provided, the default - key is used. A reference to a named key resource in Vault. This - cannot be modified after creation. + description: |- + A reference to a named key resource in Vault. + This cannot be modified after creation. If not provided, the default + key is used. + A reference to a named key resource in Vault. This cannot be modified after creation. type: string name: - description: The name of the client. The name of the client. + description: |- + The name of the client. + The name of the client. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string redirectUris: - description: Redirection URI values used by the client. One of - these values must exactly match the redirect_uri parameter value - used in each authentication request. Redirection URI values - used by the client. 
One of these values must exactly match the - redirect_uri parameter value used in each authentication request. + description: |- + Redirection URI values used by the client. + One of these values must exactly match the redirect_uri parameter value + used in each authentication request. + Redirection URI values used by the client. One of these values must exactly match the redirect_uri parameter value used in each authentication request. items: type: string type: array + x-kubernetes-list-type: set type: object conditions: description: Conditions of the resource. @@ -445,14 +444,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. 
@@ -462,8 +470,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -472,6 +481,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/identity.vault.upbound.io_oidckeyallowedclientids.yaml b/package/crds/identity.vault.upbound.io_oidckeyallowedclientids.yaml index 12ba82e4..70ded280 100644 --- a/package/crds/identity.vault.upbound.io_oidckeyallowedclientids.yaml +++ b/package/crds/identity.vault.upbound.io_oidckeyallowedclientids.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidckeyallowedclientids.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: API. Allows an Identity OIDC Role to use an OIDC Named key. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,67 +74,370 @@ spec: forProvider: properties: allowedClientId: - description: Client ID to allow usage with the OIDC named key + description: |- + Client ID to allow usage with the OIDC named key Role Client ID allowed to use the key for signing. type: string + allowedClientIdRef: + description: Reference to a OidcRole in identity to populate allowedClientId. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + allowedClientIdSelector: + description: Selector for a OidcRole in identity to populate allowedClientId. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 
'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object keyName: - description: Name of the OIDC Key allow the Client ID. Name of - the key. + description: |- + Name of the OIDC Key allow the Client ID. + Name of the key. type: string + keyNameRef: + description: Reference to a OidcKey in identity to populate keyName. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + keyNameSelector: + description: Selector for a OidcKey in identity to populate keyName. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. 
+ type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. 
The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: allowedClientId: - description: Client ID to allow usage with the OIDC named key + description: |- + Client ID to allow usage with the OIDC named key Role Client ID allowed to use the key for signing. type: string + allowedClientIdRef: + description: Reference to a OidcRole in identity to populate allowedClientId. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. 
The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + allowedClientIdSelector: + description: Selector for a OidcRole in identity to populate allowedClientId. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object keyName: - description: Name of the OIDC Key allow the Client ID. Name of - the key. + description: |- + Name of the OIDC Key allow the Client ID. + Name of the key. type: string + keyNameRef: + description: Reference to a OidcKey in identity to populate keyName. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. 
+ properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + keyNameSelector: + description: Selector for a OidcKey in identity to populate keyName. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + type: object namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. 
Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -141,45 +450,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -189,21 +463,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -213,17 +487,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -233,21 +509,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -262,21 +538,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -287,14 +564,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. @@ -309,15 +587,6 @@ spec: required: - forProvider type: object - x-kubernetes-validations: - - message: allowedClientId is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.allowedClientId) - || has(self.initProvider.allowedClientId)' - - message: keyName is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.keyName) - || has(self.initProvider.keyName)' status: description: OidcKeyAllowedClientIDStatus defines the observed state of OidcKeyAllowedClientID. 
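Review bot: The second hunk on this line (`@@ -309,15 +587,6 @@`) drops both `x-kubernetes-validations` rules from `spec`. The API server therefore no longer rejects an OidcKeyAllowedClientID whose `allowedClientId` or `keyName` is absent from both `forProvider` and `initProvider` when the management policies include `*`, `Create` or `Update`. If the rules went away because reference or selector fields for these two parameters were added earlier in this CRD (that part of the diff is outside this view), the removal is expected; otherwise an incomplete object is only caught at reconcile time instead of at admission. The file is generated by controller-gen, so any correction belongs in the resource configuration rather than in this YAML, and the commit description should say why the two parameters are no longer required at admission.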
@@ -325,21 +594,24 @@ spec: atProvider: properties: allowedClientId: - description: Client ID to allow usage with the OIDC named key + description: |- + Client ID to allow usage with the OIDC named key Role Client ID allowed to use the key for signing. type: string id: type: string keyName: - description: Name of the OIDC Key allow the Client ID. Name of - the key. + description: |- + Name of the OIDC Key allow the Client ID. + Name of the key. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: object conditions: 
@@ -348,14 +620,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -365,8 +646,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -375,6 +657,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/identity.vault.upbound.io_oidckeys.yaml b/package/crds/identity.vault.upbound.io_oidckeys.yaml index d425439f..f3345509 100644 --- a/package/crds/identity.vault.upbound.io_oidckeys.yaml +++ b/package/crds/identity.vault.upbound.io_oidckeys.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidckeys.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: OIDC Named Key for Vault properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,111 +74,116 @@ spec: forProvider: properties: algorithm: - description: 'Signing algorithm to use. Signing algorithm to use. - Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, - ES512, EdDSA. Signing algorithm to use. Signing algorithm to - use. Allowed values are: RS256 (default), RS384, RS512, ES256, - ES384, ES512, EdDSA.' + description: |- + Signing algorithm to use. Signing algorithm to use. + Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA. + Signing algorithm to use. Signing algorithm to use. Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA. type: string allowedClientIds: - description: ': Array of role client ID allowed to use this key - for signing. If empty, no roles are allowed. If ["*"], all roles - are allowed. Array of role client ids allowed to use this key - for signing. If empty, no roles are allowed. If "*", all roles - are allowed.' + description: |- + : Array of role client ID allowed to use this key for signing. If + empty, no roles are allowed. If ["*"], all roles are allowed. + Array of role client ids allowed to use this key for signing. If empty, no roles are allowed. If "*", all roles are allowed. items: type: string type: array + x-kubernetes-list-type: set name: - description: Name of the OIDC Key to create. Name of the key. + description: |- + Name of the OIDC Key to create. + Name of the key. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. 
(requires Enterprise) type: string rotationPeriod: - description: How often to generate a new signing key in number - of seconds How often to generate a new signing key in number - of seconds + description: |- + How often to generate a new signing key in number of seconds + How often to generate a new signing key in number of seconds type: number verificationTtl: - description: '"Controls how long the public portion of a signing - key will be available for verification after being rotated in - seconds. Controls how long the public portion of a signing key - will be available for verification after being rotated in seconds.' + description: |- + "Controls how long the public portion of a signing key will be + available for verification after being rotated in seconds. + Controls how long the public portion of a signing key will be available for verification after being rotated in seconds. type: number type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. 
The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: algorithm: - description: 'Signing algorithm to use. Signing algorithm to use. - Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, - ES512, EdDSA. Signing algorithm to use. Signing algorithm to - use. Allowed values are: RS256 (default), RS384, RS512, ES256, - ES384, ES512, EdDSA.' + description: |- + Signing algorithm to use. Signing algorithm to use. + Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA. + Signing algorithm to use. Signing algorithm to use. Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA. type: string allowedClientIds: - description: ': Array of role client ID allowed to use this key - for signing. If empty, no roles are allowed. If ["*"], all roles - are allowed. Array of role client ids allowed to use this key - for signing. If empty, no roles are allowed. If "*", all roles - are allowed.' + description: |- + : Array of role client ID allowed to use this key for signing. If + empty, no roles are allowed. If ["*"], all roles are allowed. + Array of role client ids allowed to use this key for signing. If empty, no roles are allowed. If "*", all roles are allowed. items: type: string type: array + x-kubernetes-list-type: set name: - description: Name of the OIDC Key to create. Name of the key. + description: |- + Name of the OIDC Key to create. + Name of the key. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. 
The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string rotationPeriod: - description: How often to generate a new signing key in number - of seconds How often to generate a new signing key in number - of seconds + description: |- + How often to generate a new signing key in number of seconds + How often to generate a new signing key in number of seconds type: number verificationTtl: - description: '"Controls how long the public portion of a signing - key will be available for verification after being rotated in - seconds. Controls how long the public portion of a signing key - will be available for verification after being rotated in seconds.' + description: |- + "Controls how long the public portion of a signing key will be + available for verification after being rotated in seconds. + Controls how long the public portion of a signing key will be available for verification after being rotated in seconds. type: number type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. 
See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
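Review bot: The new `initProvider` description says the field is honored unless the Management Policies feature flag is disabled, but nothing in this hunk spells out what that means for `allowedClientIds`, `algorithm`, `rotationPeriod` and `verificationTtl`. Going by the same description, values placed under `initProvider` are added to the Terraform `ignore_changes` hook, so a later out-of-band change to them would not be reconciled back. For a signing key this matters most for `allowedClientIds`, where `"*"` allows every role. I would document it at the source this CRD is generated from, for example `Fields set only in initProvider are not updated after creation; set allowedClientIds in forProvider if drift must be corrected.`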
@@ -185,45 +196,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -233,21 +209,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -257,17 +233,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -277,21 +255,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -306,21 +284,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -331,14 +310,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -354,54 +334,56 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: name is a required parameter + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' + || (has(self.initProvider) && has(self.initProvider.name))' status: description: OidcKeyStatus defines the observed state of OidcKey. properties: atProvider: properties: algorithm: - description: 'Signing algorithm to use. Signing algorithm to use. - Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, - ES512, EdDSA. Signing algorithm to use. Signing algorithm to - use. Allowed values are: RS256 (default), RS384, RS512, ES256, - ES384, ES512, EdDSA.' + description: |- + Signing algorithm to use. Signing algorithm to use. + Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA. + Signing algorithm to use. Signing algorithm to use. Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA. type: string allowedClientIds: - description: ': Array of role client ID allowed to use this key - for signing. If empty, no roles are allowed. If ["*"], all roles - are allowed. Array of role client ids allowed to use this key - for signing. If empty, no roles are allowed. If "*", all roles - are allowed.' + description: |- + : Array of role client ID allowed to use this key for signing. If + empty, no roles are allowed. If ["*"], all roles are allowed. + Array of role client ids allowed to use this key for signing. If empty, no roles are allowed. If "*", all roles are allowed. items: type: string type: array + x-kubernetes-list-type: set id: description: The name of the created key. type: string name: - description: Name of the OIDC Key to create. Name of the key. + description: |- + Name of the OIDC Key to create. + Name of the key. 
type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string rotationPeriod: - description: How often to generate a new signing key in number - of seconds How often to generate a new signing key in number - of seconds + description: |- + How often to generate a new signing key in number of seconds + How often to generate a new signing key in number of seconds type: number verificationTtl: - description: '"Controls how long the public portion of a signing - key will be available for verification after being rotated in - seconds. Controls how long the public portion of a signing key - will be available for verification after being rotated in seconds.' + description: |- + "Controls how long the public portion of a signing key will be + available for verification after being rotated in seconds. + Controls how long the public portion of a signing key will be available for verification after being rotated in seconds. type: number type: object conditions: 
@@ -410,14 +392,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -427,8 +418,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -437,6 +429,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/identity.vault.upbound.io_oidcproviders.yaml b/package/crds/identity.vault.upbound.io_oidcproviders.yaml index 7f6d2a00..f3e0d164 100644 --- a/package/crds/identity.vault.upbound.io_oidcproviders.yaml +++ b/package/crds/identity.vault.upbound.io_oidcproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcproviders.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: OIDC Providers in Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,101 +74,118 @@ spec: forProvider: properties: allowedClientIds: - description: The client IDs that are permitted to use the provider. + description: |- + The client IDs that are permitted to use the provider. If empty, no clients are allowed. If *, all clients are allowed. - The client IDs that are permitted to use the provider. If empty, - no clients are allowed. If "*", all clients are allowed. + The client IDs that are permitted to use the provider. If empty, no clients are allowed. If "*", all clients are allowed. items: type: string type: array + x-kubernetes-list-type: set httpsEnabled: - description: Set to true if the issuer endpoint uses HTTPS. Set - to true if the issuer endpoint uses HTTPS. + description: |- + Set to true if the issuer endpoint uses HTTPS. + Set to true if the issuer endpoint uses HTTPS. type: boolean issuerHost: - description: The host for the issuer. Can be either host or host:port. + description: |- + The host for the issuer. Can be either host or host:port. The host for the issuer. Can be either host or host:port. type: string name: - description: The name of the provider. The name of the provider. + description: |- + The name of the provider. + The name of the provider. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string scopesSupported: - description: The scopes available for requesting on the provider. + description: |- + The scopes available for requesting on the provider. 
The scopes available for requesting on the provider. items: type: string type: array + x-kubernetes-list-type: set type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: allowedClientIds: - description: The client IDs that are permitted to use the provider. + description: |- + The client IDs that are permitted to use the provider. If empty, no clients are allowed. If *, all clients are allowed. - The client IDs that are permitted to use the provider. If empty, - no clients are allowed. If "*", all clients are allowed. + The client IDs that are permitted to use the provider. If empty, no clients are allowed. 
If "*", all clients are allowed. items: type: string type: array + x-kubernetes-list-type: set httpsEnabled: - description: Set to true if the issuer endpoint uses HTTPS. Set - to true if the issuer endpoint uses HTTPS. + description: |- + Set to true if the issuer endpoint uses HTTPS. + Set to true if the issuer endpoint uses HTTPS. type: boolean issuerHost: - description: The host for the issuer. Can be either host or host:port. + description: |- + The host for the issuer. Can be either host or host:port. The host for the issuer. Can be either host or host:port. type: string name: - description: The name of the provider. The name of the provider. + description: |- + The name of the provider. + The name of the provider. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string scopesSupported: - description: The scopes available for requesting on the provider. + description: |- + The scopes available for requesting on the provider. The scopes available for requesting on the provider. items: type: string type: array + x-kubernetes-list-type: set type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. 
This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -175,45 +198,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -223,21 +211,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -247,17 +235,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -267,21 +257,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -296,21 +286,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -321,14 +312,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -344,57 +336,64 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: name is a required parameter + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' + || (has(self.initProvider) && has(self.initProvider.name))' status: description: OidcProviderStatus defines the observed state of OidcProvider. properties: atProvider: properties: allowedClientIds: - description: The client IDs that are permitted to use the provider. + description: |- + The client IDs that are permitted to use the provider. If empty, no clients are allowed. If *, all clients are allowed. - The client IDs that are permitted to use the provider. If empty, - no clients are allowed. If "*", all clients are allowed. + The client IDs that are permitted to use the provider. If empty, no clients are allowed. If "*", all clients are allowed. items: type: string type: array + x-kubernetes-list-type: set httpsEnabled: - description: Set to true if the issuer endpoint uses HTTPS. Set - to true if the issuer endpoint uses HTTPS. + description: |- + Set to true if the issuer endpoint uses HTTPS. + Set to true if the issuer endpoint uses HTTPS. type: boolean id: type: string issuer: - description: Specifies what will be used as the scheme://host:port - component for the iss claim of ID tokens. This value is computed - using the issuer_host and https_enabled fields. Specifies what - will be used as the 'scheme://host:port' component for the 'iss' - claim of ID tokens.This value is computed using the issuer_host - and https_enabled fields. + description: |- + Specifies what will be used as the scheme://host:port + component for the iss claim of ID tokens. This value is computed using the + issuer_host and https_enabled fields. 
+ Specifies what will be used as the 'scheme://host:port' component for the 'iss' claim of ID tokens.This value is computed using the issuer_host and https_enabled fields. type: string issuerHost: - description: The host for the issuer. Can be either host or host:port. + description: |- + The host for the issuer. Can be either host or host:port. The host for the issuer. Can be either host or host:port. type: string name: - description: The name of the provider. The name of the provider. + description: |- + The name of the provider. + The name of the provider. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string scopesSupported: - description: The scopes available for requesting on the provider. + description: |- + The scopes available for requesting on the provider. The scopes available for requesting on the provider. items: type: string type: array + x-kubernetes-list-type: set type: object conditions: description: Conditions of the resource. 
@@ -402,14 +401,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -419,8 +427,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -429,6 +438,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/identity.vault.upbound.io_oidcroles.yaml b/package/crds/identity.vault.upbound.io_oidcroles.yaml index ba643f34..b5ed0516 100644 --- a/package/crds/identity.vault.upbound.io_oidcroles.yaml +++ b/package/crds/identity.vault.upbound.io_oidcroles.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcroles.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: OIDC Role for Vault properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,101 +74,262 @@ spec: forProvider: properties: clientId: - description: The value that will be included in the aud field - of all the OIDC identity tokens issued by this role The value - that will be included in the `aud` field of all the OIDC identity + description: |- + The value that will be included in the aud field of all the OIDC identity tokens issued by this role + The value that will be included in the `aud` field of all the OIDC identity tokens issued by this role type: string key: - description: A configured named key, the key must already exist - before tokens can be issued. A configured named key, the key - must already exist. + description: |- + A configured named key, the key must already exist + before tokens can be issued. + A configured named key, the key must already exist. type: string + keyRef: + description: Reference to a OidcKey in identity to populate key. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + keySelector: + description: Selector for a OidcKey in identity to populate key. 
+ properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object name: - description: Name of the OIDC Role to create. Name of the role. + description: |- + Name of the OIDC Role to create. + Name of the role. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string template: - description: The template string to use for generating tokens. - This may be in string-ified JSON or base64 format. 
See the documentation - for the template format. The template string to use for generating - tokens. This may be in string-ified JSON or base64 format. + description: |- + The template string to use for generating tokens. This may be in + string-ified JSON or base64 format. See the + documentation + for the template format. + The template string to use for generating tokens. This may be in string-ified JSON or base64 format. type: string ttl: - description: TTL of the tokens generated against the role in number - of seconds. TTL of the tokens generated against the role in - number of seconds. + description: |- + TTL of the tokens generated against the role in number of seconds. + TTL of the tokens generated against the role in number of seconds. type: number type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. 
This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: clientId: - description: The value that will be included in the aud field - of all the OIDC identity tokens issued by this role The value - that will be included in the `aud` field of all the OIDC identity + description: |- + The value that will be included in the aud field of all the OIDC identity tokens issued by this role + The value that will be included in the `aud` field of all the OIDC identity tokens issued by this role type: string key: - description: A configured named key, the key must already exist - before tokens can be issued. A configured named key, the key - must already exist. + description: |- + A configured named key, the key must already exist + before tokens can be issued. + A configured named key, the key must already exist. type: string + keyRef: + description: Reference to a OidcKey in identity to populate key. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + keySelector: + description: Selector for a OidcKey in identity to populate key. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object name: - description: Name of the OIDC Role to create. Name of the role. + description: |- + Name of the OIDC Role to create. + Name of the role. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. 
+ Target namespace. (requires Enterprise) type: string template: - description: The template string to use for generating tokens. - This may be in string-ified JSON or base64 format. See the documentation - for the template format. The template string to use for generating - tokens. This may be in string-ified JSON or base64 format. + description: |- + The template string to use for generating tokens. This may be in + string-ified JSON or base64 format. See the + documentation + for the template format. + The template string to use for generating tokens. This may be in string-ified JSON or base64 format. type: string ttl: - description: TTL of the tokens generated against the role in number - of seconds. TTL of the tokens generated against the role in - number of seconds. + description: |- + TTL of the tokens generated against the role in number of seconds. + TTL of the tokens generated against the role in number of seconds. type: number type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. 
It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -175,9 +342,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -187,57 +355,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -247,17 +379,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -267,21 +401,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -296,21 +430,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -321,14 +456,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -344,53 +480,55 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: key is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.key) - || has(self.initProvider.key)' - - message: name is a required parameter + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' + || (has(self.initProvider) && has(self.initProvider.name))' status: description: OidcRoleStatus defines the observed state of OidcRole. properties: atProvider: properties: clientId: - description: The value that will be included in the aud field - of all the OIDC identity tokens issued by this role The value - that will be included in the `aud` field of all the OIDC identity + description: |- + The value that will be included in the aud field of all the OIDC identity tokens issued by this role + The value that will be included in the `aud` field of all the OIDC identity tokens issued by this role type: string id: description: The name of the created role. type: string key: - description: A configured named key, the key must already exist - before tokens can be issued. A configured named key, the key - must already exist. + description: |- + A configured named key, the key must already exist + before tokens can be issued. + A configured named key, the key must already exist. type: string name: - description: Name of the OIDC Role to create. Name of the role. + description: |- + Name of the OIDC Role to create. + Name of the role. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. 
- Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string template: - description: The template string to use for generating tokens. - This may be in string-ified JSON or base64 format. See the documentation - for the template format. The template string to use for generating - tokens. This may be in string-ified JSON or base64 format. + description: |- + The template string to use for generating tokens. This may be in + string-ified JSON or base64 format. See the + documentation + for the template format. + The template string to use for generating tokens. This may be in string-ified JSON or base64 format. type: string ttl: - description: TTL of the tokens generated against the role in number - of seconds. TTL of the tokens generated against the role in - number of seconds. + description: |- + TTL of the tokens generated against the role in number of seconds. + TTL of the tokens generated against the role in number of seconds. type: number type: object conditions: 
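Review bot: Dropping the `key is a required parameter` rule under `x-kubernetes-validations` means an OidcRole that sets none of `key`, `keyRef` or `keySelector` now passes admission, and the missing signing key would presumably surface only later as a reconcile error. Removing the old rule is reasonable now that `key` can be resolved from a reference, but the check could be kept in a reference-aware form, e.g. `has(self.forProvider.key) || has(self.forProvider.keyRef) || has(self.forProvider.keySelector)`, behind the same managementPolicies guard and `has(self.initProvider)` pattern as the `name` rule. This CRD appears to be controller-gen output, so such a rule would belong in the generator configuration rather than a hand edit here; the `spec` schema these rules validate starts outside this hunk.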
@@ -399,14 +537,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -416,8 +563,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -426,6 +574,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/identity.vault.upbound.io_oidcs.yaml b/package/crds/identity.vault.upbound.io_oidcs.yaml index 5f04d9b3..2f7a8932 100644 --- a/package/crds/identity.vault.upbound.io_oidcs.yaml +++ b/package/crds/identity.vault.upbound.io_oidcs.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcs.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: Tokens Backend for Vault properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,73 +74,70 @@ spec: forProvider: properties: issuer: - description: Issuer URL to be used in the iss claim of the token. - If not set, Vault's api_addr will be used. The issuer is a case - sensitive URL using the https scheme that contains scheme, host, - and optionally, port number and path components, but no query - or fragment components. Issuer URL to be used in the iss claim - of the token. If not set, Vault's api_addr will be used. The - issuer is a case sensitive URL using the https scheme that contains - scheme, host, and optionally, port number and path components, - but no query or fragment components. + description: |- + Issuer URL to be used in the iss claim of the token. If not set, Vault's + api_addr will be used. The issuer is a case sensitive URL using the https scheme that contains + scheme, host, and optionally, port number and path components, but no query or fragment + components. + Issuer URL to be used in the iss claim of the token. If not set, Vault's api_addr will be used. The issuer is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components, but no query or fragment components. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. 
- It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: issuer: - description: Issuer URL to be used in the iss claim of the token. - If not set, Vault's api_addr will be used. The issuer is a case - sensitive URL using the https scheme that contains scheme, host, - and optionally, port number and path components, but no query - or fragment components. Issuer URL to be used in the iss claim - of the token. If not set, Vault's api_addr will be used. The - issuer is a case sensitive URL using the https scheme that contains - scheme, host, and optionally, port number and path components, - but no query or fragment components. + description: |- + Issuer URL to be used in the iss claim of the token. 
If not set, Vault's + api_addr will be used. The issuer is a case sensitive URL using the https scheme that contains + scheme, host, and optionally, port number and path components, but no query or fragment + components. + Issuer URL to be used in the iss claim of the token. If not set, Vault's api_addr will be used. The issuer is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components, but no query or fragment components. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. 
See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -147,45 +150,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -195,21 +163,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -219,17 +187,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -239,21 +209,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -268,21 +238,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -293,14 +264,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -323,22 +295,20 @@ spec: id: type: string issuer: - description: Issuer URL to be used in the iss claim of the token. - If not set, Vault's api_addr will be used. The issuer is a case - sensitive URL using the https scheme that contains scheme, host, - and optionally, port number and path components, but no query - or fragment components. Issuer URL to be used in the iss claim - of the token. If not set, Vault's api_addr will be used. The - issuer is a case sensitive URL using the https scheme that contains - scheme, host, and optionally, port number and path components, - but no query or fragment components. + description: |- + Issuer URL to be used in the iss claim of the token. If not set, Vault's + api_addr will be used. The issuer is a case sensitive URL using the https scheme that contains + scheme, host, and optionally, port number and path components, but no query or fragment + components. + Issuer URL to be used in the iss claim of the token. If not set, Vault's api_addr will be used. The issuer is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components, but no query or fragment components. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: object conditions: 
@@ -347,14 +317,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -364,8 +343,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -374,6 +354,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/identity.vault.upbound.io_oidcscopes.yaml b/package/crds/identity.vault.upbound.io_oidcscopes.yaml index 9e4e9b57..500a1ea0 100644 --- a/package/crds/identity.vault.upbound.io_oidcscopes.yaml +++ b/package/crds/identity.vault.upbound.io_oidcscopes.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcscopes.identity.vault.upbound.io spec: group: identity.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: Scopes in Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,77 +74,84 @@ spec: forProvider: properties: description: - description: A description of the scope. The scope's description. + description: |- + A description of the scope. + The scope's description. type: string name: - description: The name of the scope. The openid scope name is reserved. + description: |- + The name of the scope. The openid scope name is reserved. The name of the scope. The openid scope name is reserved. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string template: - description: The template string for the scope. This may be provided - as escaped JSON or base64 encoded JSON. The template string - for the scope. This may be provided as escaped JSON or base64 - encoded JSON. + description: |- + The template string for the scope. This may be provided as escaped JSON or base64 encoded JSON. + The template string for the scope. This may be provided as escaped JSON or base64 encoded JSON. type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. 
The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: description: - description: A description of the scope. The scope's description. + description: |- + A description of the scope. + The scope's description. type: string name: - description: The name of the scope. The openid scope name is reserved. + description: |- + The name of the scope. The openid scope name is reserved. The name of the scope. The openid scope name is reserved. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. 
(requires Enterprise) type: string template: - description: The template string for the scope. This may be provided - as escaped JSON or base64 encoded JSON. The template string - for the scope. This may be provided as escaped JSON or base64 - encoded JSON. + description: |- + The template string for the scope. This may be provided as escaped JSON or base64 encoded JSON. + The template string for the scope. This may be provided as escaped JSON or base64 encoded JSON. type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. 
+ See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -151,9 +164,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -163,57 +177,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -223,17 +201,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -243,21 +223,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -272,21 +252,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -297,14 +278,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -320,36 +302,39 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: name is a required parameter + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' + || (has(self.initProvider) && has(self.initProvider.name))' status: description: OidcScopeStatus defines the observed state of OidcScope. properties: atProvider: properties: description: - description: A description of the scope. The scope's description. + description: |- + A description of the scope. + The scope's description. type: string id: type: string name: - description: The name of the scope. The openid scope name is reserved. + description: |- + The name of the scope. The openid scope name is reserved. The name of the scope. The openid scope name is reserved. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string template: - description: The template string for the scope. This may be provided - as escaped JSON or base64 encoded JSON. The template string - for the scope. This may be provided as escaped JSON or base64 - encoded JSON. + description: |- + The template string for the scope. This may be provided as escaped JSON or base64 encoded JSON. + The template string for the scope. This may be provided as escaped JSON or base64 encoded JSON. 
type: string type: object conditions: @@ -358,14 +343,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -375,8 +369,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -385,6 +380,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/jwt.vault.upbound.io_authbackendroles.yaml b/package/crds/jwt.vault.upbound.io_authbackendroles.yaml index 9b74d214..0c9b8006 100644 --- a/package/crds/jwt.vault.upbound.io_authbackendroles.yaml +++ b/package/crds/jwt.vault.upbound.io_authbackendroles.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: authbackendroles.jwt.vault.upbound.io spec: group: jwt.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: JWT/OIDC auth backend roles in Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,431 +74,608 @@ spec: forProvider: properties: allowedRedirectUris: - description: The list of allowed values for redirect_uri during - OIDC logins. Required for OIDC roles The list of allowed values - for redirect_uri during OIDC logins. + description: |- + The list of allowed values for redirect_uri during OIDC logins. + Required for OIDC roles + The list of allowed values for redirect_uri during OIDC logins. items: type: string type: array + x-kubernetes-list-type: set backend: - description: The unique name of the auth backend to configure. - Defaults to jwt. Unique name of the auth backend to configure. + description: |- + The unique name of the auth backend to configure. + Defaults to jwt. + Unique name of the auth backend to configure. type: string + backendRef: + description: Reference to a AuthBackend in jwt to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a AuthBackend in jwt to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. 
+ type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object boundAudiences: - description: (For "jwt" roles, at least one of bound_audiences, - bound_subject, bound_claims or token_bound_cidrs is required. - Optional for "oidc" roles.) List of aud claims to match against. - Any match is sufficient. List of aud claims to match against. - Any match is sufficient. + description: |- + List of aud claims to match against. Any match is sufficient. + List of aud claims to match against. Any match is sufficient. items: type: string type: array + x-kubernetes-list-type: set boundClaims: additionalProperties: type: string - description: If set, a map of claims to values to match against. - A claim's value must be a string, which may contain one value - or multiple comma-separated values, e.g. "red" or "red,green,blue". - Map of claims/values to match against. The expected value may - be a single string or a comma-separated string list. + description: |- + If set, a map of claims to values to match against. 
+ A claim's value must be a string, which may contain one value or multiple + comma-separated values, e.g. "red" or "red,green,blue". + Map of claims/values to match against. The expected value may be a single string or a comma-separated string list. type: object + x-kubernetes-map-type: granular boundClaimsType: - description: 'How to interpret values in the claims/values map - (bound_claims): can be either string (exact match) or glob (wildcard - match). Requires Vault 1.4.0 or above. How to interpret values - in the claims/values map: can be either "string" (exact match) - or "glob" (wildcard match).' + description: |- + How to interpret values in the claims/values + map (bound_claims): can be either string (exact match) or glob (wildcard + match). Requires Vault 1.4.0 or above. + How to interpret values in the claims/values map: can be either "string" (exact match) or "glob" (wildcard match). type: string boundSubject: - description: If set, requires that the sub claim matches this - value. If set, requires that the sub claim matches this value. + description: |- + If set, requires that the sub claim matches + this value. + If set, requires that the sub claim matches this value. type: string claimMappings: additionalProperties: type: string - description: If set, a map of claims (keys) to be copied to specified - metadata fields (values). Map of claims (keys) to be copied + description: |- + If set, a map of claims (keys) to be copied to specified metadata fields (values). + Map of claims (keys) to be copied to specified metadata fields (values). type: object + x-kubernetes-map-type: granular clockSkewLeeway: - description: The amount of leeway to add to all claims to account - for clock skew, in seconds. Defaults to 60 seconds if set to - 0 and can be disabled if set to -1. Only applicable with "jwt" - roles. The amount of leeway to add to all claims to account - for clock skew, in seconds. Defaults to 60 seconds if set to - 0 and can be disabled if set to -1. 
Only applicable with 'jwt' - roles. + description: |- + The amount of leeway to add to all claims to account for clock skew, in + seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + Only applicable with "jwt" roles. + The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. type: number disableBoundClaimsParsing: description: Disable bound claim value parsing. Useful when values contain commas. type: boolean expirationLeeway: - description: The amount of leeway to add to expiration (exp) claims - to account for clock skew, in seconds. Defaults to 60 seconds - if set to 0 and can be disabled if set to -1. Only applicable - with "jwt" roles. The amount of leeway to add to expiration - (exp) claims to account for clock skew, in seconds. Defaults - to 60 seconds if set to 0 and can be disabled if set to -1. - Only applicable with 'jwt' roles. + description: |- + The amount of leeway to add to expiration (exp) claims to account for + clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. + Only applicable with "jwt" roles. + The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. type: number groupsClaim: - description: The claim to use to uniquely identify the set of - groups to which the user belongs; this will be used as the names - for the Identity group aliases created due to a successful login. - The claim value must be a list of strings. The claim to use - to uniquely identify the set of groups to which the user belongs; - this will be used as the names for the Identity group aliases - created due to a successful login. The claim value must be a - list of strings. 
+ description: |- + The claim to use to uniquely identify + the set of groups to which the user belongs; this will be used as the names + for the Identity group aliases created due to a successful login. The claim + value must be a list of strings. + The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings. type: string maxAge: - description: Specifies the allowable elapsed time in seconds since - the last time the user was actively authenticated with the OIDC - provider. Specifies the allowable elapsed time in seconds since - the last time the user was actively authenticated. + description: |- + Specifies the allowable elapsed time in seconds since the last time + the user was actively authenticated with the OIDC provider. + Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated. type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string notBeforeLeeway: - description: The amount of leeway to add to not before (nbf) claims - to account for clock skew, in seconds. Defaults to 60 seconds - if set to 0 and can be disabled if set to -1. Only applicable - with "jwt" roles. The amount of leeway to add to not before - (nbf) claims to account for clock skew, in seconds. 
Defaults - to 150 seconds if set to 0 and can be disabled if set to -1. - Only applicable with 'jwt' roles. + description: |- + The amount of leeway to add to not before (nbf) claims to account for + clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. + Only applicable with "jwt" roles. + The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. type: number oidcScopes: - description: If set, a list of OIDC scopes to be used with an - OIDC role. The standard scope "openid" is automatically included - and need not be specified. List of OIDC scopes to be used with - an OIDC role. The standard scope "openid" is automatically included - and need not be specified. + description: |- + If set, a list of OIDC scopes to be used with an OIDC role. + The standard scope "openid" is automatically included and need not be specified. + List of OIDC scopes to be used with an OIDC role. The standard scope "openid" is automatically included and need not be specified. items: type: string type: array + x-kubernetes-list-type: set roleName: - description: The name of the role. Name of the role. + description: |- + The name of the role. + Name of the role. type: string roleType: - description: Type of role, either "oidc" (default) or "jwt". Type - of role, either "oidc" (default) or "jwt" + description: |- + Type of role, either "oidc" (default) or "jwt". + Type of role, either "oidc" (default) or "jwt" type: string tokenBoundCidrs: - description: List of CIDR blocks; if set, specifies blocks of - IP addresses which can authenticate successfully, and ties the - resulting token to these blocks as well. 
Specifies the blocks - of IP addresses which are allowed to use the generated token + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + Specifies the blocks of IP addresses which are allowed to use the generated token items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: - description: If set, will encode an explicit max TTL onto the - token in number of seconds. This is a hard cap even if token_ttl - and token_max_ttl would otherwise allow a renewal. Generated - Token's Explicit Maximum TTL in seconds + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + Generated Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime for generated tokens in number - of seconds. Its current value will be referenced at renewal - time. The maximum lifetime of the generated token + description: |- + The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If set, the default policy will not be set on generated - tokens; otherwise it will be added to the policies set in token_policies. - If true, the 'default' policy will not automatically be added - to generated tokens + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a generated token may - be used (within its lifetime); 0 means unlimited. 
The maximum - number of times a token may be used, a value of zero means unlimited + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + The maximum number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: If set, indicates that the token generated using - this role should never expire. The token should be renewed within - the duration specified by this value. At each renewal, the token's - TTL will be set to the value of this field. Specified in seconds. + description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. Generated Token's Period type: number tokenPolicies: - description: List of policies to encode onto generated tokens. - Depending on the auth method, this list may be supplemented - by user/group/other values. Generated Token's Policies + description: |- + List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + Generated Token's Policies items: type: string type: array + x-kubernetes-list-type: set tokenTtl: - description: The incremental lifetime for generated tokens in - number of seconds. Its current value will be referenced at renewal - time. The initial ttl of the token to generate in seconds + description: |- + The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The initial ttl of the token to generate in seconds type: number tokenType: - description: 'The type of token that should be generated. Can - be service, batch, or default to use the mount''s tuned default - (which unless changed will be service tokens). 
For token store - roles, there are two additional possibilities: default-service - and default-batch which specify the type to return unless the - client requests a different type at generation time. The type - of token to generate, service or batch' + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. + The type of token to generate, service or batch type: string userClaim: - description: The claim to use to uniquely identify the user; this - will be used as the name for the Identity entity alias created - due to a successful login. The claim to use to uniquely identify - the user; this will be used as the name for the Identity entity - alias created due to a successful login. + description: |- + The claim to use to uniquely identify + the user; this will be used as the name for the Identity entity alias created + due to a successful login. + The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login. type: string userClaimJsonPointer: - description: Specifies if the user_claim value uses JSON pointer - syntax for referencing claims. By default, the user_claim value - will not use JSON pointer. Requires Vault 1.11+. Specifies if - the user_claim value uses JSON pointer syntax for referencing - claims. By default, the user_claim value will not use JSON pointer. + description: |- + Specifies if the user_claim value uses + JSON pointer + syntax for referencing claims. By default, the user_claim value will not use JSON pointer. + Requires Vault 1.11+. + Specifies if the user_claim value uses JSON pointer syntax for referencing claims. 
By default, the user_claim value will not use JSON pointer. type: boolean verboseOidcLogging: - description: Log received OIDC tokens and claims when debug-level - logging is active. Not recommended in production since sensitive - information may be present in OIDC responses. Log received OIDC - tokens and claims when debug-level logging is active. Not recommended - in production since sensitive information may be present in - OIDC responses. + description: |- + Log received OIDC tokens and claims when debug-level + logging is active. Not recommended in production since sensitive information may be present + in OIDC responses. + Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses. type: boolean type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. 
+ The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: allowedRedirectUris: - description: The list of allowed values for redirect_uri during - OIDC logins. Required for OIDC roles The list of allowed values - for redirect_uri during OIDC logins. + description: |- + The list of allowed values for redirect_uri during OIDC logins. + Required for OIDC roles + The list of allowed values for redirect_uri during OIDC logins. items: type: string type: array + x-kubernetes-list-type: set backend: - description: The unique name of the auth backend to configure. - Defaults to jwt. Unique name of the auth backend to configure. + description: |- + The unique name of the auth backend to configure. + Defaults to jwt. + Unique name of the auth backend to configure. type: string + backendRef: + description: Reference to a AuthBackend in jwt to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a AuthBackend in jwt to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object boundAudiences: - description: (For "jwt" roles, at least one of bound_audiences, - bound_subject, bound_claims or token_bound_cidrs is required. - Optional for "oidc" roles.) List of aud claims to match against. - Any match is sufficient. List of aud claims to match against. - Any match is sufficient. + description: |- + List of aud claims to match against. Any match is sufficient. + List of aud claims to match against. Any match is sufficient. items: type: string type: array + x-kubernetes-list-type: set boundClaims: additionalProperties: type: string - description: If set, a map of claims to values to match against. 
- A claim's value must be a string, which may contain one value - or multiple comma-separated values, e.g. "red" or "red,green,blue". - Map of claims/values to match against. The expected value may - be a single string or a comma-separated string list. + description: |- + If set, a map of claims to values to match against. + A claim's value must be a string, which may contain one value or multiple + comma-separated values, e.g. "red" or "red,green,blue". + Map of claims/values to match against. The expected value may be a single string or a comma-separated string list. type: object + x-kubernetes-map-type: granular boundClaimsType: - description: 'How to interpret values in the claims/values map - (bound_claims): can be either string (exact match) or glob (wildcard - match). Requires Vault 1.4.0 or above. How to interpret values - in the claims/values map: can be either "string" (exact match) - or "glob" (wildcard match).' + description: |- + How to interpret values in the claims/values + map (bound_claims): can be either string (exact match) or glob (wildcard + match). Requires Vault 1.4.0 or above. + How to interpret values in the claims/values map: can be either "string" (exact match) or "glob" (wildcard match). type: string boundSubject: - description: If set, requires that the sub claim matches this - value. If set, requires that the sub claim matches this value. + description: |- + If set, requires that the sub claim matches + this value. + If set, requires that the sub claim matches this value. type: string claimMappings: additionalProperties: type: string - description: If set, a map of claims (keys) to be copied to specified - metadata fields (values). Map of claims (keys) to be copied + description: |- + If set, a map of claims (keys) to be copied to specified metadata fields (values). + Map of claims (keys) to be copied to specified metadata fields (values). 
type: object + x-kubernetes-map-type: granular clockSkewLeeway: - description: The amount of leeway to add to all claims to account - for clock skew, in seconds. Defaults to 60 seconds if set to - 0 and can be disabled if set to -1. Only applicable with "jwt" - roles. The amount of leeway to add to all claims to account - for clock skew, in seconds. Defaults to 60 seconds if set to - 0 and can be disabled if set to -1. Only applicable with 'jwt' - roles. + description: |- + The amount of leeway to add to all claims to account for clock skew, in + seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + Only applicable with "jwt" roles. + The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. type: number disableBoundClaimsParsing: description: Disable bound claim value parsing. Useful when values contain commas. type: boolean expirationLeeway: - description: The amount of leeway to add to expiration (exp) claims - to account for clock skew, in seconds. Defaults to 60 seconds - if set to 0 and can be disabled if set to -1. Only applicable - with "jwt" roles. The amount of leeway to add to expiration - (exp) claims to account for clock skew, in seconds. Defaults - to 60 seconds if set to 0 and can be disabled if set to -1. - Only applicable with 'jwt' roles. + description: |- + The amount of leeway to add to expiration (exp) claims to account for + clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. + Only applicable with "jwt" roles. + The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. 
type: number groupsClaim: - description: The claim to use to uniquely identify the set of - groups to which the user belongs; this will be used as the names - for the Identity group aliases created due to a successful login. - The claim value must be a list of strings. The claim to use - to uniquely identify the set of groups to which the user belongs; - this will be used as the names for the Identity group aliases - created due to a successful login. The claim value must be a - list of strings. + description: |- + The claim to use to uniquely identify + the set of groups to which the user belongs; this will be used as the names + for the Identity group aliases created due to a successful login. The claim + value must be a list of strings. + The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings. type: string maxAge: - description: Specifies the allowable elapsed time in seconds since - the last time the user was actively authenticated with the OIDC - provider. Specifies the allowable elapsed time in seconds since - the last time the user was actively authenticated. + description: |- + Specifies the allowable elapsed time in seconds since the last time + the user was actively authenticated with the OIDC provider. + Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated. type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. 
+ The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string notBeforeLeeway: - description: The amount of leeway to add to not before (nbf) claims - to account for clock skew, in seconds. Defaults to 60 seconds - if set to 0 and can be disabled if set to -1. Only applicable - with "jwt" roles. The amount of leeway to add to not before - (nbf) claims to account for clock skew, in seconds. Defaults - to 150 seconds if set to 0 and can be disabled if set to -1. - Only applicable with 'jwt' roles. + description: |- + The amount of leeway to add to not before (nbf) claims to account for + clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. + Only applicable with "jwt" roles. + The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. type: number oidcScopes: - description: If set, a list of OIDC scopes to be used with an - OIDC role. The standard scope "openid" is automatically included - and need not be specified. List of OIDC scopes to be used with - an OIDC role. The standard scope "openid" is automatically included - and need not be specified. + description: |- + If set, a list of OIDC scopes to be used with an OIDC role. + The standard scope "openid" is automatically included and need not be specified. + List of OIDC scopes to be used with an OIDC role. The standard scope "openid" is automatically included and need not be specified. items: type: string type: array + x-kubernetes-list-type: set roleName: - description: The name of the role. Name of the role. + description: |- + The name of the role. + Name of the role. type: string roleType: - description: Type of role, either "oidc" (default) or "jwt". 
Type - of role, either "oidc" (default) or "jwt" + description: |- + Type of role, either "oidc" (default) or "jwt". + Type of role, either "oidc" (default) or "jwt" type: string tokenBoundCidrs: - description: List of CIDR blocks; if set, specifies blocks of - IP addresses which can authenticate successfully, and ties the - resulting token to these blocks as well. Specifies the blocks - of IP addresses which are allowed to use the generated token + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + Specifies the blocks of IP addresses which are allowed to use the generated token items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: - description: If set, will encode an explicit max TTL onto the - token in number of seconds. This is a hard cap even if token_ttl - and token_max_ttl would otherwise allow a renewal. Generated - Token's Explicit Maximum TTL in seconds + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + Generated Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime for generated tokens in number - of seconds. Its current value will be referenced at renewal - time. The maximum lifetime of the generated token + description: |- + The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If set, the default policy will not be set on generated - tokens; otherwise it will be added to the policies set in token_policies. 
- If true, the 'default' policy will not automatically be added - to generated tokens + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a generated token may - be used (within its lifetime); 0 means unlimited. The maximum - number of times a token may be used, a value of zero means unlimited + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + The maximum number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: If set, indicates that the token generated using - this role should never expire. The token should be renewed within - the duration specified by this value. At each renewal, the token's - TTL will be set to the value of this field. Specified in seconds. + description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. Generated Token's Period type: number tokenPolicies: - description: List of policies to encode onto generated tokens. - Depending on the auth method, this list may be supplemented - by user/group/other values. Generated Token's Policies + description: |- + List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + Generated Token's Policies items: type: string type: array + x-kubernetes-list-type: set tokenTtl: - description: The incremental lifetime for generated tokens in - number of seconds. Its current value will be referenced at renewal - time. 
The initial ttl of the token to generate in seconds + description: |- + The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The initial ttl of the token to generate in seconds type: number tokenType: - description: 'The type of token that should be generated. Can - be service, batch, or default to use the mount''s tuned default - (which unless changed will be service tokens). For token store - roles, there are two additional possibilities: default-service - and default-batch which specify the type to return unless the - client requests a different type at generation time. The type - of token to generate, service or batch' + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. + The type of token to generate, service or batch type: string userClaim: - description: The claim to use to uniquely identify the user; this - will be used as the name for the Identity entity alias created - due to a successful login. The claim to use to uniquely identify - the user; this will be used as the name for the Identity entity - alias created due to a successful login. + description: |- + The claim to use to uniquely identify + the user; this will be used as the name for the Identity entity alias created + due to a successful login. + The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login. type: string userClaimJsonPointer: - description: Specifies if the user_claim value uses JSON pointer - syntax for referencing claims. By default, the user_claim value - will not use JSON pointer. Requires Vault 1.11+. 
Specifies if - the user_claim value uses JSON pointer syntax for referencing - claims. By default, the user_claim value will not use JSON pointer. + description: |- + Specifies if the user_claim value uses + JSON pointer + syntax for referencing claims. By default, the user_claim value will not use JSON pointer. + Requires Vault 1.11+. + Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value will not use JSON pointer. type: boolean verboseOidcLogging: - description: Log received OIDC tokens and claims when debug-level - logging is active. Not recommended in production since sensitive - information may be present in OIDC responses. Log received OIDC - tokens and claims when debug-level logging is active. Not recommended - in production since sensitive information may be present in - OIDC responses. + description: |- + Log received OIDC tokens and claims when debug-level + logging is active. Not recommended in production since sensitive information may be present + in OIDC responses. + Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses. type: boolean type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. 
See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -505,45 +688,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
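Review bot: The removed lines at the end of this hunk drop the deprecated `providerRef` property from the spec schema, leaving only `providerConfigRef` with its `default: name: default`, and nothing visible in the hunk documents this as a breaking change. Depending on pruning and validation settings not shown here, a manifest that still sets `spec.providerRef` may be rejected, or have the field silently dropped and fall back to the `default` ProviderConfig. That fallback could reconcile the role against different Vault credentials than the author intended. The schema looks generated, so the fix belongs in the upgrade notes rather than in this file, for example `spec.providerRef has been removed from the CRD schema; set spec.providerConfigRef explicitly before upgrading`. It is also worth checking existing resources for `providerRef` before rollout.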
@@ -553,21 +701,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -577,17 +725,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -597,21 +747,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -626,21 +776,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -651,14 +802,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -674,217 +826,231 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: roleName is a required parameter + - message: spec.forProvider.roleName is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.roleName) - || has(self.initProvider.roleName)' - - message: userClaim is a required parameter + || (has(self.initProvider) && has(self.initProvider.roleName))' + - message: spec.forProvider.userClaim is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.userClaim) - || has(self.initProvider.userClaim)' + || (has(self.initProvider) && has(self.initProvider.userClaim))' status: description: AuthBackendRoleStatus defines the observed state of AuthBackendRole. properties: atProvider: properties: allowedRedirectUris: - description: The list of allowed values for redirect_uri during - OIDC logins. Required for OIDC roles The list of allowed values - for redirect_uri during OIDC logins. + description: |- + The list of allowed values for redirect_uri during OIDC logins. + Required for OIDC roles + The list of allowed values for redirect_uri during OIDC logins. items: type: string type: array + x-kubernetes-list-type: set backend: - description: The unique name of the auth backend to configure. - Defaults to jwt. Unique name of the auth backend to configure. + description: |- + The unique name of the auth backend to configure. + Defaults to jwt. + Unique name of the auth backend to configure. type: string boundAudiences: - description: (For "jwt" roles, at least one of bound_audiences, - bound_subject, bound_claims or token_bound_cidrs is required. - Optional for "oidc" roles.) List of aud claims to match against. - Any match is sufficient. List of aud claims to match against. - Any match is sufficient. 
+ description: |- + List of aud claims to match against. Any match is sufficient. + List of aud claims to match against. Any match is sufficient. items: type: string type: array + x-kubernetes-list-type: set boundClaims: additionalProperties: type: string - description: If set, a map of claims to values to match against. - A claim's value must be a string, which may contain one value - or multiple comma-separated values, e.g. "red" or "red,green,blue". - Map of claims/values to match against. The expected value may - be a single string or a comma-separated string list. + description: |- + If set, a map of claims to values to match against. + A claim's value must be a string, which may contain one value or multiple + comma-separated values, e.g. "red" or "red,green,blue". + Map of claims/values to match against. The expected value may be a single string or a comma-separated string list. type: object + x-kubernetes-map-type: granular boundClaimsType: - description: 'How to interpret values in the claims/values map - (bound_claims): can be either string (exact match) or glob (wildcard - match). Requires Vault 1.4.0 or above. How to interpret values - in the claims/values map: can be either "string" (exact match) - or "glob" (wildcard match).' + description: |- + How to interpret values in the claims/values + map (bound_claims): can be either string (exact match) or glob (wildcard + match). Requires Vault 1.4.0 or above. + How to interpret values in the claims/values map: can be either "string" (exact match) or "glob" (wildcard match). type: string boundSubject: - description: If set, requires that the sub claim matches this - value. If set, requires that the sub claim matches this value. + description: |- + If set, requires that the sub claim matches + this value. + If set, requires that the sub claim matches this value. 
type: string claimMappings: additionalProperties: type: string - description: If set, a map of claims (keys) to be copied to specified - metadata fields (values). Map of claims (keys) to be copied + description: |- + If set, a map of claims (keys) to be copied to specified metadata fields (values). + Map of claims (keys) to be copied to specified metadata fields (values). type: object + x-kubernetes-map-type: granular clockSkewLeeway: - description: The amount of leeway to add to all claims to account - for clock skew, in seconds. Defaults to 60 seconds if set to - 0 and can be disabled if set to -1. Only applicable with "jwt" - roles. The amount of leeway to add to all claims to account - for clock skew, in seconds. Defaults to 60 seconds if set to - 0 and can be disabled if set to -1. Only applicable with 'jwt' - roles. + description: |- + The amount of leeway to add to all claims to account for clock skew, in + seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + Only applicable with "jwt" roles. + The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. type: number disableBoundClaimsParsing: description: Disable bound claim value parsing. Useful when values contain commas. type: boolean expirationLeeway: - description: The amount of leeway to add to expiration (exp) claims - to account for clock skew, in seconds. Defaults to 60 seconds - if set to 0 and can be disabled if set to -1. Only applicable - with "jwt" roles. The amount of leeway to add to expiration - (exp) claims to account for clock skew, in seconds. Defaults - to 60 seconds if set to 0 and can be disabled if set to -1. - Only applicable with 'jwt' roles. + description: |- + The amount of leeway to add to expiration (exp) claims to account for + clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. 
+ Only applicable with "jwt" roles. + The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. type: number groupsClaim: - description: The claim to use to uniquely identify the set of - groups to which the user belongs; this will be used as the names - for the Identity group aliases created due to a successful login. - The claim value must be a list of strings. The claim to use - to uniquely identify the set of groups to which the user belongs; - this will be used as the names for the Identity group aliases - created due to a successful login. The claim value must be a - list of strings. + description: |- + The claim to use to uniquely identify + the set of groups to which the user belongs; this will be used as the names + for the Identity group aliases created due to a successful login. The claim + value must be a list of strings. + The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings. type: string id: type: string maxAge: - description: Specifies the allowable elapsed time in seconds since - the last time the user was actively authenticated with the OIDC - provider. Specifies the allowable elapsed time in seconds since - the last time the user was actively authenticated. + description: |- + Specifies the allowable elapsed time in seconds since the last time + the user was actively authenticated with the OIDC provider. + Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated. type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. 
- Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string notBeforeLeeway: - description: The amount of leeway to add to not before (nbf) claims - to account for clock skew, in seconds. Defaults to 60 seconds - if set to 0 and can be disabled if set to -1. Only applicable - with "jwt" roles. The amount of leeway to add to not before - (nbf) claims to account for clock skew, in seconds. Defaults - to 150 seconds if set to 0 and can be disabled if set to -1. - Only applicable with 'jwt' roles. + description: |- + The amount of leeway to add to not before (nbf) claims to account for + clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. + Only applicable with "jwt" roles. + The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. type: number oidcScopes: - description: If set, a list of OIDC scopes to be used with an - OIDC role. The standard scope "openid" is automatically included - and need not be specified. List of OIDC scopes to be used with - an OIDC role. The standard scope "openid" is automatically included - and need not be specified. + description: |- + If set, a list of OIDC scopes to be used with an OIDC role. + The standard scope "openid" is automatically included and need not be specified. + List of OIDC scopes to be used with an OIDC role. The standard scope "openid" is automatically included and need not be specified. items: type: string type: array + x-kubernetes-list-type: set roleName: - description: The name of the role. Name of the role. 
+ description: |- + The name of the role. + Name of the role. type: string roleType: - description: Type of role, either "oidc" (default) or "jwt". Type - of role, either "oidc" (default) or "jwt" + description: |- + Type of role, either "oidc" (default) or "jwt". + Type of role, either "oidc" (default) or "jwt" type: string tokenBoundCidrs: - description: List of CIDR blocks; if set, specifies blocks of - IP addresses which can authenticate successfully, and ties the - resulting token to these blocks as well. Specifies the blocks - of IP addresses which are allowed to use the generated token + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + Specifies the blocks of IP addresses which are allowed to use the generated token items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: - description: If set, will encode an explicit max TTL onto the - token in number of seconds. This is a hard cap even if token_ttl - and token_max_ttl would otherwise allow a renewal. Generated - Token's Explicit Maximum TTL in seconds + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + Generated Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime for generated tokens in number - of seconds. Its current value will be referenced at renewal - time. The maximum lifetime of the generated token + description: |- + The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If set, the default policy will not be set on generated - tokens; otherwise it will be added to the policies set in token_policies. 
- If true, the 'default' policy will not automatically be added - to generated tokens + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a generated token may - be used (within its lifetime); 0 means unlimited. The maximum - number of times a token may be used, a value of zero means unlimited + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + The maximum number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: If set, indicates that the token generated using - this role should never expire. The token should be renewed within - the duration specified by this value. At each renewal, the token's - TTL will be set to the value of this field. Specified in seconds. + description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. Generated Token's Period type: number tokenPolicies: - description: List of policies to encode onto generated tokens. - Depending on the auth method, this list may be supplemented - by user/group/other values. Generated Token's Policies + description: |- + List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + Generated Token's Policies items: type: string type: array + x-kubernetes-list-type: set tokenTtl: - description: The incremental lifetime for generated tokens in - number of seconds. Its current value will be referenced at renewal - time. 
The initial ttl of the token to generate in seconds + description: |- + The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The initial ttl of the token to generate in seconds type: number tokenType: - description: 'The type of token that should be generated. Can - be service, batch, or default to use the mount''s tuned default - (which unless changed will be service tokens). For token store - roles, there are two additional possibilities: default-service - and default-batch which specify the type to return unless the - client requests a different type at generation time. The type - of token to generate, service or batch' + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. + The type of token to generate, service or batch type: string userClaim: - description: The claim to use to uniquely identify the user; this - will be used as the name for the Identity entity alias created - due to a successful login. The claim to use to uniquely identify - the user; this will be used as the name for the Identity entity - alias created due to a successful login. + description: |- + The claim to use to uniquely identify + the user; this will be used as the name for the Identity entity alias created + due to a successful login. + The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login. type: string userClaimJsonPointer: - description: Specifies if the user_claim value uses JSON pointer - syntax for referencing claims. By default, the user_claim value - will not use JSON pointer. Requires Vault 1.11+. 
Specifies if - the user_claim value uses JSON pointer syntax for referencing - claims. By default, the user_claim value will not use JSON pointer. + description: |- + Specifies if the user_claim value uses + JSON pointer + syntax for referencing claims. By default, the user_claim value will not use JSON pointer. + Requires Vault 1.11+. + Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value will not use JSON pointer. type: boolean verboseOidcLogging: - description: Log received OIDC tokens and claims when debug-level - logging is active. Not recommended in production since sensitive - information may be present in OIDC responses. Log received OIDC - tokens and claims when debug-level logging is active. Not recommended - in production since sensitive information may be present in - OIDC responses. + description: |- + Log received OIDC tokens and claims when debug-level + logging is active. Not recommended in production since sensitive information may be present + in OIDC responses. + Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses. type: boolean type: object conditions: 
@@ -893,14 +1059,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -910,8 +1085,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -920,6 +1096,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/jwt.vault.upbound.io_authbackends.yaml b/package/crds/jwt.vault.upbound.io_authbackends.yaml index 79e0be53..98f58cc9 100644 --- a/package/crds/jwt.vault.upbound.io_authbackends.yaml +++ b/package/crds/jwt.vault.upbound.io_authbackends.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: authbackends.jwt.vault.upbound.io spec: group: jwt.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: JWT/OIDC auth backends in Vault properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,83 +74,77 @@ spec: forProvider: properties: boundIssuer: - description: The value against which to match the iss claim in - a JWT The value against which to match the iss claim in a JWT + description: |- + The value against which to match the iss claim in a JWT + The value against which to match the iss claim in a JWT type: string defaultRole: - description: The default role to use if none is provided during - login The default role to use if none is provided during login + description: |- + The default role to use if none is provided during login + The default role to use if none is provided during login type: string description: - description: The description of the auth backend The description - of the auth backend + description: |- + The description of the auth backend + The description of the auth backend type: string disableRemount: - description: If set, opts out of mount migration on path updates. - See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. type: boolean jwksCaPem: - description: The CA certificate or chain of certificates, in PEM - format, to use to validate connections to the JWKS URL. If not - set, system certificates are used. The CA certificate or chain - of certificates, in PEM format, to use to validate connections - to the JWKS URL. If not set, system certificates are used. + description: |- + The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used. + The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used. type: string jwksUrl: - description: JWKS URL to use to authenticate signatures. 
Cannot - be used with "oidc_discovery_url" or "jwt_validation_pubkeys". - JWKS URL to use to authenticate signatures. Cannot be used with - 'oidc_discovery_url' or 'jwt_validation_pubkeys'. + description: |- + JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys". + JWKS URL to use to authenticate signatures. Cannot be used with 'oidc_discovery_url' or 'jwt_validation_pubkeys'. type: string jwtSupportedAlgs: - description: A list of supported signing algorithms. Vault 1.1.0 - defaults to [RS256] but future or past versions of Vault may - differ A list of supported signing algorithms. Defaults to [RS256] + description: |- + A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ + A list of supported signing algorithms. Defaults to [RS256] items: type: string type: array jwtValidationPubkeys: - description: A list of PEM-encoded public keys to use to authenticate - signatures locally. Cannot be used in combination with oidc_discovery_url - A list of PEM-encoded public keys to use to authenticate signatures - locally. Cannot be used with 'jwks_url' or 'oidc_discovery_url'. + description: |- + A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url + A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with 'jwks_url' or 'oidc_discovery_url'. items: type: string type: array local: - description: Specifies if the auth method is local only. Specifies - if the auth method is local only + description: |- + Specifies if the auth method is local only. + Specifies if the auth method is local only type: boolean namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. 
- Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string namespaceInState: - description: Pass namespace in the OIDC state parameter instead - of as a separate query parameter. With this setting, the allowed - redirect URL(s) in Vault and on the provider side should not - contain a namespace query parameter. This means only one redirect - URL entry needs to be maintained on the OIDC provider side for - all vault namespaces that will be authenticating against it. - Defaults to true for new configs Pass namespace in the OIDC - state parameter instead of as a separate query parameter. With - this setting, the allowed redirect URL(s) in Vault and on the - provider side should not contain a namespace query parameter. - This means only one redirect URL entry needs to be maintained - on the OIDC provider side for all vault namespaces that will - be authenticating against it. Defaults to true for new configs. + description: |- + Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs + Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. 
This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs. type: boolean oidcClientId: - description: Client ID used for OIDC backends Client ID used for - OIDC + description: |- + Client ID used for OIDC backends + Client ID used for OIDC type: string oidcClientSecretSecretRef: - description: Client Secret used for OIDC backends Client Secret - used for OIDC + description: |- + Client Secret used for OIDC backends + Client Secret used for OIDC properties: key: description: The key to select. 
@@ -161,308 +161,315 @@ spec: - namespace type: object oidcDiscoveryCaPem: - description: The CA certificate or chain of certificates, in PEM - format, to use to validate connections to the OIDC Discovery - URL. If not set, system certificates are used The CA certificate - or chain of certificates, in PEM format, to use to validate - connections to the OIDC Discovery URL. If not set, system certificates - are used + description: |- + The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used + The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used type: string oidcDiscoveryUrl: - description: The OIDC Discovery URL, without any .well-known component - (base path). Cannot be used in combination with jwt_validation_pubkeys - The OIDC Discovery URL, without any .well-known component (base - path). Cannot be used with 'jwks_url' or 'jwt_validation_pubkeys'. + description: |- + The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys + The OIDC Discovery URL, without any .well-known component (base path). Cannot be used with 'jwks_url' or 'jwt_validation_pubkeys'. type: string oidcResponseMode: - description: The response mode to be used in the OAuth2 request. - Allowed values are query and form_post. Defaults to query. If - using Vault namespaces, and oidc_response_mode is form_post, - then namespace_in_state should be set to false. The response - mode to be used in the OAuth2 request. Allowed values are 'query' - and 'form_post'. Defaults to 'query'. If using Vault namespaces, - and oidc_response_mode is 'form_post', then 'namespace_in_state' - should be set to false. + description: |- + The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. 
If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false. + The response mode to be used in the OAuth2 request. Allowed values are 'query' and 'form_post'. Defaults to 'query'. If using Vault namespaces, and oidc_response_mode is 'form_post', then 'namespace_in_state' should be set to false. type: string oidcResponseTypes: - description: 'List of response types to request. Allowed values - are ''code'' and ''id_token''. Defaults to ["code"]. Note: id_token - may only be used if oidc_response_mode is set to form_post. - The response types to request. Allowed values are ''code'' and - ''id_token''. Defaults to ''code''. Note: ''id_token'' may only - be used if ''oidc_response_mode'' is set to ''form_post''.' + description: |- + List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post. + The response types to request. Allowed values are 'code' and 'id_token'. Defaults to 'code'. Note: 'id_token' may only be used if 'oidc_response_mode' is set to 'form_post'. items: type: string type: array path: - description: Path to mount the JWT/OIDC auth backend path to mount - the backend + description: |- + Path to mount the JWT/OIDC auth backend + path to mount the backend type: string providerConfig: additionalProperties: type: string - description: Provider specific handling configuration. All values - may be strings, and the provider will convert to the appropriate - type when configuring Vault. Provider specific handling configuration + description: |- + Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault. 
+ Provider specific handling configuration type: object + x-kubernetes-map-type: granular tune: items: properties: allowedResponseHeaders: - description: List of headers to whitelist and allowing a - plugin to include them in the response. + description: |- + List of headers to whitelist and allowing + a plugin to include them in the response. items: type: string type: array auditNonHmacRequestKeys: - description: Specifies the list of keys that will not be - HMAC'd by audit devices in the request data object. + description: |- + Specifies the list of keys that will + not be HMAC'd by audit devices in the request data object. items: type: string type: array auditNonHmacResponseKeys: - description: Specifies the list of keys that will not be - HMAC'd by audit devices in the response data object. + description: |- + Specifies the list of keys that will + not be HMAC'd by audit devices in the response data object. items: type: string type: array defaultLeaseTtl: - description: Specifies the default time-to-live. If set, - this overrides the global default. Must be a valid duration - string + description: |- + Specifies the default time-to-live. + If set, this overrides the global default. + Must be a valid duration string type: string listingVisibility: - description: Specifies whether to show this mount in the - UI-specific listing endpoint. Valid values are "unauth" - or "hidden". + description: |- + Specifies whether to show this mount in + the UI-specific listing endpoint. Valid values are "unauth" or "hidden". type: string maxLeaseTtl: - description: Specifies the maximum time-to-live. If set, - this overrides the global default. Must be a valid duration - string + description: |- + Specifies the maximum time-to-live. + If set, this overrides the global default. + Must be a valid duration string type: string passthroughRequestHeaders: - description: List of headers to whitelist and pass from - the request to the backend. 
+ description: |- + List of headers to whitelist and + pass from the request to the backend. items: type: string type: array tokenType: - description: Specifies the type of tokens that should be - returned by the mount. Valid values are "default-service", - "default-batch", "service", "batch". + description: |- + Specifies the type of tokens that should be returned by + the mount. Valid values are "default-service", "default-batch", "service", "batch". type: string type: object type: array type: - description: Type of auth backend. Should be one of jwt or oidc. - Default - jwt Type of backend. Can be either 'jwt' or 'oidc' + description: |- + Type of auth backend. Should be one of jwt or oidc. Default - jwt + Type of backend. Can be either 'jwt' or 'oidc' type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. 
This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: boundIssuer: - description: The value against which to match the iss claim in - a JWT The value against which to match the iss claim in a JWT + description: |- + The value against which to match the iss claim in a JWT + The value against which to match the iss claim in a JWT type: string defaultRole: - description: The default role to use if none is provided during - login The default role to use if none is provided during login + description: |- + The default role to use if none is provided during login + The default role to use if none is provided during login type: string description: - description: The description of the auth backend The description - of the auth backend + description: |- + The description of the auth backend + The description of the auth backend type: string disableRemount: - description: If set, opts out of mount migration on path updates. - See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. type: boolean jwksCaPem: - description: The CA certificate or chain of certificates, in PEM - format, to use to validate connections to the JWKS URL. If not - set, system certificates are used. The CA certificate or chain - of certificates, in PEM format, to use to validate connections - to the JWKS URL. If not set, system certificates are used. + description: |- + The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used. + The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. 
If not set, system certificates are used. type: string jwksUrl: - description: JWKS URL to use to authenticate signatures. Cannot - be used with "oidc_discovery_url" or "jwt_validation_pubkeys". - JWKS URL to use to authenticate signatures. Cannot be used with - 'oidc_discovery_url' or 'jwt_validation_pubkeys'. + description: |- + JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys". + JWKS URL to use to authenticate signatures. Cannot be used with 'oidc_discovery_url' or 'jwt_validation_pubkeys'. type: string jwtSupportedAlgs: - description: A list of supported signing algorithms. Vault 1.1.0 - defaults to [RS256] but future or past versions of Vault may - differ A list of supported signing algorithms. Defaults to [RS256] + description: |- + A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ + A list of supported signing algorithms. Defaults to [RS256] items: type: string type: array jwtValidationPubkeys: - description: A list of PEM-encoded public keys to use to authenticate - signatures locally. Cannot be used in combination with oidc_discovery_url - A list of PEM-encoded public keys to use to authenticate signatures - locally. Cannot be used with 'jwks_url' or 'oidc_discovery_url'. + description: |- + A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url + A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with 'jwks_url' or 'oidc_discovery_url'. items: type: string type: array local: - description: Specifies if the auth method is local only. Specifies - if the auth method is local only + description: |- + Specifies if the auth method is local only. + Specifies if the auth method is local only type: boolean namespace: - description: The namespace to provision the resource in. 
The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string namespaceInState: - description: Pass namespace in the OIDC state parameter instead - of as a separate query parameter. With this setting, the allowed - redirect URL(s) in Vault and on the provider side should not - contain a namespace query parameter. This means only one redirect - URL entry needs to be maintained on the OIDC provider side for - all vault namespaces that will be authenticating against it. - Defaults to true for new configs Pass namespace in the OIDC - state parameter instead of as a separate query parameter. With - this setting, the allowed redirect URL(s) in Vault and on the - provider side should not contain a namespace query parameter. - This means only one redirect URL entry needs to be maintained - on the OIDC provider side for all vault namespaces that will - be authenticating against it. Defaults to true for new configs. + description: |- + Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs + Pass namespace in the OIDC state parameter instead of as a separate query parameter. 
With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs. type: boolean oidcClientId: - description: Client ID used for OIDC backends Client ID used for - OIDC + description: |- + Client ID used for OIDC backends + Client ID used for OIDC type: string + oidcClientSecretSecretRef: + description: |- + Client Secret used for OIDC backends + Client Secret used for OIDC + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object oidcDiscoveryCaPem: - description: The CA certificate or chain of certificates, in PEM - format, to use to validate connections to the OIDC Discovery - URL. If not set, system certificates are used The CA certificate - or chain of certificates, in PEM format, to use to validate - connections to the OIDC Discovery URL. If not set, system certificates - are used + description: |- + The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used + The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used type: string oidcDiscoveryUrl: - description: The OIDC Discovery URL, without any .well-known component - (base path). Cannot be used in combination with jwt_validation_pubkeys - The OIDC Discovery URL, without any .well-known component (base - path). Cannot be used with 'jwks_url' or 'jwt_validation_pubkeys'. + description: |- + The OIDC Discovery URL, without any .well-known component (base path). 
Cannot be used in combination with jwt_validation_pubkeys + The OIDC Discovery URL, without any .well-known component (base path). Cannot be used with 'jwks_url' or 'jwt_validation_pubkeys'. type: string oidcResponseMode: - description: The response mode to be used in the OAuth2 request. - Allowed values are query and form_post. Defaults to query. If - using Vault namespaces, and oidc_response_mode is form_post, - then namespace_in_state should be set to false. The response - mode to be used in the OAuth2 request. Allowed values are 'query' - and 'form_post'. Defaults to 'query'. If using Vault namespaces, - and oidc_response_mode is 'form_post', then 'namespace_in_state' - should be set to false. + description: |- + The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false. + The response mode to be used in the OAuth2 request. Allowed values are 'query' and 'form_post'. Defaults to 'query'. If using Vault namespaces, and oidc_response_mode is 'form_post', then 'namespace_in_state' should be set to false. type: string oidcResponseTypes: - description: 'List of response types to request. Allowed values - are ''code'' and ''id_token''. Defaults to ["code"]. Note: id_token - may only be used if oidc_response_mode is set to form_post. - The response types to request. Allowed values are ''code'' and - ''id_token''. Defaults to ''code''. Note: ''id_token'' may only - be used if ''oidc_response_mode'' is set to ''form_post''.' + description: |- + List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post. + The response types to request. Allowed values are 'code' and 'id_token'. Defaults to 'code'. Note: 'id_token' may only be used if 'oidc_response_mode' is set to 'form_post'. 
items: type: string type: array path: - description: Path to mount the JWT/OIDC auth backend path to mount - the backend + description: |- + Path to mount the JWT/OIDC auth backend + path to mount the backend type: string providerConfig: additionalProperties: type: string - description: Provider specific handling configuration. All values - may be strings, and the provider will convert to the appropriate - type when configuring Vault. Provider specific handling configuration + description: |- + Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault. + Provider specific handling configuration type: object + x-kubernetes-map-type: granular tune: items: properties: allowedResponseHeaders: - description: List of headers to whitelist and allowing a - plugin to include them in the response. + description: |- + List of headers to whitelist and allowing + a plugin to include them in the response. items: type: string type: array auditNonHmacRequestKeys: - description: Specifies the list of keys that will not be - HMAC'd by audit devices in the request data object. + description: |- + Specifies the list of keys that will + not be HMAC'd by audit devices in the request data object. items: type: string type: array auditNonHmacResponseKeys: - description: Specifies the list of keys that will not be - HMAC'd by audit devices in the response data object. + description: |- + Specifies the list of keys that will + not be HMAC'd by audit devices in the response data object. items: type: string type: array defaultLeaseTtl: - description: Specifies the default time-to-live. If set, - this overrides the global default. Must be a valid duration - string + description: |- + Specifies the default time-to-live. + If set, this overrides the global default. 
+ Must be a valid duration string type: string listingVisibility: - description: Specifies whether to show this mount in the - UI-specific listing endpoint. Valid values are "unauth" - or "hidden". + description: |- + Specifies whether to show this mount in + the UI-specific listing endpoint. Valid values are "unauth" or "hidden". type: string maxLeaseTtl: - description: Specifies the maximum time-to-live. If set, - this overrides the global default. Must be a valid duration - string + description: |- + Specifies the maximum time-to-live. + If set, this overrides the global default. + Must be a valid duration string type: string passthroughRequestHeaders: - description: List of headers to whitelist and pass from - the request to the backend. + description: |- + List of headers to whitelist and + pass from the request to the backend. items: type: string type: array tokenType: - description: Specifies the type of tokens that should be - returned by the mount. Valid values are "default-service", - "default-batch", "service", "batch". + description: |- + Specifies the type of tokens that should be returned by + the mount. Valid values are "default-service", "default-batch", "service", "batch". type: string type: object type: array type: - description: Type of auth backend. Should be one of jwt or oidc. - Default - jwt Type of backend. Can be either 'jwt' or 'oidc' + description: |- + Type of auth backend. Should be one of jwt or oidc. Default - jwt + Type of backend. Can be either 'jwt' or 'oidc' type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. 
Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -475,45 +482,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -523,21 +495,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -547,17 +519,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -567,21 +541,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -596,21 +570,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -621,14 +596,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -649,183 +625,174 @@ spec: atProvider: properties: accessor: - description: The accessor for this auth method The accessor of - the JWT auth backend + description: |- + The accessor for this auth method + The accessor of the JWT auth backend type: string boundIssuer: - description: The value against which to match the iss claim in - a JWT The value against which to match the iss claim in a JWT + description: |- + The value against which to match the iss claim in a JWT + The value against which to match the iss claim in a JWT type: string defaultRole: - description: The default role to use if none is provided during - login The default role to use if none is provided during login + description: |- + The default role to use if none is provided during login + The default role to use if none is provided during login type: string description: - description: The description of the auth backend The description - of the auth backend + description: |- + The description of the auth backend + The description of the auth backend type: string disableRemount: - description: If set, opts out of mount migration on path updates. - See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. type: boolean id: type: string jwksCaPem: - description: The CA certificate or chain of certificates, in PEM - format, to use to validate connections to the JWKS URL. If not - set, system certificates are used. The CA certificate or chain - of certificates, in PEM format, to use to validate connections - to the JWKS URL. If not set, system certificates are used. + description: |- + The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used. 
+ The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used. type: string jwksUrl: - description: JWKS URL to use to authenticate signatures. Cannot - be used with "oidc_discovery_url" or "jwt_validation_pubkeys". - JWKS URL to use to authenticate signatures. Cannot be used with - 'oidc_discovery_url' or 'jwt_validation_pubkeys'. + description: |- + JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys". + JWKS URL to use to authenticate signatures. Cannot be used with 'oidc_discovery_url' or 'jwt_validation_pubkeys'. type: string jwtSupportedAlgs: - description: A list of supported signing algorithms. Vault 1.1.0 - defaults to [RS256] but future or past versions of Vault may - differ A list of supported signing algorithms. Defaults to [RS256] + description: |- + A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ + A list of supported signing algorithms. Defaults to [RS256] items: type: string type: array jwtValidationPubkeys: - description: A list of PEM-encoded public keys to use to authenticate - signatures locally. Cannot be used in combination with oidc_discovery_url - A list of PEM-encoded public keys to use to authenticate signatures - locally. Cannot be used with 'jwks_url' or 'oidc_discovery_url'. + description: |- + A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url + A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with 'jwks_url' or 'oidc_discovery_url'. items: type: string type: array local: - description: Specifies if the auth method is local only. Specifies - if the auth method is local only + description: |- + Specifies if the auth method is local only. 
+ Specifies if the auth method is local only type: boolean namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string namespaceInState: - description: Pass namespace in the OIDC state parameter instead - of as a separate query parameter. With this setting, the allowed - redirect URL(s) in Vault and on the provider side should not - contain a namespace query parameter. This means only one redirect - URL entry needs to be maintained on the OIDC provider side for - all vault namespaces that will be authenticating against it. - Defaults to true for new configs Pass namespace in the OIDC - state parameter instead of as a separate query parameter. With - this setting, the allowed redirect URL(s) in Vault and on the - provider side should not contain a namespace query parameter. - This means only one redirect URL entry needs to be maintained - on the OIDC provider side for all vault namespaces that will - be authenticating against it. Defaults to true for new configs. + description: |- + Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. 
Defaults to true for new configs + Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs. type: boolean oidcClientId: - description: Client ID used for OIDC backends Client ID used for - OIDC + description: |- + Client ID used for OIDC backends + Client ID used for OIDC type: string oidcDiscoveryCaPem: - description: The CA certificate or chain of certificates, in PEM - format, to use to validate connections to the OIDC Discovery - URL. If not set, system certificates are used The CA certificate - or chain of certificates, in PEM format, to use to validate - connections to the OIDC Discovery URL. If not set, system certificates - are used + description: |- + The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used + The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used type: string oidcDiscoveryUrl: - description: The OIDC Discovery URL, without any .well-known component - (base path). Cannot be used in combination with jwt_validation_pubkeys - The OIDC Discovery URL, without any .well-known component (base - path). Cannot be used with 'jwks_url' or 'jwt_validation_pubkeys'. + description: |- + The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys + The OIDC Discovery URL, without any .well-known component (base path). Cannot be used with 'jwks_url' or 'jwt_validation_pubkeys'. 
type: string oidcResponseMode: - description: The response mode to be used in the OAuth2 request. - Allowed values are query and form_post. Defaults to query. If - using Vault namespaces, and oidc_response_mode is form_post, - then namespace_in_state should be set to false. The response - mode to be used in the OAuth2 request. Allowed values are 'query' - and 'form_post'. Defaults to 'query'. If using Vault namespaces, - and oidc_response_mode is 'form_post', then 'namespace_in_state' - should be set to false. + description: |- + The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false. + The response mode to be used in the OAuth2 request. Allowed values are 'query' and 'form_post'. Defaults to 'query'. If using Vault namespaces, and oidc_response_mode is 'form_post', then 'namespace_in_state' should be set to false. type: string oidcResponseTypes: - description: 'List of response types to request. Allowed values - are ''code'' and ''id_token''. Defaults to ["code"]. Note: id_token - may only be used if oidc_response_mode is set to form_post. - The response types to request. Allowed values are ''code'' and - ''id_token''. Defaults to ''code''. Note: ''id_token'' may only - be used if ''oidc_response_mode'' is set to ''form_post''.' + description: |- + List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post. + The response types to request. Allowed values are 'code' and 'id_token'. Defaults to 'code'. Note: 'id_token' may only be used if 'oidc_response_mode' is set to 'form_post'. 
items: type: string type: array path: - description: Path to mount the JWT/OIDC auth backend path to mount - the backend + description: |- + Path to mount the JWT/OIDC auth backend + path to mount the backend type: string providerConfig: additionalProperties: type: string - description: Provider specific handling configuration. All values - may be strings, and the provider will convert to the appropriate - type when configuring Vault. Provider specific handling configuration + description: |- + Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault. + Provider specific handling configuration type: object + x-kubernetes-map-type: granular tune: items: properties: allowedResponseHeaders: - description: List of headers to whitelist and allowing a - plugin to include them in the response. + description: |- + List of headers to whitelist and allowing + a plugin to include them in the response. items: type: string type: array auditNonHmacRequestKeys: - description: Specifies the list of keys that will not be - HMAC'd by audit devices in the request data object. + description: |- + Specifies the list of keys that will + not be HMAC'd by audit devices in the request data object. items: type: string type: array auditNonHmacResponseKeys: - description: Specifies the list of keys that will not be - HMAC'd by audit devices in the response data object. + description: |- + Specifies the list of keys that will + not be HMAC'd by audit devices in the response data object. items: type: string type: array defaultLeaseTtl: - description: Specifies the default time-to-live. If set, - this overrides the global default. Must be a valid duration - string + description: |- + Specifies the default time-to-live. + If set, this overrides the global default. 
+ Must be a valid duration string type: string listingVisibility: - description: Specifies whether to show this mount in the - UI-specific listing endpoint. Valid values are "unauth" - or "hidden". + description: |- + Specifies whether to show this mount in + the UI-specific listing endpoint. Valid values are "unauth" or "hidden". type: string maxLeaseTtl: - description: Specifies the maximum time-to-live. If set, - this overrides the global default. Must be a valid duration - string + description: |- + Specifies the maximum time-to-live. + If set, this overrides the global default. + Must be a valid duration string type: string passthroughRequestHeaders: - description: List of headers to whitelist and pass from - the request to the backend. + description: |- + List of headers to whitelist and + pass from the request to the backend. items: type: string type: array tokenType: - description: Specifies the type of tokens that should be - returned by the mount. Valid values are "default-service", - "default-batch", "service", "batch". + description: |- + Specifies the type of tokens that should be returned by + the mount. Valid values are "default-service", "default-batch", "service", "batch". type: string type: object type: array type: - description: Type of auth backend. Should be one of jwt or oidc. - Default - jwt Type of backend. Can be either 'jwt' or 'oidc' + description: |- + Type of auth backend. Should be one of jwt or oidc. Default - jwt + Type of backend. Can be either 'jwt' or 'oidc' type: string type: object conditions: 
@@ -834,14 +801,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -851,8 +827,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -861,6 +838,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/kmip.vault.upbound.io_secretbackends.yaml b/package/crds/kmip.vault.upbound.io_secretbackends.yaml index 70019e7b..8d52eab7 100644 --- a/package/crds/kmip.vault.upbound.io_secretbackends.yaml +++ b/package/crds/kmip.vault.upbound.io_secretbackends.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretbackends.kmip.vault.upbound.io spec: group: kmip.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: KMIP Secret backends in Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,167 +74,192 @@ spec: forProvider: properties: defaultTlsClientKeyBits: - description: Client certificate key bits, valid values depend - on key type. Client certificate key bits, valid values depend - on key type + description: |- + Client certificate key bits, valid values depend on key type. + Client certificate key bits, valid values depend on key type type: number defaultTlsClientKeyType: - description: Client certificate key type, rsa or ec. Client certificate - key type, rsa or ec + description: |- + Client certificate key type, rsa or ec. + Client certificate key type, rsa or ec type: string defaultTlsClientTtl: description: Client certificate TTL in seconds type: number description: - description: A human-friendly description for this backend. Human-friendly - description of the mount for the backend + description: |- + A human-friendly description for this backend. + Human-friendly description of the mount for the backend type: string disableRemount: - description: If set, opts out of mount migration on path updates. - See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. type: boolean listenAddrs: - description: Addresses the KMIP server should listen on (host:port). + description: |- + Addresses the KMIP server should listen on (host:port). Addresses the KMIP server should listen on (host:port) items: type: string type: array + x-kubernetes-list-type: set namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. 
+ The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: The unique path this backend should be mounted at. - Must not begin or end with a /. Defaults to kmip. Path where - KMIP secret backend will be mounted + description: |- + The unique path this backend should be mounted at. Must + not begin or end with a /. Defaults to kmip. + Path where KMIP secret backend will be mounted type: string serverHostnames: - description: Hostnames to include in the server's TLS certificate - as SAN DNS names. The first will be used as the common name - (CN). Hostnames to include in the server's TLS certificate as - SAN DNS names. The first will be used as the common name (CN) + description: |- + Hostnames to include in the server's TLS certificate as SAN DNS names. The first will be used as the common name (CN). + Hostnames to include in the server's TLS certificate as SAN DNS names. The first will be used as the common name (CN) items: type: string type: array + x-kubernetes-list-type: set serverIps: - description: IPs to include in the server's TLS certificate as - SAN IP addresses. IPs to include in the server's TLS certificate - as SAN IP addresses + description: |- + IPs to include in the server's TLS certificate as SAN IP addresses. + IPs to include in the server's TLS certificate as SAN IP addresses items: type: string type: array + x-kubernetes-list-type: set tlsCaKeyBits: - description: CA key bits, valid values depend on key type. CA - key bits, valid values depend on key type + description: |- + CA key bits, valid values depend on key type. + CA key bits, valid values depend on key type type: number tlsCaKeyType: - description: CA key type, rsa or ec. CA key type, rsa or ec + description: |- + CA key type, rsa or ec. 
+ CA key type, rsa or ec type: string tlsMinVersion: - description: Minimum TLS version to accept. Minimum TLS version - to accept + description: |- + Minimum TLS version to accept. + Minimum TLS version to accept type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: defaultTlsClientKeyBits: - description: Client certificate key bits, valid values depend - on key type. Client certificate key bits, valid values depend - on key type + description: |- + Client certificate key bits, valid values depend on key type. 
+ Client certificate key bits, valid values depend on key type type: number defaultTlsClientKeyType: - description: Client certificate key type, rsa or ec. Client certificate - key type, rsa or ec + description: |- + Client certificate key type, rsa or ec. + Client certificate key type, rsa or ec type: string defaultTlsClientTtl: description: Client certificate TTL in seconds type: number description: - description: A human-friendly description for this backend. Human-friendly - description of the mount for the backend + description: |- + A human-friendly description for this backend. + Human-friendly description of the mount for the backend type: string disableRemount: - description: If set, opts out of mount migration on path updates. - See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. type: boolean listenAddrs: - description: Addresses the KMIP server should listen on (host:port). + description: |- + Addresses the KMIP server should listen on (host:port). Addresses the KMIP server should listen on (host:port) items: type: string type: array + x-kubernetes-list-type: set namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: The unique path this backend should be mounted at. 
- Must not begin or end with a /. Defaults to kmip. Path where - KMIP secret backend will be mounted + description: |- + The unique path this backend should be mounted at. Must + not begin or end with a /. Defaults to kmip. + Path where KMIP secret backend will be mounted type: string serverHostnames: - description: Hostnames to include in the server's TLS certificate - as SAN DNS names. The first will be used as the common name - (CN). Hostnames to include in the server's TLS certificate as - SAN DNS names. The first will be used as the common name (CN) + description: |- + Hostnames to include in the server's TLS certificate as SAN DNS names. The first will be used as the common name (CN). + Hostnames to include in the server's TLS certificate as SAN DNS names. The first will be used as the common name (CN) items: type: string type: array + x-kubernetes-list-type: set serverIps: - description: IPs to include in the server's TLS certificate as - SAN IP addresses. IPs to include in the server's TLS certificate - as SAN IP addresses + description: |- + IPs to include in the server's TLS certificate as SAN IP addresses. + IPs to include in the server's TLS certificate as SAN IP addresses items: type: string type: array + x-kubernetes-list-type: set tlsCaKeyBits: - description: CA key bits, valid values depend on key type. CA - key bits, valid values depend on key type + description: |- + CA key bits, valid values depend on key type. + CA key bits, valid values depend on key type type: number tlsCaKeyType: - description: CA key type, rsa or ec. CA key type, rsa or ec + description: |- + CA key type, rsa or ec. + CA key type, rsa or ec type: string tlsMinVersion: - description: Minimum TLS version to accept. Minimum TLS version - to accept + description: |- + Minimum TLS version to accept. + Minimum TLS version to accept type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. 
- It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -241,45 +272,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -289,21 +285,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -313,17 +309,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -333,21 +331,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -362,21 +360,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -387,14 +386,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -410,81 +410,93 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: path is a required parameter + - message: spec.forProvider.path is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.path) - || has(self.initProvider.path)' + || (has(self.initProvider) && has(self.initProvider.path))' status: description: SecretBackendStatus defines the observed state of SecretBackend. properties: atProvider: properties: defaultTlsClientKeyBits: - description: Client certificate key bits, valid values depend - on key type. Client certificate key bits, valid values depend - on key type + description: |- + Client certificate key bits, valid values depend on key type. + Client certificate key bits, valid values depend on key type type: number defaultTlsClientKeyType: - description: Client certificate key type, rsa or ec. Client certificate - key type, rsa or ec + description: |- + Client certificate key type, rsa or ec. + Client certificate key type, rsa or ec type: string defaultTlsClientTtl: description: Client certificate TTL in seconds type: number description: - description: A human-friendly description for this backend. Human-friendly - description of the mount for the backend + description: |- + A human-friendly description for this backend. + Human-friendly description of the mount for the backend type: string disableRemount: - description: If set, opts out of mount migration on path updates. - See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. type: boolean id: type: string listenAddrs: - description: Addresses the KMIP server should listen on (host:port). 
+ description: |- + Addresses the KMIP server should listen on (host:port). Addresses the KMIP server should listen on (host:port) items: type: string type: array + x-kubernetes-list-type: set namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: The unique path this backend should be mounted at. - Must not begin or end with a /. Defaults to kmip. Path where - KMIP secret backend will be mounted + description: |- + The unique path this backend should be mounted at. Must + not begin or end with a /. Defaults to kmip. + Path where KMIP secret backend will be mounted type: string serverHostnames: - description: Hostnames to include in the server's TLS certificate - as SAN DNS names. The first will be used as the common name - (CN). Hostnames to include in the server's TLS certificate as - SAN DNS names. The first will be used as the common name (CN) + description: |- + Hostnames to include in the server's TLS certificate as SAN DNS names. The first will be used as the common name (CN). + Hostnames to include in the server's TLS certificate as SAN DNS names. The first will be used as the common name (CN) items: type: string type: array + x-kubernetes-list-type: set serverIps: - description: IPs to include in the server's TLS certificate as - SAN IP addresses. IPs to include in the server's TLS certificate - as SAN IP addresses + description: |- + IPs to include in the server's TLS certificate as SAN IP addresses. 
+ IPs to include in the server's TLS certificate as SAN IP addresses items: type: string type: array + x-kubernetes-list-type: set tlsCaKeyBits: - description: CA key bits, valid values depend on key type. CA - key bits, valid values depend on key type + description: |- + CA key bits, valid values depend on key type. + CA key bits, valid values depend on key type type: number tlsCaKeyType: - description: CA key type, rsa or ec. CA key type, rsa or ec + description: |- + CA key type, rsa or ec. + CA key type, rsa or ec type: string tlsMinVersion: - description: Minimum TLS version to accept. Minimum TLS version - to accept + description: |- + Minimum TLS version to accept. + Minimum TLS version to accept type: string type: object conditions: @@ -493,14 +505,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. 
@@ -510,8 +531,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -520,6 +542,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/kmip.vault.upbound.io_secretroles.yaml b/package/crds/kmip.vault.upbound.io_secretroles.yaml index ac268e96..d18fdac1 100644 --- a/package/crds/kmip.vault.upbound.io_secretroles.yaml +++ b/package/crds/kmip.vault.upbound.io_secretroles.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretroles.kmip.vault.upbound.io spec: group: kmip.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: Secret roles in Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,221 +74,552 @@ spec: forProvider: properties: namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string operationActivate: - description: Grant permission to use the KMIP Activate operation. + description: |- + Grant permission to use the KMIP Activate operation. Grant permission to use the KMIP Activate operation type: boolean operationAddAttribute: - description: Grant permission to use the KMIP Add Attribute operation. + description: |- + Grant permission to use the KMIP Add Attribute operation. Grant permission to use the KMIP Add Attribute operation type: boolean operationAll: - description: Grant all permissions to this role. May not be specified - with any other operation_* params. Grant all permissions to - this role. May not be specified with any other operation_* params + description: |- + Grant all permissions to this role. May not be specified with any other operation_* params. + Grant all permissions to this role. May not be specified with any other operation_* params type: boolean operationCreate: - description: Grant permission to use the KMIP Create operation. + description: |- + Grant permission to use the KMIP Create operation. Grant permission to use the KMIP Create operation type: boolean operationDestroy: - description: Grant permission to use the KMIP Destroy operation. + description: |- + Grant permission to use the KMIP Destroy operation. 
Grant permission to use the KMIP Destroy operation type: boolean operationDiscoverVersions: - description: Grant permission to use the KMIP Discover Version - operation. Grant permission to use the KMIP Discover Version - operation + description: |- + Grant permission to use the KMIP Discover Version operation. + Grant permission to use the KMIP Discover Version operation type: boolean operationGet: - description: Grant permission to use the KMIP Get operation. Grant - permission to use the KMIP Get operation + description: |- + Grant permission to use the KMIP Get operation. + Grant permission to use the KMIP Get operation type: boolean operationGetAttributeList: - description: Grant permission to use the KMIP Get Atrribute List - operation. Grant permission to use the KMIP Get Attribute List - operation + description: |- + Grant permission to use the KMIP Get Atrribute List operation. + Grant permission to use the KMIP Get Attribute List operation type: boolean operationGetAttributes: - description: Grant permission to use the KMIP Get Atrributes operation. + description: |- + Grant permission to use the KMIP Get Atrributes operation. Grant permission to use the KMIP Get Attributes operation type: boolean operationLocate: - description: Grant permission to use the KMIP Get Locate operation. + description: |- + Grant permission to use the KMIP Get Locate operation. Grant permission to use the KMIP Locate operation type: boolean operationNone: - description: Remove all permissions from this role. May not be - specified with any other operation_* params. Remove all permissions - from this role. May not be specified with any other operation_* - params + description: |- + Remove all permissions from this role. May not be specified with any other operation_* params. + Remove all permissions from this role. May not be specified with any other operation_* params type: boolean operationRegister: - description: Grant permission to use the KMIP Register operation. 
+ description: |- + Grant permission to use the KMIP Register operation. Grant permission to use the KMIP Register operation type: boolean operationRekey: - description: Grant permission to use the KMIP Rekey operation. + description: |- + Grant permission to use the KMIP Rekey operation. Grant permission to use the KMIP Rekey operation type: boolean operationRevoke: - description: Grant permission to use the KMIP Revoke operation. + description: |- + Grant permission to use the KMIP Revoke operation. Grant permission to use the KMIP Revoke operation type: boolean path: - description: The unique path this backend should be mounted at. - Must not begin or end with a /. Defaults to kmip. Path where - KMIP backend is mounted + description: |- + The unique path this backend should be mounted at. Must + not begin or end with a /. Defaults to kmip. + Path where KMIP backend is mounted type: string + pathRef: + description: Reference to a SecretScope in kmip to populate path. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + pathSelector: + description: Selector for a SecretScope in kmip to populate path. 
+ properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object role: - description: Name of the role. Name of the role + description: |- + Name of the role. + Name of the role type: string scope: - description: Name of the scope. Name of the scope + description: |- + Name of the scope. + Name of the scope type: string + scopeRef: + description: Reference to a SecretScope in kmip to populate scope. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + scopeSelector: + description: Selector for a SecretScope in kmip to populate scope. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object tlsClientKeyBits: - description: Client certificate key bits, valid values depend - on key type. Client certificate key bits, valid values depend - on key type + description: |- + Client certificate key bits, valid values depend on key type. 
+ Client certificate key bits, valid values depend on key type type: number tlsClientKeyType: - description: Client certificate key type, rsa or ec. Client certificate - key type, rsa or ec + description: |- + Client certificate key type, rsa or ec. + Client certificate key type, rsa or ec type: string tlsClientTtl: - description: Client certificate TTL in seconds. Client certificate - TTL in seconds + description: |- + Client certificate TTL in seconds. + Client certificate TTL in seconds type: number type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: namespace: - description: The namespace to provision the resource in. 
The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string operationActivate: - description: Grant permission to use the KMIP Activate operation. + description: |- + Grant permission to use the KMIP Activate operation. Grant permission to use the KMIP Activate operation type: boolean operationAddAttribute: - description: Grant permission to use the KMIP Add Attribute operation. + description: |- + Grant permission to use the KMIP Add Attribute operation. Grant permission to use the KMIP Add Attribute operation type: boolean operationAll: - description: Grant all permissions to this role. May not be specified - with any other operation_* params. Grant all permissions to - this role. May not be specified with any other operation_* params + description: |- + Grant all permissions to this role. May not be specified with any other operation_* params. + Grant all permissions to this role. May not be specified with any other operation_* params type: boolean operationCreate: - description: Grant permission to use the KMIP Create operation. + description: |- + Grant permission to use the KMIP Create operation. Grant permission to use the KMIP Create operation type: boolean operationDestroy: - description: Grant permission to use the KMIP Destroy operation. + description: |- + Grant permission to use the KMIP Destroy operation. Grant permission to use the KMIP Destroy operation type: boolean operationDiscoverVersions: - description: Grant permission to use the KMIP Discover Version - operation. 
Grant permission to use the KMIP Discover Version - operation + description: |- + Grant permission to use the KMIP Discover Version operation. + Grant permission to use the KMIP Discover Version operation type: boolean operationGet: - description: Grant permission to use the KMIP Get operation. Grant - permission to use the KMIP Get operation + description: |- + Grant permission to use the KMIP Get operation. + Grant permission to use the KMIP Get operation type: boolean operationGetAttributeList: - description: Grant permission to use the KMIP Get Atrribute List - operation. Grant permission to use the KMIP Get Attribute List - operation + description: |- + Grant permission to use the KMIP Get Atrribute List operation. + Grant permission to use the KMIP Get Attribute List operation type: boolean operationGetAttributes: - description: Grant permission to use the KMIP Get Atrributes operation. + description: |- + Grant permission to use the KMIP Get Atrributes operation. Grant permission to use the KMIP Get Attributes operation type: boolean operationLocate: - description: Grant permission to use the KMIP Get Locate operation. + description: |- + Grant permission to use the KMIP Get Locate operation. Grant permission to use the KMIP Locate operation type: boolean operationNone: - description: Remove all permissions from this role. May not be - specified with any other operation_* params. Remove all permissions - from this role. May not be specified with any other operation_* - params + description: |- + Remove all permissions from this role. May not be specified with any other operation_* params. + Remove all permissions from this role. May not be specified with any other operation_* params type: boolean operationRegister: - description: Grant permission to use the KMIP Register operation. + description: |- + Grant permission to use the KMIP Register operation. 
Grant permission to use the KMIP Register operation type: boolean operationRekey: - description: Grant permission to use the KMIP Rekey operation. + description: |- + Grant permission to use the KMIP Rekey operation. Grant permission to use the KMIP Rekey operation type: boolean operationRevoke: - description: Grant permission to use the KMIP Revoke operation. + description: |- + Grant permission to use the KMIP Revoke operation. Grant permission to use the KMIP Revoke operation type: boolean path: - description: The unique path this backend should be mounted at. - Must not begin or end with a /. Defaults to kmip. Path where - KMIP backend is mounted + description: |- + The unique path this backend should be mounted at. Must + not begin or end with a /. Defaults to kmip. + Path where KMIP backend is mounted type: string + pathRef: + description: Reference to a SecretScope in kmip to populate path. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + pathSelector: + description: Selector for a SecretScope in kmip to populate path. 
+ properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object role: - description: Name of the role. Name of the role + description: |- + Name of the role. + Name of the role type: string scope: - description: Name of the scope. Name of the scope + description: |- + Name of the scope. + Name of the scope type: string + scopeRef: + description: Reference to a SecretScope in kmip to populate scope. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + scopeSelector: + description: Selector for a SecretScope in kmip to populate scope. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object tlsClientKeyBits: - description: Client certificate key bits, valid values depend - on key type. Client certificate key bits, valid values depend - on key type + description: |- + Client certificate key bits, valid values depend on key type. 
+ Client certificate key bits, valid values depend on key type type: number tlsClientKeyType: - description: Client certificate key type, rsa or ec. Client certificate - key type, rsa or ec + description: |- + Client certificate key type, rsa or ec. + Client certificate key type, rsa or ec type: string tlsClientTtl: - description: Client certificate TTL in seconds. Client certificate - TTL in seconds + description: |- + Client certificate TTL in seconds. + Client certificate TTL in seconds type: number type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. 
+ See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -295,9 +632,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -307,57 +645,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -367,17 +669,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -387,21 +691,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -416,21 +720,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -441,14 +746,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -464,18 +770,10 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: path is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.path) - || has(self.initProvider.path)' - - message: role is a required parameter + - message: spec.forProvider.role is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.role) - || has(self.initProvider.role)' - - message: scope is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.scope) - || has(self.initProvider.scope)' + || (has(self.initProvider) && has(self.initProvider.role))' status: description: SecretRoleStatus defines the observed state of SecretRole. properties: 
@@ -484,96 +782,113 @@ spec: id: type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string operationActivate: - description: Grant permission to use the KMIP Activate operation. + description: |- + Grant permission to use the KMIP Activate operation. Grant permission to use the KMIP Activate operation type: boolean operationAddAttribute: - description: Grant permission to use the KMIP Add Attribute operation. + description: |- + Grant permission to use the KMIP Add Attribute operation. Grant permission to use the KMIP Add Attribute operation type: boolean operationAll: - description: Grant all permissions to this role. May not be specified - with any other operation_* params. Grant all permissions to - this role. May not be specified with any other operation_* params + description: |- + Grant all permissions to this role. May not be specified with any other operation_* params. + Grant all permissions to this role. May not be specified with any other operation_* params type: boolean operationCreate: - description: Grant permission to use the KMIP Create operation. + description: |- + Grant permission to use the KMIP Create operation. Grant permission to use the KMIP Create operation type: boolean operationDestroy: - description: Grant permission to use the KMIP Destroy operation. + description: |- + Grant permission to use the KMIP Destroy operation. 
Grant permission to use the KMIP Destroy operation type: boolean operationDiscoverVersions: - description: Grant permission to use the KMIP Discover Version - operation. Grant permission to use the KMIP Discover Version - operation + description: |- + Grant permission to use the KMIP Discover Version operation. + Grant permission to use the KMIP Discover Version operation type: boolean operationGet: - description: Grant permission to use the KMIP Get operation. Grant - permission to use the KMIP Get operation + description: |- + Grant permission to use the KMIP Get operation. + Grant permission to use the KMIP Get operation type: boolean operationGetAttributeList: - description: Grant permission to use the KMIP Get Atrribute List - operation. Grant permission to use the KMIP Get Attribute List - operation + description: |- + Grant permission to use the KMIP Get Atrribute List operation. + Grant permission to use the KMIP Get Attribute List operation type: boolean operationGetAttributes: - description: Grant permission to use the KMIP Get Atrributes operation. + description: |- + Grant permission to use the KMIP Get Atrributes operation. Grant permission to use the KMIP Get Attributes operation type: boolean operationLocate: - description: Grant permission to use the KMIP Get Locate operation. + description: |- + Grant permission to use the KMIP Get Locate operation. Grant permission to use the KMIP Locate operation type: boolean operationNone: - description: Remove all permissions from this role. May not be - specified with any other operation_* params. Remove all permissions - from this role. May not be specified with any other operation_* - params + description: |- + Remove all permissions from this role. May not be specified with any other operation_* params. + Remove all permissions from this role. May not be specified with any other operation_* params type: boolean operationRegister: - description: Grant permission to use the KMIP Register operation. 
+ description: |- + Grant permission to use the KMIP Register operation. Grant permission to use the KMIP Register operation type: boolean operationRekey: - description: Grant permission to use the KMIP Rekey operation. + description: |- + Grant permission to use the KMIP Rekey operation. Grant permission to use the KMIP Rekey operation type: boolean operationRevoke: - description: Grant permission to use the KMIP Revoke operation. + description: |- + Grant permission to use the KMIP Revoke operation. Grant permission to use the KMIP Revoke operation type: boolean path: - description: The unique path this backend should be mounted at. - Must not begin or end with a /. Defaults to kmip. Path where - KMIP backend is mounted + description: |- + The unique path this backend should be mounted at. Must + not begin or end with a /. Defaults to kmip. + Path where KMIP backend is mounted type: string role: - description: Name of the role. Name of the role + description: |- + Name of the role. + Name of the role type: string scope: - description: Name of the scope. Name of the scope + description: |- + Name of the scope. + Name of the scope type: string tlsClientKeyBits: - description: Client certificate key bits, valid values depend - on key type. Client certificate key bits, valid values depend - on key type + description: |- + Client certificate key bits, valid values depend on key type. + Client certificate key bits, valid values depend on key type type: number tlsClientKeyType: - description: Client certificate key type, rsa or ec. Client certificate - key type, rsa or ec + description: |- + Client certificate key type, rsa or ec. + Client certificate key type, rsa or ec type: string tlsClientTtl: - description: Client certificate TTL in seconds. Client certificate - TTL in seconds + description: |- + Client certificate TTL in seconds. + Client certificate TTL in seconds type: number type: object conditions: 
@@ -582,14 +897,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -599,8 +923,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -609,6 +934,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/kmip.vault.upbound.io_secretscopes.yaml b/package/crds/kmip.vault.upbound.io_secretscopes.yaml index b991161c..8dba7fb3 100644 --- a/package/crds/kmip.vault.upbound.io_secretscopes.yaml +++ b/package/crds/kmip.vault.upbound.io_secretscopes.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretscopes.kmip.vault.upbound.io spec: group: kmip.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: KMIP Secret scopes in Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,77 +74,238 @@ spec: forProvider: properties: force: - description: Boolean field to force deletion even if there are - managed objects in the scope. Force deletion even if there are - managed objects in the scope + description: |- + Boolean field to force deletion even if there are managed objects in the scope. + Force deletion even if there are managed objects in the scope type: boolean namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: The unique path this backend should be mounted at. - Must not begin or end with a /. Defaults to kmip. Path where - KMIP backend is mounted + description: |- + The unique path this backend should be mounted at. Must + not begin or end with a /. Defaults to kmip. + Path where KMIP backend is mounted type: string + pathRef: + description: Reference to a SecretBackend in kmip to populate + path. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + pathSelector: + description: Selector for a SecretBackend in kmip to populate + path. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object scope: - description: Name of the scope. Name of the scope + description: |- + Name of the scope. + Name of the scope type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. 
InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: force: - description: Boolean field to force deletion even if there are - managed objects in the scope. Force deletion even if there are - managed objects in the scope + description: |- + Boolean field to force deletion even if there are managed objects in the scope. + Force deletion even if there are managed objects in the scope type: boolean namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. 
+ The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: The unique path this backend should be mounted at. - Must not begin or end with a /. Defaults to kmip. Path where - KMIP backend is mounted + description: |- + The unique path this backend should be mounted at. Must + not begin or end with a /. Defaults to kmip. + Path where KMIP backend is mounted type: string + pathRef: + description: Reference to a SecretBackend in kmip to populate + path. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + pathSelector: + description: Selector for a SecretBackend in kmip to populate + path. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. 
+ properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object scope: - description: Name of the scope. Name of the scope + description: |- + Name of the scope. + Name of the scope type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. 
+ ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -151,9 +318,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -163,57 +331,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -223,17 +355,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -243,21 +377,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -272,21 +406,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -297,14 +432,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -320,40 +456,40 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: path is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.path) - || has(self.initProvider.path)' - - message: scope is a required parameter + - message: spec.forProvider.scope is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.scope) - || has(self.initProvider.scope)' + || (has(self.initProvider) && has(self.initProvider.scope))' status: description: SecretScopeStatus defines the observed state of SecretScope. properties: atProvider: properties: force: - description: Boolean field to force deletion even if there are - managed objects in the scope. Force deletion even if there are - managed objects in the scope + description: |- + Boolean field to force deletion even if there are managed objects in the scope. + Force deletion even if there are managed objects in the scope type: boolean id: type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: The unique path this backend should be mounted at. - Must not begin or end with a /. Defaults to kmip. Path where - KMIP backend is mounted + description: |- + The unique path this backend should be mounted at. 
Must + not begin or end with a /. Defaults to kmip. + Path where KMIP backend is mounted type: string scope: - description: Name of the scope. Name of the scope + description: |- + Name of the scope. + Name of the scope type: string type: object conditions: @@ -362,14 +498,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -379,8 +524,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime 
@@ -389,6 +535,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/kubernetes.vault.upbound.io_authbackendconfigs.yaml b/package/crds/kubernetes.vault.upbound.io_authbackendconfigs.yaml index 95d0f4a1..596c5a04 100644 --- a/package/crds/kubernetes.vault.upbound.io_authbackendconfigs.yaml +++ b/package/crds/kubernetes.vault.upbound.io_authbackendconfigs.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: authbackendconfigs.kubernetes.vault.upbound.io spec: group: kubernetes.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: Manages Kubernetes auth backend configs in Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -70,63 +76,124 @@ spec: backend: description: Unique name of the kubernetes backend to configure. type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object disableIssValidation: - description: Disable JWT issuer validation. Allows to skip ISS - validation. Requires Vault v1.5.4+ or Vault auth kubernetes - plugin v0.7.1+ Optional disable JWT issuer validation. Allows - to skip ISS validation. + description: |- + Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+ + Optional disable JWT issuer validation. Allows to skip ISS validation. type: boolean disableLocalCaJwt: - description: Disable defaulting to the local CA cert and service - account JWT when running in a Kubernetes pod. Requires Vault - v1.5.4+ or Vault auth kubernetes plugin v0.7.1+ Optional disable - defaulting to the local CA cert and service account JWT when - running in a Kubernetes pod. + description: |- + Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+ + Optional disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. type: boolean issuer: - description: JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount - will be used as the default issuer. Optional JWT issuer. If - no issuer is specified, kubernetes.io/serviceaccount will be - used as the default issuer. + description: |- + JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer. + Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer. 
type: string kubernetesCaCert: - description: PEM encoded CA cert for use by the TLS client used - to talk with the Kubernetes API. PEM encoded CA cert for use - by the TLS client used to talk with the Kubernetes API. + description: |- + PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API. + PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API. type: string kubernetesHost: - description: Host must be a host string, a host:port pair, or - a URL to the base of the Kubernetes API server. Host must be - a host string, a host:port pair, or a URL to the base of the - Kubernetes API server. + description: |- + Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server. + Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string pemKeys: - description: List of PEM-formatted public keys or certificates - used to verify the signatures of Kubernetes service account - JWTs. If a certificate is given, its public key will be extracted. - Not every installation of Kubernetes exposes these keys. Optional - list of PEM-formatted public keys or certificates used to verify - the signatures of Kubernetes service account JWTs. If a certificate - is given, its public key will be extracted. Not every installation - of Kubernetes exposes these keys. 
+ description: |- + List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. + Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. items: type: string type: array tokenReviewerJwtSecretRef: - description: A service account JWT (or other token) used as a - bearer token to access the TokenReview API to validate other - JWTs during login. If not set the JWT used for login will be - used to access the API. A service account JWT (or other token) - used as a bearer token to access the TokenReview API to validate - other JWTs during login. If not set the JWT used for login will - be used to access the API. + description: |- + A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API. + A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API. properties: key: description: The key to select. 
@@ -144,88 +211,173 @@ spec: type: object type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: backend: description: Unique name of the kubernetes backend to configure. type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. 
+ The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object disableIssValidation: - description: Disable JWT issuer validation. Allows to skip ISS - validation. 
Requires Vault v1.5.4+ or Vault auth kubernetes - plugin v0.7.1+ Optional disable JWT issuer validation. Allows - to skip ISS validation. + description: |- + Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+ + Optional disable JWT issuer validation. Allows to skip ISS validation. type: boolean disableLocalCaJwt: - description: Disable defaulting to the local CA cert and service - account JWT when running in a Kubernetes pod. Requires Vault - v1.5.4+ or Vault auth kubernetes plugin v0.7.1+ Optional disable - defaulting to the local CA cert and service account JWT when - running in a Kubernetes pod. + description: |- + Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+ + Optional disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. type: boolean issuer: - description: JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount - will be used as the default issuer. Optional JWT issuer. If - no issuer is specified, kubernetes.io/serviceaccount will be - used as the default issuer. + description: |- + JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer. + Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer. type: string kubernetesCaCert: - description: PEM encoded CA cert for use by the TLS client used - to talk with the Kubernetes API. PEM encoded CA cert for use - by the TLS client used to talk with the Kubernetes API. + description: |- + PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API. + PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API. 
type: string kubernetesHost: - description: Host must be a host string, a host:port pair, or - a URL to the base of the Kubernetes API server. Host must be - a host string, a host:port pair, or a URL to the base of the - Kubernetes API server. + description: |- + Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server. + Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string pemKeys: - description: List of PEM-formatted public keys or certificates - used to verify the signatures of Kubernetes service account - JWTs. If a certificate is given, its public key will be extracted. - Not every installation of Kubernetes exposes these keys. Optional - list of PEM-formatted public keys or certificates used to verify - the signatures of Kubernetes service account JWTs. If a certificate - is given, its public key will be extracted. Not every installation - of Kubernetes exposes these keys. + description: |- + List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. + Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. 
If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. items: type: string type: array + tokenReviewerJwtSecretRef: + description: |- + A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API. + A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. 
+ ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -238,45 +390,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -286,21 +403,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -310,17 +427,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -330,21 +449,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -359,21 +478,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -384,14 +504,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. @@ -407,10 +528,10 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: kubernetesHost is a required parameter + - message: spec.forProvider.kubernetesHost is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.kubernetesHost) - || has(self.initProvider.kubernetesHost)' + || (has(self.initProvider) && has(self.initProvider.kubernetesHost))' status: description: AuthBackendConfigStatus defines the observed state of AuthBackendConfig. properties: 
@@ -420,53 +541,44 @@ spec: description: Unique name of the kubernetes backend to configure. type: string disableIssValidation: - description: Disable JWT issuer validation. Allows to skip ISS - validation. Requires Vault v1.5.4+ or Vault auth kubernetes - plugin v0.7.1+ Optional disable JWT issuer validation. Allows - to skip ISS validation. + description: |- + Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+ + Optional disable JWT issuer validation. Allows to skip ISS validation. type: boolean disableLocalCaJwt: - description: Disable defaulting to the local CA cert and service - account JWT when running in a Kubernetes pod. Requires Vault - v1.5.4+ or Vault auth kubernetes plugin v0.7.1+ Optional disable - defaulting to the local CA cert and service account JWT when - running in a Kubernetes pod. + description: |- + Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+ + Optional disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. type: boolean id: type: string issuer: - description: JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount - will be used as the default issuer. Optional JWT issuer. If - no issuer is specified, kubernetes.io/serviceaccount will be - used as the default issuer. + description: |- + JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer. + Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer. type: string kubernetesCaCert: - description: PEM encoded CA cert for use by the TLS client used - to talk with the Kubernetes API. PEM encoded CA cert for use - by the TLS client used to talk with the Kubernetes API. 
+ description: |- + PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API. + PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API. type: string kubernetesHost: - description: Host must be a host string, a host:port pair, or - a URL to the base of the Kubernetes API server. Host must be - a host string, a host:port pair, or a URL to the base of the - Kubernetes API server. + description: |- + Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server. + Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string pemKeys: - description: List of PEM-formatted public keys or certificates - used to verify the signatures of Kubernetes service account - JWTs. If a certificate is given, its public key will be extracted. - Not every installation of Kubernetes exposes these keys. Optional - list of PEM-formatted public keys or certificates used to verify - the signatures of Kubernetes service account JWTs. If a certificate - is given, its public key will be extracted. Not every installation - of Kubernetes exposes these keys. + description: |- + List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. 
Not every installation of Kubernetes exposes these keys. + Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. items: type: string type: array @@ -477,14 +589,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -494,8 +615,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime 
@@ -504,6 +626,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/kubernetes.vault.upbound.io_authbackendroles.yaml b/package/crds/kubernetes.vault.upbound.io_authbackendroles.yaml index 10ef7f29..a60d119a 100644 --- a/package/crds/kubernetes.vault.upbound.io_authbackendroles.yaml +++ b/package/crds/kubernetes.vault.upbound.io_authbackendroles.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: authbackendroles.kubernetes.vault.upbound.io spec: group: kubernetes.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: Kubernetes auth backend roles in Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,233 +74,406 @@ spec: forProvider: properties: aliasNameSource: - description: 'Configures how identity aliases are generated. Valid - choices are: serviceaccount_uid, serviceaccount_name. (vault-1.9+) - Configures how identity aliases are generated. Valid choices - are: serviceaccount_uid, serviceaccount_name' + description: |- + Configures how identity aliases are generated. + Valid choices are: serviceaccount_uid, serviceaccount_name. (vault-1.9+) + Configures how identity aliases are generated. Valid choices are: serviceaccount_uid, serviceaccount_name type: string audience: - description: Audience claim to verify in the JWT. Optional Audience - claim to verify in the JWT. + description: |- + Audience claim to verify in the JWT. + Optional Audience claim to verify in the JWT. type: string backend: - description: Unique name of the kubernetes backend to configure. + description: |- + Unique name of the kubernetes backend to configure. Unique name of the kubernetes backend to configure. type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object boundServiceAccountNames: - description: List of service account names able to access this - role. If set to ["*"] all names are allowed, both this and bound_service_account_namespaces - can not be "*". List of service account names able to access - this role. If set to `["*"]` all names are allowed, both this - and bound_service_account_namespaces can not be "*". + description: |- + List of service account names able to access this role. If set to ["*"] all names are allowed, both this and bound_service_account_namespaces can not be "*". + List of service account names able to access this role. 
If set to `["*"]` all names are allowed, both this and bound_service_account_namespaces can not be "*". items: type: string type: array + x-kubernetes-list-type: set boundServiceAccountNamespaces: - description: List of namespaces allowed to access this role. If - set to ["*"] all namespaces are allowed, both this and bound_service_account_names - can not be set to "*". List of namespaces allowed to access - this role. If set to `["*"]` all namespaces are allowed, both - this and bound_service_account_names can not be set to "*". + description: |- + List of namespaces allowed to access this role. If set to ["*"] all namespaces are allowed, both this and bound_service_account_names can not be set to "*". + List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed, both this and bound_service_account_names can not be set to "*". items: type: string type: array + x-kubernetes-list-type: set namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string roleName: - description: Name of the role. Name of the role. + description: |- + Name of the role. + Name of the role. type: string tokenBoundCidrs: - description: List of CIDR blocks; if set, specifies blocks of - IP addresses which can authenticate successfully, and ties the - resulting token to these blocks as well. 
Specifies the blocks - of IP addresses which are allowed to use the generated token + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + Specifies the blocks of IP addresses which are allowed to use the generated token items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: - description: If set, will encode an explicit max TTL onto the - token in number of seconds. This is a hard cap even if token_ttl - and token_max_ttl would otherwise allow a renewal. Generated - Token's Explicit Maximum TTL in seconds + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + Generated Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime for generated tokens in number - of seconds. Its current value will be referenced at renewal - time. The maximum lifetime of the generated token + description: |- + The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If set, the default policy will not be set on generated - tokens; otherwise it will be added to the policies set in token_policies. - If true, the 'default' policy will not automatically be added - to generated tokens + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a generated token may - be used (within its lifetime); 0 means unlimited. 
The maximum - number of times a token may be used, a value of zero means unlimited + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + The maximum number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: If set, indicates that the token generated using - this role should never expire. The token should be renewed within - the duration specified by this value. At each renewal, the token's - TTL will be set to the value of this field. Specified in seconds. + description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. Generated Token's Period type: number tokenPolicies: - description: List of policies to encode onto generated tokens. - Depending on the auth method, this list may be supplemented - by user/group/other values. Generated Token's Policies + description: |- + List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + Generated Token's Policies items: type: string type: array + x-kubernetes-list-type: set tokenTtl: description: The initial ttl of the token to generate in seconds type: number tokenType: - description: 'The type of token that should be generated. Can - be service, batch, or default to use the mount''s tuned default - (which unless changed will be service tokens). For token store - roles, there are two additional possibilities: default-service - and default-batch which specify the type to return unless the - client requests a different type at generation time. The type - of token to generate, service or batch' + description: |- + The type of token that should be generated. 
Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. + The type of token to generate, service or batch type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: aliasNameSource: - description: 'Configures how identity aliases are generated. Valid - choices are: serviceaccount_uid, serviceaccount_name. (vault-1.9+) - Configures how identity aliases are generated. 
Valid choices - are: serviceaccount_uid, serviceaccount_name' + description: |- + Configures how identity aliases are generated. + Valid choices are: serviceaccount_uid, serviceaccount_name. (vault-1.9+) + Configures how identity aliases are generated. Valid choices are: serviceaccount_uid, serviceaccount_name type: string audience: - description: Audience claim to verify in the JWT. Optional Audience - claim to verify in the JWT. + description: |- + Audience claim to verify in the JWT. + Optional Audience claim to verify in the JWT. type: string backend: - description: Unique name of the kubernetes backend to configure. + description: |- + Unique name of the kubernetes backend to configure. Unique name of the kubernetes backend to configure. type: string + backendRef: + description: Reference to a Backend in auth to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Backend in auth to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. 
+ type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object boundServiceAccountNames: - description: List of service account names able to access this - role. If set to ["*"] all names are allowed, both this and bound_service_account_namespaces - can not be "*". List of service account names able to access - this role. If set to `["*"]` all names are allowed, both this - and bound_service_account_namespaces can not be "*". + description: |- + List of service account names able to access this role. If set to ["*"] all names are allowed, both this and bound_service_account_namespaces can not be "*". + List of service account names able to access this role. If set to `["*"]` all names are allowed, both this and bound_service_account_namespaces can not be "*". items: type: string type: array + x-kubernetes-list-type: set boundServiceAccountNamespaces: - description: List of namespaces allowed to access this role. If - set to ["*"] all namespaces are allowed, both this and bound_service_account_names - can not be set to "*". List of namespaces allowed to access - this role. 
If set to `["*"]` all namespaces are allowed, both - this and bound_service_account_names can not be set to "*". + description: |- + List of namespaces allowed to access this role. If set to ["*"] all namespaces are allowed, both this and bound_service_account_names can not be set to "*". + List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed, both this and bound_service_account_names can not be set to "*". items: type: string type: array + x-kubernetes-list-type: set namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string roleName: - description: Name of the role. Name of the role. + description: |- + Name of the role. + Name of the role. type: string tokenBoundCidrs: - description: List of CIDR blocks; if set, specifies blocks of - IP addresses which can authenticate successfully, and ties the - resulting token to these blocks as well. Specifies the blocks - of IP addresses which are allowed to use the generated token + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + Specifies the blocks of IP addresses which are allowed to use the generated token items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: - description: If set, will encode an explicit max TTL onto the - token in number of seconds. 
This is a hard cap even if token_ttl - and token_max_ttl would otherwise allow a renewal. Generated - Token's Explicit Maximum TTL in seconds + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + Generated Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime for generated tokens in number - of seconds. Its current value will be referenced at renewal - time. The maximum lifetime of the generated token + description: |- + The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If set, the default policy will not be set on generated - tokens; otherwise it will be added to the policies set in token_policies. - If true, the 'default' policy will not automatically be added - to generated tokens + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a generated token may - be used (within its lifetime); 0 means unlimited. The maximum - number of times a token may be used, a value of zero means unlimited + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + The maximum number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: If set, indicates that the token generated using - this role should never expire. The token should be renewed within - the duration specified by this value. At each renewal, the token's - TTL will be set to the value of this field. 
Specified in seconds. + description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. Generated Token's Period type: number tokenPolicies: - description: List of policies to encode onto generated tokens. - Depending on the auth method, this list may be supplemented - by user/group/other values. Generated Token's Policies + description: |- + List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + Generated Token's Policies items: type: string type: array + x-kubernetes-list-type: set tokenTtl: description: The initial ttl of the token to generate in seconds type: number tokenType: - description: 'The type of token that should be generated. Can - be service, batch, or default to use the mount''s tuned default - (which unless changed will be service tokens). For token store - roles, there are two additional possibilities: default-service - and default-batch which specify the type to return unless the - client requests a different type at generation time. The type - of token to generate, service or batch' + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. + The type of token to generate, service or batch type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. 
ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -307,45 +486,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -355,21 +499,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -379,17 +523,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -399,21 +545,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -428,21 +574,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -453,14 +600,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -476,122 +624,135 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: boundServiceAccountNames is a required parameter + - message: spec.forProvider.boundServiceAccountNames is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.boundServiceAccountNames) - || has(self.initProvider.boundServiceAccountNames)' - - message: boundServiceAccountNamespaces is a required parameter + || (has(self.initProvider) && has(self.initProvider.boundServiceAccountNames))' + - message: spec.forProvider.boundServiceAccountNamespaces is a required + parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.boundServiceAccountNamespaces) - || has(self.initProvider.boundServiceAccountNamespaces)' - - message: roleName is a required parameter + || (has(self.initProvider) && has(self.initProvider.boundServiceAccountNamespaces))' + - message: spec.forProvider.roleName is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.roleName) - || has(self.initProvider.roleName)' + || (has(self.initProvider) && has(self.initProvider.roleName))' status: description: AuthBackendRoleStatus defines the observed state of AuthBackendRole. properties: atProvider: properties: aliasNameSource: - description: 'Configures how identity aliases are generated. Valid - choices are: serviceaccount_uid, serviceaccount_name. (vault-1.9+) - Configures how identity aliases are generated. Valid choices - are: serviceaccount_uid, serviceaccount_name' + description: |- + Configures how identity aliases are generated. + Valid choices are: serviceaccount_uid, serviceaccount_name. (vault-1.9+) + Configures how identity aliases are generated. 
Valid choices are: serviceaccount_uid, serviceaccount_name type: string audience: - description: Audience claim to verify in the JWT. Optional Audience - claim to verify in the JWT. + description: |- + Audience claim to verify in the JWT. + Optional Audience claim to verify in the JWT. type: string backend: - description: Unique name of the kubernetes backend to configure. + description: |- + Unique name of the kubernetes backend to configure. Unique name of the kubernetes backend to configure. type: string boundServiceAccountNames: - description: List of service account names able to access this - role. If set to ["*"] all names are allowed, both this and bound_service_account_namespaces - can not be "*". List of service account names able to access - this role. If set to `["*"]` all names are allowed, both this - and bound_service_account_namespaces can not be "*". + description: |- + List of service account names able to access this role. If set to ["*"] all names are allowed, both this and bound_service_account_namespaces can not be "*". + List of service account names able to access this role. If set to `["*"]` all names are allowed, both this and bound_service_account_namespaces can not be "*". items: type: string type: array + x-kubernetes-list-type: set boundServiceAccountNamespaces: - description: List of namespaces allowed to access this role. If - set to ["*"] all namespaces are allowed, both this and bound_service_account_names - can not be set to "*". List of namespaces allowed to access - this role. If set to `["*"]` all namespaces are allowed, both - this and bound_service_account_names can not be set to "*". + description: |- + List of namespaces allowed to access this role. If set to ["*"] all namespaces are allowed, both this and bound_service_account_names can not be set to "*". + List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed, both this and bound_service_account_names can not be set to "*". 
items: type: string type: array + x-kubernetes-list-type: set id: type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string roleName: - description: Name of the role. Name of the role. + description: |- + Name of the role. + Name of the role. type: string tokenBoundCidrs: - description: List of CIDR blocks; if set, specifies blocks of - IP addresses which can authenticate successfully, and ties the - resulting token to these blocks as well. Specifies the blocks - of IP addresses which are allowed to use the generated token + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + Specifies the blocks of IP addresses which are allowed to use the generated token items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: - description: If set, will encode an explicit max TTL onto the - token in number of seconds. This is a hard cap even if token_ttl - and token_max_ttl would otherwise allow a renewal. Generated - Token's Explicit Maximum TTL in seconds + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. 
+ Generated Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime for generated tokens in number - of seconds. Its current value will be referenced at renewal - time. The maximum lifetime of the generated token + description: |- + The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If set, the default policy will not be set on generated - tokens; otherwise it will be added to the policies set in token_policies. - If true, the 'default' policy will not automatically be added - to generated tokens + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a generated token may - be used (within its lifetime); 0 means unlimited. The maximum - number of times a token may be used, a value of zero means unlimited + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + The maximum number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: If set, indicates that the token generated using - this role should never expire. The token should be renewed within - the duration specified by this value. At each renewal, the token's - TTL will be set to the value of this field. Specified in seconds. + description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. 
Generated Token's Period type: number tokenPolicies: - description: List of policies to encode onto generated tokens. - Depending on the auth method, this list may be supplemented - by user/group/other values. Generated Token's Policies + description: |- + List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + Generated Token's Policies items: type: string type: array + x-kubernetes-list-type: set tokenTtl: description: The initial ttl of the token to generate in seconds type: number tokenType: - description: 'The type of token that should be generated. Can - be service, batch, or default to use the mount''s tuned default - (which unless changed will be service tokens). For token store - roles, there are two additional possibilities: default-service - and default-batch which specify the type to return unless the - client requests a different type at generation time. The type - of token to generate, service or batch' + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. + The type of token to generate, service or batch type: string type: object conditions: 
@@ -600,14 +761,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -617,8 +787,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -627,6 +798,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/kubernetes.vault.upbound.io_secretbackendroles.yaml b/package/crds/kubernetes.vault.upbound.io_secretbackendroles.yaml index 51e1605a..066e9a5c 100644 --- a/package/crds/kubernetes.vault.upbound.io_secretbackendroles.yaml +++ b/package/crds/kubernetes.vault.upbound.io_secretbackendroles.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretbackendroles.kubernetes.vault.upbound.io spec: group: kubernetes.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: Creates a role for the Kubernetes Secrets Engine in Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,229 +59,403 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete type: string forProvider: properties: + allowedKubernetesNamespaceSelector: + description: |- + A label selector for Kubernetes namespaces + in which credentials can be generated. Accepts either a JSON or YAML object. The value should be + of type LabelSelector. + If set with allowed_kubernetes_namespace, the conditions are ORed. + A label selector for Kubernetes namespaces in which credentials can begenerated. Accepts either a JSON or YAML object. The value should be of typeLabelSelector. If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed. + type: string allowedKubernetesNamespaces: - description: The list of Kubernetes namespaces this role can generate - credentials for. 
If set to * all namespaces are allowed. The - list of Kubernetes namespaces this role can generate credentials - for. If set to '*' all namespaces are allowed. + description: |- + The list of Kubernetes namespaces this role + can generate credentials for. If set to * all namespaces are allowed. If set with + allowed_kubernetes_namespace_selector, the conditions are ORed. + The list of Kubernetes namespaces this role can generate credentials for. If set to '*' all namespaces are allowed. If set with`allowed_kubernetes_namespace_selector`, the conditions are `OR`ed. items: type: string type: array backend: - description: The path of the Kubernetes Secrets Engine backend - mount to create the role in. The mount path for the Kubernetes - secrets engine. + description: |- + The path of the Kubernetes Secrets Engine backend mount to create + the role in. + The mount path for the Kubernetes secrets engine. type: string + backendRef: + description: Reference to a SecretBackend in kubernetes to populate + backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a SecretBackend in kubernetes to populate + backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object extraAnnotations: additionalProperties: type: string - description: Additional annotations to apply to all generated - Kubernetes objects. Additional annotations to apply to all generated + description: |- + Additional annotations to apply to all generated Kubernetes objects. + Additional annotations to apply to all generated Kubernetes objects. type: object + x-kubernetes-map-type: granular extraLabels: additionalProperties: type: string - description: Additional labels to apply to all generated Kubernetes - objects. Additional labels to apply to all generated Kubernetes + description: |- + Additional labels to apply to all generated Kubernetes objects. 
+ Additional labels to apply to all generated Kubernetes objects. type: object + x-kubernetes-map-type: granular generatedRoleRules: - description: The Role or ClusterRole rules to use when generating - a role. Accepts either JSON or YAML formatted rules. Mutually - exclusive with service_account_name and kubernetes_role_name. - If set, the entire chain of Kubernetes objects will be generated - when credentials are requested. The Role or ClusterRole rules - to use when generating a role. Accepts either JSON or YAML formatted - rules. Mutually exclusive with 'service_account_name' and 'kubernetes_role_name'. - If set, the entire chain of Kubernetes objects will be generated + description: |- + The Role or ClusterRole rules to use when generating + a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name + and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated when credentials are requested. + The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with 'service_account_name' and 'kubernetes_role_name'. If set, the entire chain of Kubernetes objects will be generated when credentials are requested. type: string kubernetesRoleName: - description: The pre-existing Role or ClusterRole to bind a generated - service account to. Mutually exclusive with service_account_name - and generated_role_rules. If set, Kubernetes token, service - account, and role binding objects will be created when credentials - are requested. The pre-existing Role or ClusterRole to bind - a generated service account to. Mutually exclusive with 'service_account_name' - and 'generated_role_rules'. If set, Kubernetes token, service - account, and role binding objects will be created when credentials - are requested. + description: |- + The pre-existing Role or ClusterRole to bind a + generated service account to. 
Mutually exclusive with service_account_name and + generated_role_rules. If set, Kubernetes token, service account, and role + binding objects will be created when credentials are requested. + The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with 'service_account_name' and 'generated_role_rules'. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested. type: string kubernetesRoleType: - description: Specifies whether the Kubernetes role is a Role or - ClusterRole. Specifies whether the Kubernetes role is a Role - or ClusterRole. + description: |- + Specifies whether the Kubernetes role is a Role or + ClusterRole. + Specifies whether the Kubernetes role is a Role or ClusterRole. type: string name: - description: The name of the role. The name of the role. + description: |- + The name of the role. + The name of the role. type: string nameTemplate: - description: The name template to use when generating service - accounts, roles and role bindings. If unset, a default template - is used. The name template to use when generating service accounts, + description: |- + The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used. + The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. 
+ Target namespace. (requires Enterprise) type: string serviceAccountName: - description: The pre-existing service account to generate tokens - for. Mutually exclusive with kubernetes_role_name and generated_role_rules. - If set, only a Kubernetes token will be created when credentials - are requested. The pre-existing service account to generate - tokens for. Mutually exclusive with 'kubernetes_role_name' and - 'generated_role_rules'. If set, only a Kubernetes token will - be created when credentials are requested. + description: |- + The pre-existing service account to generate tokens for. + Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a + Kubernetes token will be created when credentials are requested. + The pre-existing service account to generate tokens for. Mutually exclusive with 'kubernetes_role_name' and 'generated_role_rules'. If set, only a Kubernetes token will be created when credentials are requested. type: string tokenDefaultTtl: - description: The default TTL for generated Kubernetes tokens in - seconds. The default TTL for generated Kubernetes tokens in - seconds. + description: |- + The default TTL for generated Kubernetes tokens in seconds. + The default TTL for generated Kubernetes tokens in seconds. type: number tokenMaxTtl: - description: The maximum TTL for generated Kubernetes tokens in - seconds. The maximum TTL for generated Kubernetes tokens in - seconds. + description: |- + The maximum TTL for generated Kubernetes tokens in seconds. + The maximum TTL for generated Kubernetes tokens in seconds. type: number type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. 
The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: + allowedKubernetesNamespaceSelector: + description: |- + A label selector for Kubernetes namespaces + in which credentials can be generated. Accepts either a JSON or YAML object. The value should be + of type LabelSelector. + If set with allowed_kubernetes_namespace, the conditions are ORed. + A label selector for Kubernetes namespaces in which credentials can begenerated. Accepts either a JSON or YAML object. The value should be of typeLabelSelector. If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed. + type: string allowedKubernetesNamespaces: - description: The list of Kubernetes namespaces this role can generate - credentials for. If set to * all namespaces are allowed. The - list of Kubernetes namespaces this role can generate credentials - for. If set to '*' all namespaces are allowed. + description: |- + The list of Kubernetes namespaces this role + can generate credentials for. 
If set to * all namespaces are allowed. If set with + allowed_kubernetes_namespace_selector, the conditions are ORed. + The list of Kubernetes namespaces this role can generate credentials for. If set to '*' all namespaces are allowed. If set with`allowed_kubernetes_namespace_selector`, the conditions are `OR`ed. items: type: string type: array backend: - description: The path of the Kubernetes Secrets Engine backend - mount to create the role in. The mount path for the Kubernetes - secrets engine. + description: |- + The path of the Kubernetes Secrets Engine backend mount to create + the role in. + The mount path for the Kubernetes secrets engine. type: string + backendRef: + description: Reference to a SecretBackend in kubernetes to populate + backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a SecretBackend in kubernetes to populate + backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. 
+ type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object extraAnnotations: additionalProperties: type: string - description: Additional annotations to apply to all generated - Kubernetes objects. Additional annotations to apply to all generated + description: |- + Additional annotations to apply to all generated Kubernetes objects. + Additional annotations to apply to all generated Kubernetes objects. type: object + x-kubernetes-map-type: granular extraLabels: additionalProperties: type: string - description: Additional labels to apply to all generated Kubernetes - objects. Additional labels to apply to all generated Kubernetes + description: |- + Additional labels to apply to all generated Kubernetes objects. + Additional labels to apply to all generated Kubernetes objects. type: object + x-kubernetes-map-type: granular generatedRoleRules: - description: The Role or ClusterRole rules to use when generating - a role. Accepts either JSON or YAML formatted rules. Mutually - exclusive with service_account_name and kubernetes_role_name. 
- If set, the entire chain of Kubernetes objects will be generated - when credentials are requested. The Role or ClusterRole rules - to use when generating a role. Accepts either JSON or YAML formatted - rules. Mutually exclusive with 'service_account_name' and 'kubernetes_role_name'. - If set, the entire chain of Kubernetes objects will be generated + description: |- + The Role or ClusterRole rules to use when generating + a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name + and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated when credentials are requested. + The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with 'service_account_name' and 'kubernetes_role_name'. If set, the entire chain of Kubernetes objects will be generated when credentials are requested. type: string kubernetesRoleName: - description: The pre-existing Role or ClusterRole to bind a generated - service account to. Mutually exclusive with service_account_name - and generated_role_rules. If set, Kubernetes token, service - account, and role binding objects will be created when credentials - are requested. The pre-existing Role or ClusterRole to bind - a generated service account to. Mutually exclusive with 'service_account_name' - and 'generated_role_rules'. If set, Kubernetes token, service - account, and role binding objects will be created when credentials - are requested. + description: |- + The pre-existing Role or ClusterRole to bind a + generated service account to. Mutually exclusive with service_account_name and + generated_role_rules. If set, Kubernetes token, service account, and role + binding objects will be created when credentials are requested. + The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with 'service_account_name' and 'generated_role_rules'. 
If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested. type: string kubernetesRoleType: - description: Specifies whether the Kubernetes role is a Role or - ClusterRole. Specifies whether the Kubernetes role is a Role - or ClusterRole. + description: |- + Specifies whether the Kubernetes role is a Role or + ClusterRole. + Specifies whether the Kubernetes role is a Role or ClusterRole. type: string name: - description: The name of the role. The name of the role. + description: |- + The name of the role. + The name of the role. type: string nameTemplate: - description: The name template to use when generating service - accounts, roles and role bindings. If unset, a default template - is used. The name template to use when generating service accounts, + description: |- + The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used. + The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string serviceAccountName: - description: The pre-existing service account to generate tokens - for. Mutually exclusive with kubernetes_role_name and generated_role_rules. - If set, only a Kubernetes token will be created when credentials - are requested. 
The pre-existing service account to generate - tokens for. Mutually exclusive with 'kubernetes_role_name' and - 'generated_role_rules'. If set, only a Kubernetes token will - be created when credentials are requested. + description: |- + The pre-existing service account to generate tokens for. + Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a + Kubernetes token will be created when credentials are requested. + The pre-existing service account to generate tokens for. Mutually exclusive with 'kubernetes_role_name' and 'generated_role_rules'. If set, only a Kubernetes token will be created when credentials are requested. type: string tokenDefaultTtl: - description: The default TTL for generated Kubernetes tokens in - seconds. The default TTL for generated Kubernetes tokens in - seconds. + description: |- + The default TTL for generated Kubernetes tokens in seconds. + The default TTL for generated Kubernetes tokens in seconds. type: number tokenMaxTtl: - description: The maximum TTL for generated Kubernetes tokens in - seconds. The maximum TTL for generated Kubernetes tokens in - seconds. + description: |- + The maximum TTL for generated Kubernetes tokens in seconds. + The maximum TTL for generated Kubernetes tokens in seconds. type: number type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. 
See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -289,45 +468,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -337,21 +481,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -361,17 +505,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -381,21 +527,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -410,21 +556,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -435,14 +582,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -458,113 +606,115 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: allowedKubernetesNamespaces is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.allowedKubernetesNamespaces) - || has(self.initProvider.allowedKubernetesNamespaces)' - - message: backend is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) - || has(self.initProvider.backend)' - - message: name is a required parameter + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' + || (has(self.initProvider) && has(self.initProvider.name))' status: description: SecretBackendRoleStatus defines the observed state of SecretBackendRole. properties: atProvider: properties: + allowedKubernetesNamespaceSelector: + description: |- + A label selector for Kubernetes namespaces + in which credentials can be generated. Accepts either a JSON or YAML object. The value should be + of type LabelSelector. + If set with allowed_kubernetes_namespace, the conditions are ORed. + A label selector for Kubernetes namespaces in which credentials can begenerated. Accepts either a JSON or YAML object. The value should be of typeLabelSelector. If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed. + type: string allowedKubernetesNamespaces: - description: The list of Kubernetes namespaces this role can generate - credentials for. If set to * all namespaces are allowed. The - list of Kubernetes namespaces this role can generate credentials - for. If set to '*' all namespaces are allowed. 
+ description: |- + The list of Kubernetes namespaces this role + can generate credentials for. If set to * all namespaces are allowed. If set with + allowed_kubernetes_namespace_selector, the conditions are ORed. + The list of Kubernetes namespaces this role can generate credentials for. If set to '*' all namespaces are allowed. If set with`allowed_kubernetes_namespace_selector`, the conditions are `OR`ed. items: type: string type: array backend: - description: The path of the Kubernetes Secrets Engine backend - mount to create the role in. The mount path for the Kubernetes - secrets engine. + description: |- + The path of the Kubernetes Secrets Engine backend mount to create + the role in. + The mount path for the Kubernetes secrets engine. type: string extraAnnotations: additionalProperties: type: string - description: Additional annotations to apply to all generated - Kubernetes objects. Additional annotations to apply to all generated + description: |- + Additional annotations to apply to all generated Kubernetes objects. + Additional annotations to apply to all generated Kubernetes objects. type: object + x-kubernetes-map-type: granular extraLabels: additionalProperties: type: string - description: Additional labels to apply to all generated Kubernetes - objects. Additional labels to apply to all generated Kubernetes + description: |- + Additional labels to apply to all generated Kubernetes objects. + Additional labels to apply to all generated Kubernetes objects. type: object + x-kubernetes-map-type: granular generatedRoleRules: - description: The Role or ClusterRole rules to use when generating - a role. Accepts either JSON or YAML formatted rules. Mutually - exclusive with service_account_name and kubernetes_role_name. - If set, the entire chain of Kubernetes objects will be generated - when credentials are requested. The Role or ClusterRole rules - to use when generating a role. Accepts either JSON or YAML formatted - rules. 
Mutually exclusive with 'service_account_name' and 'kubernetes_role_name'. - If set, the entire chain of Kubernetes objects will be generated + description: |- + The Role or ClusterRole rules to use when generating + a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name + and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated when credentials are requested. + The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with 'service_account_name' and 'kubernetes_role_name'. If set, the entire chain of Kubernetes objects will be generated when credentials are requested. type: string id: type: string kubernetesRoleName: - description: The pre-existing Role or ClusterRole to bind a generated - service account to. Mutually exclusive with service_account_name - and generated_role_rules. If set, Kubernetes token, service - account, and role binding objects will be created when credentials - are requested. The pre-existing Role or ClusterRole to bind - a generated service account to. Mutually exclusive with 'service_account_name' - and 'generated_role_rules'. If set, Kubernetes token, service - account, and role binding objects will be created when credentials - are requested. + description: |- + The pre-existing Role or ClusterRole to bind a + generated service account to. Mutually exclusive with service_account_name and + generated_role_rules. If set, Kubernetes token, service account, and role + binding objects will be created when credentials are requested. + The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with 'service_account_name' and 'generated_role_rules'. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested. 
type: string kubernetesRoleType: - description: Specifies whether the Kubernetes role is a Role or - ClusterRole. Specifies whether the Kubernetes role is a Role - or ClusterRole. + description: |- + Specifies whether the Kubernetes role is a Role or + ClusterRole. + Specifies whether the Kubernetes role is a Role or ClusterRole. type: string name: - description: The name of the role. The name of the role. + description: |- + The name of the role. + The name of the role. type: string nameTemplate: - description: The name template to use when generating service - accounts, roles and role bindings. If unset, a default template - is used. The name template to use when generating service accounts, + description: |- + The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used. + The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string serviceAccountName: - description: The pre-existing service account to generate tokens - for. Mutually exclusive with kubernetes_role_name and generated_role_rules. - If set, only a Kubernetes token will be created when credentials - are requested. The pre-existing service account to generate - tokens for. Mutually exclusive with 'kubernetes_role_name' and - 'generated_role_rules'. 
If set, only a Kubernetes token will - be created when credentials are requested. + description: |- + The pre-existing service account to generate tokens for. + Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a + Kubernetes token will be created when credentials are requested. + The pre-existing service account to generate tokens for. Mutually exclusive with 'kubernetes_role_name' and 'generated_role_rules'. If set, only a Kubernetes token will be created when credentials are requested. type: string tokenDefaultTtl: - description: The default TTL for generated Kubernetes tokens in - seconds. The default TTL for generated Kubernetes tokens in - seconds. + description: |- + The default TTL for generated Kubernetes tokens in seconds. + The default TTL for generated Kubernetes tokens in seconds. type: number tokenMaxTtl: - description: The maximum TTL for generated Kubernetes tokens in - seconds. The maximum TTL for generated Kubernetes tokens in - seconds. + description: |- + The maximum TTL for generated Kubernetes tokens in seconds. + The maximum TTL for generated Kubernetes tokens in seconds. type: number type: object conditions: 
@@ -573,14 +723,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -590,8 +749,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -600,6 +760,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/kubernetes.vault.upbound.io_secretbackends.yaml b/package/crds/kubernetes.vault.upbound.io_secretbackends.yaml index 51d3e4f6..e241e2c1 100644 --- a/package/crds/kubernetes.vault.upbound.io_secretbackends.yaml +++ b/package/crds/kubernetes.vault.upbound.io_secretbackends.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretbackends.kubernetes.vault.upbound.io spec: group: kubernetes.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: a Kubernetes Secrets Engine in Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete @@ -73,6 +79,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: set + allowedResponseHeaders: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array auditNonHmacRequestKeys: description: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. 
@@ -89,33 +102,47 @@ spec: description: Default lease duration for tokens and secrets in seconds type: number + delegatedAuthAccessors: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array description: description: Human-friendly description of the mount type: string disableLocalCaJwt: - description: Disable defaulting to the local CA certificate and + description: |- + Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod. - Disable defaulting to the local CA certificate and service account - JWT when running in a Kubernetes pod. + Disable defaulting to the local CA certificate and service account JWT when running in a Kubernetes pod. type: boolean externalEntropyAccess: description: Enable the secrets engine to access Vault's external entropy source type: boolean + identityTokenKey: + description: The key to use for signing plugin workload identity + tokens + type: string kubernetesCaCert: - description: A PEM-encoded CA certificate used by the secrets - engine to verify the Kubernetes API server certificate. Defaults - to the local pod’s CA if Vault is running in Kubernetes. Otherwise, - defaults to the root CA set where Vault is running. A PEM-encoded - CA certificate used by the secret engine to verify the Kubernetes - API server certificate. Defaults to the local pod’s CA if found, - or otherwise the host's root CA set. + description: |- + A PEM-encoded CA certificate used by the + secrets engine to verify the Kubernetes API server certificate. Defaults to the local + pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where + Vault is running. + A PEM-encoded CA certificate used by the secret engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if found, or otherwise the host's root CA set. type: string kubernetesHost: - description: The Kubernetes API URL to connect to. 
Required if - the standard pod environment variables KUBERNETES_SERVICE_HOST - or KUBERNETES_SERVICE_PORT are not set on the host that Vault - is running on. The Kubernetes API URL to connect to. + description: |- + The Kubernetes API URL to connect to. Required if the + standard pod environment variables KUBERNETES_SERVICE_HOST or KUBERNETES_SERVICE_PORT + are not set on the host that Vault is running on. + The Kubernetes API URL to connect to. + type: string + listingVisibility: + description: Specifies whether to show this mount in the UI-specific + listing endpoint type: string local: description: Local mount flag that can be explicitly set to true @@ -126,11 +153,12 @@ spec: in seconds type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string options: additionalProperties: 
@@ -138,20 +166,30 @@ spec: description: Specifies mount type specific options that are passed to the backend type: object + x-kubernetes-map-type: granular + passthroughRequestHeaders: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array path: description: Where the secret backend will be mounted type: string + pluginVersion: + description: Specifies the semantic version of the plugin to use, + e.g. 'v1.0.0' + type: string sealWrap: description: Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability type: boolean serviceAccountJwtSecretRef: - description: The JSON web token of the service account used by - the secrets engine to manage Kubernetes credentials. Defaults - to the local pod’s JWT if Vault is running in Kubernetes. The - JSON web token of the service account used by the secrets engine - to manage Kubernetes credentials. Defaults to the local pod’s - JWT if found. + description: |- + The JSON web token of the service account used by the + secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault + is running in Kubernetes. + The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if found. properties: key: description: The key to select. 
@@ -169,17 +207,17 @@ spec: type: object type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: allowedManagedKeys: description: List of managed key registry entry names that the @@ -187,6 +225,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: set + allowedResponseHeaders: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array auditNonHmacRequestKeys: description: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. 
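Review bot: The description added for `allowedResponseHeaders` in the `@@ -187,6 +225,13 @@` hunk, "List of headers to allow and pass from the request to the plugin", is the same text used for `passthroughRequestHeaders`, so it describes request passthrough rather than response headers. The same sentence is attached to `delegatedAuthAccessors` in the `@@ -203,33 +248,47 @@` and `@@ -492,14 +561,20 @@` hunks, and to `allowedResponseHeaders` again under status in `@@ -476,6 +538,13 @@`. Both fields widen what a mounted plugin may do, so anyone reading the schema through `kubectl explain` gets the wrong idea of what they are granting. Judging by the field names, the intended wording is probably closer to `List of headers the plugin is allowed to include in the response` and `List of auth mount accessors the backend may request delegated authentication for`, which should be confirmed against the Vault mount documentation. This CRD appears to be generated, so the correction belongs in the schema description it is generated from, not in this file.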
@@ -203,33 +248,47 @@ spec: description: Default lease duration for tokens and secrets in seconds type: number + delegatedAuthAccessors: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array description: description: Human-friendly description of the mount type: string disableLocalCaJwt: - description: Disable defaulting to the local CA certificate and + description: |- + Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod. - Disable defaulting to the local CA certificate and service account - JWT when running in a Kubernetes pod. + Disable defaulting to the local CA certificate and service account JWT when running in a Kubernetes pod. type: boolean externalEntropyAccess: description: Enable the secrets engine to access Vault's external entropy source type: boolean + identityTokenKey: + description: The key to use for signing plugin workload identity + tokens + type: string kubernetesCaCert: - description: A PEM-encoded CA certificate used by the secrets - engine to verify the Kubernetes API server certificate. Defaults - to the local pod’s CA if Vault is running in Kubernetes. Otherwise, - defaults to the root CA set where Vault is running. A PEM-encoded - CA certificate used by the secret engine to verify the Kubernetes - API server certificate. Defaults to the local pod’s CA if found, - or otherwise the host's root CA set. + description: |- + A PEM-encoded CA certificate used by the + secrets engine to verify the Kubernetes API server certificate. Defaults to the local + pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where + Vault is running. + A PEM-encoded CA certificate used by the secret engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if found, or otherwise the host's root CA set. 
type: string kubernetesHost: - description: The Kubernetes API URL to connect to. Required if - the standard pod environment variables KUBERNETES_SERVICE_HOST - or KUBERNETES_SERVICE_PORT are not set on the host that Vault - is running on. The Kubernetes API URL to connect to. + description: |- + The Kubernetes API URL to connect to. Required if the + standard pod environment variables KUBERNETES_SERVICE_HOST or KUBERNETES_SERVICE_PORT + are not set on the host that Vault is running on. + The Kubernetes API URL to connect to. + type: string + listingVisibility: + description: Specifies whether to show this mount in the UI-specific + listing endpoint type: string local: description: Local mount flag that can be explicitly set to true @@ -240,11 +299,12 @@ spec: in seconds type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string options: additionalProperties: 
@@ -252,31 +312,64 @@ spec: description: Specifies mount type specific options that are passed to the backend type: object + x-kubernetes-map-type: granular + passthroughRequestHeaders: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array path: description: Where the secret backend will be mounted type: string + pluginVersion: + description: Specifies the semantic version of the plugin to use, + e.g. 'v1.0.0' + type: string sealWrap: description: Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability type: boolean + serviceAccountJwtSecretRef: + description: |- + The JSON web token of the service account used by the + secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault + is running in Kubernetes. + The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if found. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. 
See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -289,45 +382,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -337,21 +395,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -361,17 +419,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -381,21 +441,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -410,21 +470,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -435,14 +496,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. @@ -458,10 +520,10 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: path is a required parameter + - message: spec.forProvider.path is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.path) - || has(self.initProvider.path)' + || (has(self.initProvider) && has(self.initProvider.path))' status: description: SecretBackendStatus defines the observed state of SecretBackend. properties: 
@@ -476,6 +538,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: set + allowedResponseHeaders: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array auditNonHmacRequestKeys: description: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. @@ -492,14 +561,20 @@ spec: description: Default lease duration for tokens and secrets in seconds type: number + delegatedAuthAccessors: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array description: description: Human-friendly description of the mount type: string disableLocalCaJwt: - description: Disable defaulting to the local CA certificate and + description: |- + Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod. - Disable defaulting to the local CA certificate and service account - JWT when running in a Kubernetes pod. + Disable defaulting to the local CA certificate and service account JWT when running in a Kubernetes pod. type: boolean externalEntropyAccess: description: Enable the secrets engine to access Vault's external 
@@ -507,20 +582,28 @@ spec: type: boolean id: type: string + identityTokenKey: + description: The key to use for signing plugin workload identity + tokens + type: string kubernetesCaCert: - description: A PEM-encoded CA certificate used by the secrets - engine to verify the Kubernetes API server certificate. Defaults - to the local pod’s CA if Vault is running in Kubernetes. Otherwise, - defaults to the root CA set where Vault is running. A PEM-encoded - CA certificate used by the secret engine to verify the Kubernetes - API server certificate. Defaults to the local pod’s CA if found, - or otherwise the host's root CA set. + description: |- + A PEM-encoded CA certificate used by the + secrets engine to verify the Kubernetes API server certificate. Defaults to the local + pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where + Vault is running. + A PEM-encoded CA certificate used by the secret engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if found, or otherwise the host's root CA set. type: string kubernetesHost: - description: The Kubernetes API URL to connect to. Required if - the standard pod environment variables KUBERNETES_SERVICE_HOST - or KUBERNETES_SERVICE_PORT are not set on the host that Vault - is running on. The Kubernetes API URL to connect to. + description: |- + The Kubernetes API URL to connect to. Required if the + standard pod environment variables KUBERNETES_SERVICE_HOST or KUBERNETES_SERVICE_PORT + are not set on the host that Vault is running on. + The Kubernetes API URL to connect to. + type: string + listingVisibility: + description: Specifies whether to show this mount in the UI-specific + listing endpoint type: string local: description: Local mount flag that can be explicitly set to true 
@@ -531,11 +614,12 @@ spec: in seconds type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string options: additionalProperties: @@ -543,9 +627,20 @@ spec: description: Specifies mount type specific options that are passed to the backend type: object + x-kubernetes-map-type: granular + passthroughRequestHeaders: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array path: description: Where the secret backend will be mounted type: string + pluginVersion: + description: Specifies the semantic version of the plugin to use, + e.g. 'v1.0.0' + type: string sealWrap: description: Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability 
@@ -557,14 +652,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -574,8 +678,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -584,6 +689,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/kv.vault.upbound.io_secretbackendv2s.yaml b/package/crds/kv.vault.upbound.io_secretbackendv2s.yaml index b0cfa6b4..48abc2f6 100644 --- a/package/crds/kv.vault.upbound.io_secretbackendv2s.yaml +++ b/package/crds/kv.vault.upbound.io_secretbackendv2s.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretbackendv2s.kv.vault.upbound.io spec: group: kv.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -39,14 +39,19 @@ spec: store. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -55,13 +60,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -69,87 +75,246 @@ spec: forProvider: properties: casRequired: - description: If true, all keys will require the cas parameter - to be set on all write requests. If true, all keys will require - the cas parameter to be set on all write requests. + description: |- + If true, all keys will require the cas + parameter to be set on all write requests. + If true, all keys will require the cas parameter to be set on all write requests. type: boolean deleteVersionAfter: - description: If set, specifies the length of time before a version - is deleted. Accepts duration in integer seconds. If set, specifies - the length of time before a version is deleted + description: |- + If set, specifies the length of time before + a version is deleted. Accepts duration in integer seconds. + If set, specifies the length of time before a version is deleted type: number maxVersions: - description: The number of versions to keep per key. The number - of versions to keep per key. + description: |- + The number of versions to keep per key. + The number of versions to keep per key. type: number mount: - description: Path where KV-V2 engine is mounted. Path where KV-V2 - engine is mounted. + description: |- + Path where KV-V2 engine is mounted. + Path where KV-V2 engine is mounted. type: string + mountRef: + description: Reference to a Mount in vault to populate mount. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. 
The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + mountSelector: + description: Selector for a Mount in vault to populate mount. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. 
+ Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: casRequired: - description: If true, all keys will require the cas parameter - to be set on all write requests. If true, all keys will require - the cas parameter to be set on all write requests. + description: |- + If true, all keys will require the cas + parameter to be set on all write requests. + If true, all keys will require the cas parameter to be set on all write requests. 
type: boolean deleteVersionAfter: - description: If set, specifies the length of time before a version - is deleted. Accepts duration in integer seconds. If set, specifies - the length of time before a version is deleted + description: |- + If set, specifies the length of time before + a version is deleted. Accepts duration in integer seconds. + If set, specifies the length of time before a version is deleted type: number maxVersions: - description: The number of versions to keep per key. The number - of versions to keep per key. + description: |- + The number of versions to keep per key. + The number of versions to keep per key. type: number mount: - description: Path where KV-V2 engine is mounted. Path where KV-V2 - engine is mounted. + description: |- + Path where KV-V2 engine is mounted. + Path where KV-V2 engine is mounted. type: string + mountRef: + description: Reference to a Mount in vault to populate mount. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + mountSelector: + description: Selector for a Mount in vault to populate mount. 
+ properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. 
ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -162,45 +327,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -210,21 +340,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -234,17 +364,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -254,21 +386,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -283,21 +415,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -308,14 +441,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -330,42 +464,42 @@ spec: required: - forProvider type: object - x-kubernetes-validations: - - message: mount is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.mount) - || has(self.initProvider.mount)' status: description: SecretBackendV2Status defines the observed state of SecretBackendV2. properties: atProvider: properties: casRequired: - description: If true, all keys will require the cas parameter - to be set on all write requests. If true, all keys will require - the cas parameter to be set on all write requests. + description: |- + If true, all keys will require the cas + parameter to be set on all write requests. + If true, all keys will require the cas parameter to be set on all write requests. type: boolean deleteVersionAfter: - description: If set, specifies the length of time before a version - is deleted. Accepts duration in integer seconds. If set, specifies - the length of time before a version is deleted + description: |- + If set, specifies the length of time before + a version is deleted. Accepts duration in integer seconds. + If set, specifies the length of time before a version is deleted type: number id: type: string maxVersions: - description: The number of versions to keep per key. The number - of versions to keep per key. + description: |- + The number of versions to keep per key. + The number of versions to keep per key. type: number mount: - description: Path where KV-V2 engine is mounted. Path where KV-V2 - engine is mounted. + description: |- + Path where KV-V2 engine is mounted. + Path where KV-V2 engine is mounted. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. 
(requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: object conditions: @@ -374,14 +508,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -391,8 +534,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime 
@@ -401,6 +545,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/kv.vault.upbound.io_secrets.yaml b/package/crds/kv.vault.upbound.io_secrets.yaml index 8dd786c2..36251471 100644 --- a/package/crds/kv.vault.upbound.io_secrets.yaml +++ b/package/crds/kv.vault.upbound.io_secrets.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secrets.kv.vault.upbound.io spec: group: kv.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: to a given path in Vault properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete @@ -68,8 +74,10 @@ spec: forProvider: properties: dataJsonSecretRef: - description: JSON-encoded string that will be written as the secret - data at the given path. JSON-encoded secret data to write. + description: |- + JSON-encoded string that will be + written as the secret data at the given path. + JSON-encoded secret data to write. properties: key: description: The key to select. 
@@ -86,59 +94,86 @@ spec: - namespace type: object namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: Full path of the KV-V1 secret. Full path of the KV-V1 - secret. + description: |- + Full path of the KV-V1 secret. + Full path of the KV-V1 secret. type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. 
+ The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: + dataJsonSecretRef: + description: |- + JSON-encoded string that will be + written as the secret data at the given path. + JSON-encoded secret data to write. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: Full path of the KV-V1 secret. Full path of the KV-V1 - secret. + description: |- + Full path of the KV-V1 secret. + Full path of the KV-V1 secret. type: string + required: + - dataJsonSecretRef type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. 
Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -151,45 +186,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -199,21 +199,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -223,17 +223,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -243,21 +245,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -272,21 +274,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -297,14 +300,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. @@ -320,13 +324,13 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: dataJsonSecretRef is a required parameter + - message: spec.forProvider.dataJsonSecretRef is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.dataJsonSecretRef)' - - message: path is a required parameter + - message: spec.forProvider.path is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.path) - || has(self.initProvider.path)' + || (has(self.initProvider) && has(self.initProvider.path))' status: description: SecretStatus defines the observed state of Secret. properties: 
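Review bot: The `dataJsonSecretRef` rule in the validations hunk still accepts only `has(self.forProvider.dataJsonSecretRef)`, while the `path` rule next to it also accepts `initProvider`, and this same diff adds `dataJsonSecretRef` to the `initProvider` schema together with `required: - dataJsonSecretRef`. Read together, a manifest that sets `initProvider` for any field has to name the secret reference there and again under `forProvider`. The `initProvider` description also says its fields are added to the terraform ignore_changes hook, so if the reference is honored from there, a later change to the secret data may not be written to Vault; that is worth confirming against the provider's behaviour. The SecretV2 CRD further down gets the same `required` list under `initProvider`. These CRDs look generated (the SecretV2 file carries a controller-gen version annotation), so the fix belongs in the generator configuration: either drop the `required` entry from `initProvider`, or extend the rule to `has(self.forProvider.dataJsonSecretRef) || (has(self.initProvider) && has(self.initProvider.dataJsonSecretRef))`.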
@@ -335,15 +339,17 @@ spec: id: type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: Full path of the KV-V1 secret. Full path of the KV-V1 - secret. + description: |- + Full path of the KV-V1 secret. + Full path of the KV-V1 secret. type: string type: object conditions: @@ -352,14 +358,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. 
@@ -369,8 +384,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -379,6 +395,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/kv.vault.upbound.io_secretv2s.yaml b/package/crds/kv.vault.upbound.io_secretv2s.yaml index 338f4345..ad3495e7 100644 --- a/package/crds/kv.vault.upbound.io_secretv2s.yaml +++ b/package/crds/kv.vault.upbound.io_secretv2s.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretv2s.kv.vault.upbound.io spec: group: kv.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: secret to a given path in Vault properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,47 +74,53 @@ spec: forProvider: properties: cas: - description: This flag is required if cas_required is set to true + description: |- + This flag is required if cas_required is set to true on either the secret or the engine's config. In order for a - write operation to be successful, cas must be set to the current - version of the secret. This flag is required if cas_required - is set to true on either the secret or the engine's config. - In order for a write to be successful, cas must be set to the - current version of the secret. + write operation to be successful, cas must be set to the current version + of the secret. + This flag is required if cas_required is set to true on either the secret or the engine's config. In order for a write to be successful, cas must be set to the current version of the secret. type: number customMetadata: - description: A nested block that allows configuring metadata for - the KV secret. Refer to the Configuration Options for more info. + description: |- + A nested block that allows configuring metadata for the + KV secret. Refer to the + Configuration Options for more info. Custom metadata to be set for the secret. items: properties: casRequired: - description: If true, all keys will require the cas parameter - to be set on all write requests. If true, all keys will - require the cas parameter to be set on all write requests. + description: |- + If true, all keys will require the cas + parameter to be set on all write requests. + If true, all keys will require the cas parameter to be set on all write requests. type: boolean data: additionalProperties: type: string - description: A string to string map describing the secret. - A map of arbitrary string to string valued user-provided - metadata meant to describe the secret. + description: |- + A string to string map describing the secret. + A map of arbitrary string to string valued user-provided metadata meant to describe the secret. 
type: object + x-kubernetes-map-type: granular deleteVersionAfter: - description: If set, specifies the length of time before + description: |- + If set, specifies the length of time before a version is deleted. Accepts duration in integer seconds. - If set, specifies the length of time before a version - is deleted. + If set, specifies the length of time before a version is deleted. type: number maxVersions: - description: The number of versions to keep per key. The - number of versions to keep per key. + description: |- + The number of versions to keep per key. + The number of versions to keep per key. type: number type: object type: array dataJsonSecretRef: - description: JSON-encoded string that will be written as the secret - data at the given path. JSON-encoded secret data to write. + description: |- + JSON-encoded string that will be + written as the secret data at the given path. + JSON-encoded secret data to write. properties: key: description: The key to select. 
@@ -125,148 +137,333 @@ spec: - namespace type: object deleteAllVersions: - description: If set to true, permanently deletes all versions - for the specified key. If set to true, permanently deletes all + description: |- + If set to true, permanently deletes all versions for the specified key. + If set to true, permanently deletes all versions for the specified key. type: boolean disableRead: - description: 'If set to true, disables reading secret from Vault; - note: drift won''t be detected. If set to true, disables reading - secret from Vault; note: drift won''t be detected.' + description: |- + If set to true, disables reading secret from Vault; + note: drift won't be detected. + If set to true, disables reading secret from Vault; note: drift won't be detected. type: boolean mount: - description: Path where KV-V2 engine is mounted. Path where KV-V2 - engine is mounted. + description: |- + Path where KV-V2 engine is mounted. + Path where KV-V2 engine is mounted. type: string + mountRef: + description: Reference to a Mount in vault to populate mount. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + mountSelector: + description: Selector for a Mount in vault to populate mount. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object name: - description: Full name of the secret. For a nested secret the - name is the nested path excluding the mount and data prefix. - For example, for a secret at kvv2/data/foo/bar/baz the name - is foo/bar/baz. Full name of the secret. For a nested secret, - the name is the nested path excluding the mount and data prefix. - For example, for a secret at 'kvv2/data/foo/bar/baz', the name - is 'foo/bar/baz' + description: |- + Full name of the secret. For a nested secret + the name is the nested path excluding the mount and data + prefix. For example, for a secret at kvv2/data/foo/bar/baz + the name is foo/bar/baz. + Full name of the secret. 
For a nested secret, the name is the nested path excluding the mount and data prefix. For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz' type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string options: additionalProperties: type: string - description: An object that holds option settings. An object that - holds option settings. + description: |- + An object that holds option settings. + An object that holds option settings. type: object + x-kubernetes-map-type: granular type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. 
+ InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: cas: - description: This flag is required if cas_required is set to true + description: |- + This flag is required if cas_required is set to true on either the secret or the engine's config. In order for a - write operation to be successful, cas must be set to the current - version of the secret. This flag is required if cas_required - is set to true on either the secret or the engine's config. - In order for a write to be successful, cas must be set to the - current version of the secret. + write operation to be successful, cas must be set to the current version + of the secret. + This flag is required if cas_required is set to true on either the secret or the engine's config. In order for a write to be successful, cas must be set to the current version of the secret. type: number customMetadata: - description: A nested block that allows configuring metadata for - the KV secret. Refer to the Configuration Options for more info. + description: |- + A nested block that allows configuring metadata for the + KV secret. Refer to the + Configuration Options for more info. Custom metadata to be set for the secret. items: properties: casRequired: - description: If true, all keys will require the cas parameter - to be set on all write requests. If true, all keys will - require the cas parameter to be set on all write requests. + description: |- + If true, all keys will require the cas + parameter to be set on all write requests. 
+ If true, all keys will require the cas parameter to be set on all write requests. type: boolean data: additionalProperties: type: string - description: A string to string map describing the secret. - A map of arbitrary string to string valued user-provided - metadata meant to describe the secret. + description: |- + A string to string map describing the secret. + A map of arbitrary string to string valued user-provided metadata meant to describe the secret. type: object + x-kubernetes-map-type: granular deleteVersionAfter: - description: If set, specifies the length of time before + description: |- + If set, specifies the length of time before a version is deleted. Accepts duration in integer seconds. - If set, specifies the length of time before a version - is deleted. + If set, specifies the length of time before a version is deleted. type: number maxVersions: - description: The number of versions to keep per key. The - number of versions to keep per key. + description: |- + The number of versions to keep per key. + The number of versions to keep per key. type: number type: object type: array + dataJsonSecretRef: + description: |- + JSON-encoded string that will be + written as the secret data at the given path. + JSON-encoded secret data to write. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object deleteAllVersions: - description: If set to true, permanently deletes all versions - for the specified key. If set to true, permanently deletes all + description: |- + If set to true, permanently deletes all versions for the specified key. + If set to true, permanently deletes all versions for the specified key. type: boolean disableRead: - description: 'If set to true, disables reading secret from Vault; - note: drift won''t be detected. 
If set to true, disables reading - secret from Vault; note: drift won''t be detected.' + description: |- + If set to true, disables reading secret from Vault; + note: drift won't be detected. + If set to true, disables reading secret from Vault; note: drift won't be detected. type: boolean mount: - description: Path where KV-V2 engine is mounted. Path where KV-V2 - engine is mounted. + description: |- + Path where KV-V2 engine is mounted. + Path where KV-V2 engine is mounted. type: string + mountRef: + description: Reference to a Mount in vault to populate mount. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + mountSelector: + description: Selector for a Mount in vault to populate mount. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. 
+ properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object name: - description: Full name of the secret. For a nested secret the - name is the nested path excluding the mount and data prefix. - For example, for a secret at kvv2/data/foo/bar/baz the name - is foo/bar/baz. Full name of the secret. For a nested secret, - the name is the nested path excluding the mount and data prefix. - For example, for a secret at 'kvv2/data/foo/bar/baz', the name - is 'foo/bar/baz' + description: |- + Full name of the secret. For a nested secret + the name is the nested path excluding the mount and data + prefix. For example, for a secret at kvv2/data/foo/bar/baz + the name is foo/bar/baz. + Full name of the secret. For a nested secret, the name is the nested path excluding the mount and data prefix. For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz' type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. 
+ The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string options: additionalProperties: type: string - description: An object that holds option settings. An object that - holds option settings. + description: |- + An object that holds option settings. + An object that holds option settings. type: object + x-kubernetes-map-type: granular + required: + - dataJsonSecretRef type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. 
+ See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -279,45 +476,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -327,21 +489,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -351,17 +513,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -371,21 +535,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -400,21 +564,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -425,14 +590,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -448,107 +614,115 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: dataJsonSecretRef is a required parameter + - message: spec.forProvider.dataJsonSecretRef is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.dataJsonSecretRef)' - - message: mount is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.mount) - || has(self.initProvider.mount)' - - message: name is a required parameter + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' + || (has(self.initProvider) && has(self.initProvider.name))' status: description: SecretV2Status defines the observed state of SecretV2. properties: atProvider: properties: cas: - description: This flag is required if cas_required is set to true + description: |- + This flag is required if cas_required is set to true on either the secret or the engine's config. In order for a - write operation to be successful, cas must be set to the current - version of the secret. This flag is required if cas_required - is set to true on either the secret or the engine's config. - In order for a write to be successful, cas must be set to the - current version of the secret. + write operation to be successful, cas must be set to the current version + of the secret. + This flag is required if cas_required is set to true on either the secret or the engine's config. In order for a write to be successful, cas must be set to the current version of the secret. type: number customMetadata: - description: A nested block that allows configuring metadata for - the KV secret. 
Refer to the Configuration Options for more info. + description: |- + A nested block that allows configuring metadata for the + KV secret. Refer to the + Configuration Options for more info. Custom metadata to be set for the secret. items: properties: casRequired: - description: If true, all keys will require the cas parameter - to be set on all write requests. If true, all keys will - require the cas parameter to be set on all write requests. + description: |- + If true, all keys will require the cas + parameter to be set on all write requests. + If true, all keys will require the cas parameter to be set on all write requests. type: boolean data: additionalProperties: type: string - description: A string to string map describing the secret. - A map of arbitrary string to string valued user-provided - metadata meant to describe the secret. + description: |- + A string to string map describing the secret. + A map of arbitrary string to string valued user-provided metadata meant to describe the secret. type: object + x-kubernetes-map-type: granular deleteVersionAfter: - description: If set, specifies the length of time before + description: |- + If set, specifies the length of time before a version is deleted. Accepts duration in integer seconds. - If set, specifies the length of time before a version - is deleted. + If set, specifies the length of time before a version is deleted. type: number maxVersions: - description: The number of versions to keep per key. The - number of versions to keep per key. + description: |- + The number of versions to keep per key. + The number of versions to keep per key. type: number type: object type: array deleteAllVersions: - description: If set to true, permanently deletes all versions - for the specified key. If set to true, permanently deletes all + description: |- + If set to true, permanently deletes all versions for the specified key. + If set to true, permanently deletes all versions for the specified key. 
type: boolean disableRead: - description: 'If set to true, disables reading secret from Vault; - note: drift won''t be detected. If set to true, disables reading - secret from Vault; note: drift won''t be detected.' + description: |- + If set to true, disables reading secret from Vault; + note: drift won't be detected. + If set to true, disables reading secret from Vault; note: drift won't be detected. type: boolean id: type: string metadata: additionalProperties: type: string - description: Metadata associated with this secret read from Vault. + description: |- + Metadata associated with this secret read from Vault. Metadata associated with this secret read from Vault. type: object + x-kubernetes-map-type: granular mount: - description: Path where KV-V2 engine is mounted. Path where KV-V2 - engine is mounted. + description: |- + Path where KV-V2 engine is mounted. + Path where KV-V2 engine is mounted. type: string name: - description: Full name of the secret. For a nested secret the - name is the nested path excluding the mount and data prefix. - For example, for a secret at kvv2/data/foo/bar/baz the name - is foo/bar/baz. Full name of the secret. For a nested secret, - the name is the nested path excluding the mount and data prefix. - For example, for a secret at 'kvv2/data/foo/bar/baz', the name - is 'foo/bar/baz' + description: |- + Full name of the secret. For a nested secret + the name is the nested path excluding the mount and data + prefix. For example, for a secret at kvv2/data/foo/bar/baz + the name is foo/bar/baz. + Full name of the secret. For a nested secret, the name is the nested path excluding the mount and data prefix. For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz' type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. 
- Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string options: additionalProperties: type: string - description: An object that holds option settings. An object that - holds option settings. + description: |- + An object that holds option settings. + An object that holds option settings. type: object + x-kubernetes-map-type: granular path: - description: Full path where the KV-V2 secret will be written. + description: |- + Full path where the KV-V2 secret will be written. Full path where the KV-V2 secret will be written. type: string type: object @@ -558,14 +732,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. 
@@ -575,8 +758,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -585,6 +769,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/ldap.vault.upbound.io_authbackendgroups.yaml b/package/crds/ldap.vault.upbound.io_authbackendgroups.yaml index 1b859b43..1013b4cf 100644 --- a/package/crds/ldap.vault.upbound.io_authbackendgroups.yaml +++ b/package/crds/ldap.vault.upbound.io_authbackendgroups.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: authbackendgroups.ldap.vault.upbound.io spec: group: ldap.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -78,19 +84,20 @@ spec: items: type: string type: array + x-kubernetes-list-type: set type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: backend: type: string 
@@ -103,24 +110,26 @@ spec: items: type: string type: array + x-kubernetes-list-type: set type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. 
+ See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -133,45 +142,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -181,21 +155,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -205,17 +179,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -225,21 +201,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -254,21 +230,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -279,14 +256,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. @@ -302,10 +280,10 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: groupname is a required parameter + - message: spec.forProvider.groupname is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.groupname) - || has(self.initProvider.groupname)' + || (has(self.initProvider) && has(self.initProvider.groupname))' status: description: AuthBackendGroupStatus defines the observed state of AuthBackendGroup. properties: @@ -324,6 +302,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: set type: object conditions: description: Conditions of the resource. 
@@ -331,14 +310,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -348,8 +336,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -358,6 +347,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/ldap.vault.upbound.io_authbackends.yaml b/package/crds/ldap.vault.upbound.io_authbackends.yaml index 9eb95415..e722b25e 100644 --- a/package/crds/ldap.vault.upbound.io_authbackends.yaml +++ b/package/crds/ldap.vault.upbound.io_authbackends.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: authbackends.ldap.vault.upbound.io spec: group: ldap.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -37,14 +37,19 @@ spec: description: AuthBackend is the Schema for the AuthBackends API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -53,13 +58,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete @@ -149,6 +155,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: description: Generated Token's Explicit Maximum TTL in seconds type: number @@ -171,6 +178,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: set tokenTtl: description: The initial ttl of the token to generate in seconds type: number 
@@ -195,26 +203,62 @@ spec: type: boolean type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: binddn: type: string + bindpassSecretRef: + description: A SecretKeySelector is a reference to a secret key + in an arbitrary namespace. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. 
+ type: string + required: + - key + - name + - namespace + type: object caseSensitiveNames: type: boolean certificate: type: string clientTlsCert: type: string + clientTlsKeySecretRef: + description: A SecretKeySelector is a reference to a secret key + in an arbitrary namespace. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object denyNullBind: type: boolean description: @@ -254,6 +298,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: description: Generated Token's Explicit Maximum TTL in seconds type: number @@ -276,6 +321,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: set tokenTtl: description: The initial ttl of the token to generate in seconds type: number 
@@ -302,20 +348,21 @@ spec: managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. 
+ description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -328,45 +375,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -376,21 +388,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -400,17 +412,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -420,21 +434,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -449,21 +463,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -474,14 +489,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. @@ -497,10 +513,10 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: url is a required parameter + - message: spec.forProvider.url is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.url) - || has(self.initProvider.url)' + || (has(self.initProvider) && has(self.initProvider.url))' status: description: AuthBackendStatus defines the observed state of AuthBackend. properties: @@ -558,6 +574,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: description: Generated Token's Explicit Maximum TTL in seconds type: number 
@@ -580,6 +597,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: set tokenTtl: description: The initial ttl of the token to generate in seconds type: number @@ -609,14 +627,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -626,8 +653,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime 
@@ -636,6 +664,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/ldap.vault.upbound.io_authbackendusers.yaml b/package/crds/ldap.vault.upbound.io_authbackendusers.yaml index 20f5e97b..a29c13a1 100644 --- a/package/crds/ldap.vault.upbound.io_authbackendusers.yaml +++ b/package/crds/ldap.vault.upbound.io_authbackendusers.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: authbackendusers.ldap.vault.upbound.io spec: group: ldap.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: value> properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete @@ -73,6 +79,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: set namespace: description: Target namespace. (requires Enterprise) type: string 
@@ -80,21 +87,22 @@ spec: items: type: string type: array + x-kubernetes-list-type: set username: type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: backend: type: string @@ -102,6 +110,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: set namespace: description: Target namespace. (requires Enterprise) type: string 
@@ -109,26 +118,28 @@ spec: items: type: string type: array + x-kubernetes-list-type: set username: type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. 
+ See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -141,45 +152,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -189,21 +165,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -213,17 +189,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -233,21 +211,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -262,21 +240,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -287,14 +266,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. @@ -310,10 +290,10 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: username is a required parameter + - message: spec.forProvider.username is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.username) - || has(self.initProvider.username)' + || (has(self.initProvider) && has(self.initProvider.username))' status: description: AuthBackendUserStatus defines the observed state of AuthBackendUser. properties: @@ -325,6 +305,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: set id: type: string namespace: @@ -334,6 +315,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: set username: type: string type: object 
@@ -343,14 +325,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -360,8 +351,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -370,6 +362,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/managed.vault.upbound.io_keys.yaml b/package/crds/managed.vault.upbound.io_keys.yaml index 5d8aed2e..c7c54dcc 100644 
--- a/package/crds/managed.vault.upbound.io_keys.yaml +++ b/package/crds/managed.vault.upbound.io_keys.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: keys.managed.vault.upbound.io spec: group: managed.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: in Vault properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -72,74 +78,76 @@ spec: items: properties: accessKey: - description: The AWS access key to use. The AWS access key - to use + description: |- + The AWS access key to use. + The AWS access key to use type: string allowGenerateKey: - description: If no existing key can be found in the referenced - backend, instructs Vault to generate a key within the - backend. If no existing key can be found in the referenced - backend, instructs Vault to generate a key within the - backend + description: |- + If no existing key can be found in + the referenced backend, instructs Vault to generate a key within the backend. + If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend type: boolean allowReplaceKey: - description: Controls the ability for Vault to replace through - generation or importing a key into the configured backend - even if a key is present, if set to false those operations - are forbidden if a key exists. Controls the ability for - Vault to replace through generation or importing a key - into the configured backend even if a key is present, - if set to false those operations are forbidden if a key - exists. + description: |- + Controls the ability for Vault to replace through + generation or importing a key into the configured backend even + if a key is present, if set to false those operations are forbidden + if a key exists. + Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists. type: boolean allowStoreKey: - description: Controls the ability for Vault to import a - key to the configured backend, if false, those operations - will be forbidden. 
Controls the ability for Vault to import - a key to the configured backend, if 'false', those operations - will be forbidden + description: |- + Controls the ability for Vault to import a key to the + configured backend, if false, those operations will be forbidden. + Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden type: boolean anyMount: - description: If true, allows usage from any mount point - within the namespace. Allow usage from any mount point - within the namespace if 'true' + description: |- + If true, allows usage from any mount point within the + namespace. + Allow usage from any mount point within the namespace if 'true' type: boolean curve: - description: The curve to use for an ECDSA key. Used when - key_type is ECDSA. Required if allow_generate_key is true. + description: |- The curve to use for an ECDSA key. Used when key_type - is 'ECDSA'. Required if 'allow_generate_key' is true + is ECDSA. Required if allow_generate_key is true. + The curve to use for an ECDSA key. Used when key_type is 'ECDSA'. Required if 'allow_generate_key' is true type: string endpoint: - description: Used to specify a custom AWS endpoint. Used - to specify a custom AWS endpoint + description: |- + Used to specify a custom AWS endpoint. + Used to specify a custom AWS endpoint type: string keyBits: - description: The size in bits for an RSA key. The size in - bits for an RSA key. This field is required when 'key_type' - is 'RSA' + description: |- + The size in bits for an RSA key. + The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' type: string keyType: - description: The type of key to use. The type of key to - use + description: |- + The type of key to use. + The type of key to use type: string kmsKey: - description: An identifier for the key. An identifier for - the key + description: |- + An identifier for the key. 
+ An identifier for the key type: string name: - description: A unique lowercase name that serves as identifying - the key. A unique lowercase name that serves as identifying - the key + description: |- + A unique lowercase name that serves as identifying the key. + A unique lowercase name that serves as identifying the key type: string region: - description: The AWS region where the keys are stored (or - will be stored). The AWS region where the keys are stored - (or will be stored) + description: |- + The AWS region where the keys are stored (or will be stored). + The AWS region where the keys are stored (or will be stored) type: string secretKey: - description: The AWS access key to use. The AWS secret key - to use + description: |- + The AWS access key to use. + The AWS secret key to use type: string type: object type: array 
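Review bot: `secretKey` and `accessKey` in this hunk are plain `type: string` fields in the spec (presumably `spec.forProvider.aws`; the enclosing mapping starts outside the hunk), so an AWS secret key set here is stored inline in the custom resource. It is then readable by anyone with get/list on these Key objects and is likely to end up in manifests kept in Git. The same applies in the following hunks to the Azure `clientSecret` and the PKCS `pin`, and to the copies of these fields under `initProvider`, which the new description says is honored by default. Because this CRD is generated, the change belongs in the provider's resource configuration: if these fields can be marked sensitive there, the generator should emit Secret references (for example a `secretKeySecretRef`-style selector) instead of inline strings, which is worth confirming against the upjet version in use. Separately, the first sentence of the `secretKey` description still reads "The AWS access key to use." and should be `The AWS secret key to use.`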
@@ -148,268 +156,272 @@ spec: items: properties: allowGenerateKey: - description: If no existing key can be found in the referenced - backend, instructs Vault to generate a key within the - backend. If no existing key can be found in the referenced - backend, instructs Vault to generate a key within the - backend + description: |- + If no existing key can be found in + the referenced backend, instructs Vault to generate a key within the backend. + If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend type: boolean allowReplaceKey: - description: Controls the ability for Vault to replace through - generation or importing a key into the configured backend - even if a key is present, if set to false those operations - are forbidden if a key exists. Controls the ability for - Vault to replace through generation or importing a key - into the configured backend even if a key is present, - if set to false those operations are forbidden if a key - exists. + description: |- + Controls the ability for Vault to replace through + generation or importing a key into the configured backend even + if a key is present, if set to false those operations are forbidden + if a key exists. + Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists. type: boolean allowStoreKey: - description: Controls the ability for Vault to import a - key to the configured backend, if false, those operations - will be forbidden. Controls the ability for Vault to import - a key to the configured backend, if 'false', those operations - will be forbidden + description: |- + Controls the ability for Vault to import a key to the + configured backend, if false, those operations will be forbidden. 
+ Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden type: boolean anyMount: - description: If true, allows usage from any mount point - within the namespace. Allow usage from any mount point - within the namespace if 'true' + description: |- + If true, allows usage from any mount point within the + namespace. + Allow usage from any mount point within the namespace if 'true' type: boolean clientId: - description: The client id for credentials to query the - Azure APIs. The client id for credentials to query the - Azure APIs + description: |- + The client id for credentials to query the Azure APIs. + The client id for credentials to query the Azure APIs type: string clientSecret: - description: The client secret for credentials to query - the Azure APIs. The client secret for credentials to query - the Azure APIs + description: |- + The client secret for credentials to query the Azure APIs. + The client secret for credentials to query the Azure APIs type: string environment: - description: The Azure Cloud environment API endpoints to - use. The Azure Cloud environment API endpoints to use + description: |- + The Azure Cloud environment API endpoints to use. + The Azure Cloud environment API endpoints to use type: string keyBits: - description: The size in bits for an RSA key. The size in - bits for an RSA key. This field is required when 'key_type' - is 'RSA' or when 'allow_generate_key' is true + description: |- + The size in bits for an RSA key. + The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' or when 'allow_generate_key' is true type: string keyName: - description: The Key Vault key to use for encryption and - decryption. The Key Vault key to use for encryption and - decryption + description: |- + The Key Vault key to use for encryption and decryption. 
+ The Key Vault key to use for encryption and decryption type: string keyType: - description: The type of key to use. The type of key to - use + description: |- + The type of key to use. + The type of key to use type: string name: - description: A unique lowercase name that serves as identifying - the key. A unique lowercase name that serves as identifying - the key + description: |- + A unique lowercase name that serves as identifying the key. + A unique lowercase name that serves as identifying the key type: string resource: - description: The Azure Key Vault resource's DNS Suffix to - connect to. The Azure Key Vault resource's DNS Suffix - to connect to + description: |- + The Azure Key Vault resource's DNS Suffix to connect to. + The Azure Key Vault resource's DNS Suffix to connect to type: string tenantId: - description: The tenant id for the Azure Active Directory - organization. The tenant id for the Azure Active Directory - organization + description: |- + The tenant id for the Azure Active Directory organization. + The tenant id for the Azure Active Directory organization type: string vaultName: - description: The Key Vault vault to use for encryption and - decryption. The Key Vault vault to use the encryption - keys for encryption and decryption + description: |- + The Key Vault vault to use for encryption and decryption. + The Key Vault vault to use the encryption keys for encryption and decryption type: string type: object type: array namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. 
+ Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string pkcs: description: Configuration block for PKCS Managed Keys items: properties: allowGenerateKey: - description: If no existing key can be found in the referenced - backend, instructs Vault to generate a key within the - backend. If no existing key can be found in the referenced - backend, instructs Vault to generate a key within the - backend + description: |- + If no existing key can be found in + the referenced backend, instructs Vault to generate a key within the backend. + If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend type: boolean allowReplaceKey: - description: Controls the ability for Vault to replace through - generation or importing a key into the configured backend - even if a key is present, if set to false those operations - are forbidden if a key exists. Controls the ability for - Vault to replace through generation or importing a key - into the configured backend even if a key is present, - if set to false those operations are forbidden if a key - exists. + description: |- + Controls the ability for Vault to replace through + generation or importing a key into the configured backend even + if a key is present, if set to false those operations are forbidden + if a key exists. + Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists. type: boolean allowStoreKey: - description: Controls the ability for Vault to import a - key to the configured backend, if false, those operations - will be forbidden. 
Controls the ability for Vault to import - a key to the configured backend, if 'false', those operations - will be forbidden + description: |- + Controls the ability for Vault to import a key to the + configured backend, if false, those operations will be forbidden. + Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden type: boolean anyMount: - description: If true, allows usage from any mount point - within the namespace. Allow usage from any mount point - within the namespace if 'true' + description: |- + If true, allows usage from any mount point within the + namespace. + Allow usage from any mount point within the namespace if 'true' type: boolean curve: - description: The curve to use for an ECDSA key. Used when - key_type is ECDSA. Required if allow_generate_key is true. - Supplies the curve value when using the 'CKM_ECDSA' mechanism. - Required if 'allow_generate_key' is true + description: |- + The curve to use for an ECDSA key. Used when key_type + is ECDSA. Required if allow_generate_key is true. + Supplies the curve value when using the 'CKM_ECDSA' mechanism. Required if 'allow_generate_key' is true type: string forceRwSession: - description: Force all operations to open up a read-write - session to the HSM. Force all operations to open up a - read-write session to the HSM + description: |- + Force all operations to open up a read-write session to + the HSM. + Force all operations to open up a read-write session to the HSM type: string keyBits: - description: The size in bits for an RSA key. Supplies the - size in bits of the key when using 'CKM_RSA_PKCS_PSS', - 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. - Required if 'allow_generate_key' is true + description: |- + The size in bits for an RSA key. + Supplies the size in bits of the key when using 'CKM_RSA_PKCS_PSS', 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. 
Required if 'allow_generate_key' is true type: string keyId: - description: The id of a PKCS#11 key to use. The id of a - PKCS#11 key to use + description: |- + The id of a PKCS#11 key to use. + The id of a PKCS#11 key to use type: string keyLabel: - description: The label of the key to use. The label of the - key to use + description: |- + The label of the key to use. + The label of the key to use type: string library: - description: The name of the kms_library stanza to use from - Vault's config to lookup the local library path. The name - of the kms_library stanza to use from Vault's config to - lookup the local library path + description: |- + The name of the kms_library stanza to use from Vault's config + to lookup the local library path. + The name of the kms_library stanza to use from Vault's config to lookup the local library path type: string mechanism: - description: The encryption/decryption mechanism to use, - specified as a hexadecimal (prefixed by 0x) string. The - encryption/decryption mechanism to use, specified as a + description: |- + The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string. + The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string. type: string name: - description: A unique lowercase name that serves as identifying - the key. A unique lowercase name that serves as identifying - the key + description: |- + A unique lowercase name that serves as identifying the key. + A unique lowercase name that serves as identifying the key type: string pin: - description: The PIN for login. The PIN for login + description: |- + The PIN for login. + The PIN for login type: string slot: - description: The slot number to use, specified as a string - in a decimal format (e.g. 2305843009213693953). The slot - number to use, specified as a string in a decimal format - (e.g. 
'2305843009213693953') + description: |- + The slot number to use, specified as a string in a decimal format + (e.g. 2305843009213693953). + The slot number to use, specified as a string in a decimal format (e.g. '2305843009213693953') type: string tokenLabel: - description: The slot token label to use. The slot token - label to use + description: |- + The slot token label to use. + The slot token label to use type: string type: object type: array type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: aws: description: Configuration block for AWS Managed Keys items: properties: accessKey: - description: The AWS access key to use. 
The AWS access key - to use + description: |- + The AWS access key to use. + The AWS access key to use type: string allowGenerateKey: - description: If no existing key can be found in the referenced - backend, instructs Vault to generate a key within the - backend. If no existing key can be found in the referenced - backend, instructs Vault to generate a key within the - backend + description: |- + If no existing key can be found in + the referenced backend, instructs Vault to generate a key within the backend. + If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend type: boolean allowReplaceKey: - description: Controls the ability for Vault to replace through - generation or importing a key into the configured backend - even if a key is present, if set to false those operations - are forbidden if a key exists. Controls the ability for - Vault to replace through generation or importing a key - into the configured backend even if a key is present, - if set to false those operations are forbidden if a key - exists. + description: |- + Controls the ability for Vault to replace through + generation or importing a key into the configured backend even + if a key is present, if set to false those operations are forbidden + if a key exists. + Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists. type: boolean allowStoreKey: - description: Controls the ability for Vault to import a - key to the configured backend, if false, those operations - will be forbidden. Controls the ability for Vault to import - a key to the configured backend, if 'false', those operations - will be forbidden + description: |- + Controls the ability for Vault to import a key to the + configured backend, if false, those operations will be forbidden. 
+ Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden type: boolean anyMount: - description: If true, allows usage from any mount point - within the namespace. Allow usage from any mount point - within the namespace if 'true' + description: |- + If true, allows usage from any mount point within the + namespace. + Allow usage from any mount point within the namespace if 'true' type: boolean curve: - description: The curve to use for an ECDSA key. Used when - key_type is ECDSA. Required if allow_generate_key is true. + description: |- The curve to use for an ECDSA key. Used when key_type - is 'ECDSA'. Required if 'allow_generate_key' is true + is ECDSA. Required if allow_generate_key is true. + The curve to use for an ECDSA key. Used when key_type is 'ECDSA'. Required if 'allow_generate_key' is true type: string endpoint: - description: Used to specify a custom AWS endpoint. Used - to specify a custom AWS endpoint + description: |- + Used to specify a custom AWS endpoint. + Used to specify a custom AWS endpoint type: string keyBits: - description: The size in bits for an RSA key. The size in - bits for an RSA key. This field is required when 'key_type' - is 'RSA' + description: |- + The size in bits for an RSA key. + The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' type: string keyType: - description: The type of key to use. The type of key to - use + description: |- + The type of key to use. + The type of key to use type: string kmsKey: - description: An identifier for the key. An identifier for - the key + description: |- + An identifier for the key. + An identifier for the key type: string name: - description: A unique lowercase name that serves as identifying - the key. A unique lowercase name that serves as identifying - the key + description: |- + A unique lowercase name that serves as identifying the key. 
+ A unique lowercase name that serves as identifying the key type: string region: - description: The AWS region where the keys are stored (or - will be stored). The AWS region where the keys are stored - (or will be stored) + description: |- + The AWS region where the keys are stored (or will be stored). + The AWS region where the keys are stored (or will be stored) type: string secretKey: - description: The AWS access key to use. The AWS secret key - to use + description: |- + The AWS access key to use. + The AWS secret key to use type: string type: object type: array 
@@ -418,178 +430,180 @@ spec: items: properties: allowGenerateKey: - description: If no existing key can be found in the referenced - backend, instructs Vault to generate a key within the - backend. If no existing key can be found in the referenced - backend, instructs Vault to generate a key within the - backend + description: |- + If no existing key can be found in + the referenced backend, instructs Vault to generate a key within the backend. + If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend type: boolean allowReplaceKey: - description: Controls the ability for Vault to replace through - generation or importing a key into the configured backend - even if a key is present, if set to false those operations - are forbidden if a key exists. Controls the ability for - Vault to replace through generation or importing a key - into the configured backend even if a key is present, - if set to false those operations are forbidden if a key - exists. + description: |- + Controls the ability for Vault to replace through + generation or importing a key into the configured backend even + if a key is present, if set to false those operations are forbidden + if a key exists. + Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists. type: boolean allowStoreKey: - description: Controls the ability for Vault to import a - key to the configured backend, if false, those operations - will be forbidden. Controls the ability for Vault to import - a key to the configured backend, if 'false', those operations - will be forbidden + description: |- + Controls the ability for Vault to import a key to the + configured backend, if false, those operations will be forbidden. 
+ Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden type: boolean anyMount: - description: If true, allows usage from any mount point - within the namespace. Allow usage from any mount point - within the namespace if 'true' + description: |- + If true, allows usage from any mount point within the + namespace. + Allow usage from any mount point within the namespace if 'true' type: boolean clientId: - description: The client id for credentials to query the - Azure APIs. The client id for credentials to query the - Azure APIs + description: |- + The client id for credentials to query the Azure APIs. + The client id for credentials to query the Azure APIs type: string clientSecret: - description: The client secret for credentials to query - the Azure APIs. The client secret for credentials to query - the Azure APIs + description: |- + The client secret for credentials to query the Azure APIs. + The client secret for credentials to query the Azure APIs type: string environment: - description: The Azure Cloud environment API endpoints to - use. The Azure Cloud environment API endpoints to use + description: |- + The Azure Cloud environment API endpoints to use. + The Azure Cloud environment API endpoints to use type: string keyBits: - description: The size in bits for an RSA key. The size in - bits for an RSA key. This field is required when 'key_type' - is 'RSA' or when 'allow_generate_key' is true + description: |- + The size in bits for an RSA key. + The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' or when 'allow_generate_key' is true type: string keyName: - description: The Key Vault key to use for encryption and - decryption. The Key Vault key to use for encryption and - decryption + description: |- + The Key Vault key to use for encryption and decryption. 
+ The Key Vault key to use for encryption and decryption type: string keyType: - description: The type of key to use. The type of key to - use + description: |- + The type of key to use. + The type of key to use type: string name: - description: A unique lowercase name that serves as identifying - the key. A unique lowercase name that serves as identifying - the key + description: |- + A unique lowercase name that serves as identifying the key. + A unique lowercase name that serves as identifying the key type: string resource: - description: The Azure Key Vault resource's DNS Suffix to - connect to. The Azure Key Vault resource's DNS Suffix - to connect to + description: |- + The Azure Key Vault resource's DNS Suffix to connect to. + The Azure Key Vault resource's DNS Suffix to connect to type: string tenantId: - description: The tenant id for the Azure Active Directory - organization. The tenant id for the Azure Active Directory - organization + description: |- + The tenant id for the Azure Active Directory organization. + The tenant id for the Azure Active Directory organization type: string vaultName: - description: The Key Vault vault to use for encryption and - decryption. The Key Vault vault to use the encryption - keys for encryption and decryption + description: |- + The Key Vault vault to use for encryption and decryption. + The Key Vault vault to use the encryption keys for encryption and decryption type: string type: object type: array namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. 
+ Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string pkcs: description: Configuration block for PKCS Managed Keys items: properties: allowGenerateKey: - description: If no existing key can be found in the referenced - backend, instructs Vault to generate a key within the - backend. If no existing key can be found in the referenced - backend, instructs Vault to generate a key within the - backend + description: |- + If no existing key can be found in + the referenced backend, instructs Vault to generate a key within the backend. + If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend type: boolean allowReplaceKey: - description: Controls the ability for Vault to replace through - generation or importing a key into the configured backend - even if a key is present, if set to false those operations - are forbidden if a key exists. Controls the ability for - Vault to replace through generation or importing a key - into the configured backend even if a key is present, - if set to false those operations are forbidden if a key - exists. + description: |- + Controls the ability for Vault to replace through + generation or importing a key into the configured backend even + if a key is present, if set to false those operations are forbidden + if a key exists. + Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists. type: boolean allowStoreKey: - description: Controls the ability for Vault to import a - key to the configured backend, if false, those operations - will be forbidden. 
Controls the ability for Vault to import - a key to the configured backend, if 'false', those operations - will be forbidden + description: |- + Controls the ability for Vault to import a key to the + configured backend, if false, those operations will be forbidden. + Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden type: boolean anyMount: - description: If true, allows usage from any mount point - within the namespace. Allow usage from any mount point - within the namespace if 'true' + description: |- + If true, allows usage from any mount point within the + namespace. + Allow usage from any mount point within the namespace if 'true' type: boolean curve: - description: The curve to use for an ECDSA key. Used when - key_type is ECDSA. Required if allow_generate_key is true. - Supplies the curve value when using the 'CKM_ECDSA' mechanism. - Required if 'allow_generate_key' is true + description: |- + The curve to use for an ECDSA key. Used when key_type + is ECDSA. Required if allow_generate_key is true. + Supplies the curve value when using the 'CKM_ECDSA' mechanism. Required if 'allow_generate_key' is true type: string forceRwSession: - description: Force all operations to open up a read-write - session to the HSM. Force all operations to open up a - read-write session to the HSM + description: |- + Force all operations to open up a read-write session to + the HSM. + Force all operations to open up a read-write session to the HSM type: string keyBits: - description: The size in bits for an RSA key. Supplies the - size in bits of the key when using 'CKM_RSA_PKCS_PSS', - 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. - Required if 'allow_generate_key' is true + description: |- + The size in bits for an RSA key. + Supplies the size in bits of the key when using 'CKM_RSA_PKCS_PSS', 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. 
Required if 'allow_generate_key' is true type: string keyId: - description: The id of a PKCS#11 key to use. The id of a - PKCS#11 key to use + description: |- + The id of a PKCS#11 key to use. + The id of a PKCS#11 key to use type: string keyLabel: - description: The label of the key to use. The label of the - key to use + description: |- + The label of the key to use. + The label of the key to use type: string library: - description: The name of the kms_library stanza to use from - Vault's config to lookup the local library path. The name - of the kms_library stanza to use from Vault's config to - lookup the local library path + description: |- + The name of the kms_library stanza to use from Vault's config + to lookup the local library path. + The name of the kms_library stanza to use from Vault's config to lookup the local library path type: string mechanism: - description: The encryption/decryption mechanism to use, - specified as a hexadecimal (prefixed by 0x) string. The - encryption/decryption mechanism to use, specified as a + description: |- + The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string. + The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string. type: string name: - description: A unique lowercase name that serves as identifying - the key. A unique lowercase name that serves as identifying - the key + description: |- + A unique lowercase name that serves as identifying the key. + A unique lowercase name that serves as identifying the key type: string pin: - description: The PIN for login. The PIN for login + description: |- + The PIN for login. + The PIN for login type: string slot: - description: The slot number to use, specified as a string - in a decimal format (e.g. 2305843009213693953). The slot - number to use, specified as a string in a decimal format - (e.g. 
'2305843009213693953') + description: |- + The slot number to use, specified as a string in a decimal format + (e.g. 2305843009213693953). + The slot number to use, specified as a string in a decimal format (e.g. '2305843009213693953') type: string tokenLabel: - description: The slot token label to use. The slot token - label to use + description: |- + The slot token label to use. + The slot token label to use type: string type: object type: array 
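Review bot: `clientSecret` and `pin` in this hunk are still plain `type: string` properties, so the Azure client secret and the HSM PIN are stored inline in the object and are readable by anyone who can get the resource. The same applies to `accessKey` and `secretKey` in the hunk at `@@ -801,74 +785,76 @@`, which also carries the `uuid` read back from Vault and so looks like the observed-state side. The schema appears to be generated, so the fix belongs in the generator's resource configuration (marking these fields sensitive so they are emitted as secret references) rather than in this file. The enclosing `properties` mapping starts outside the hunk, so whether this block is the desired or the observed side cannot be confirmed from here.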
@@ -597,20 +611,21 @@ spec: managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. 
+ description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -623,9 +638,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -635,57 +651,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -695,17 +675,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
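Review bot: Removing `providerRef` from the schema in the hunk at `@@ -635,57 +651,21 @@` is an API break that is not called out. A manifest that still sets `spec.providerRef` will presumably have the field pruned, and because `providerConfigRef` defaults to `name: default`, that resource would then reconcile with the default provider configuration instead of the one its author named. For a Vault provider this can mean different credentials or a different namespace than intended. A release-note entry and a pre-upgrade check for objects that still carry `providerRef` would cover it; the schema looks generated, so nothing needs to change in this file.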
@@ -715,21 +697,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -744,21 +726,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -769,14 +752,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -801,74 +785,76 @@ spec: items: properties: accessKey: - description: The AWS access key to use. The AWS access key - to use + description: |- + The AWS access key to use. + The AWS access key to use type: string allowGenerateKey: - description: If no existing key can be found in the referenced - backend, instructs Vault to generate a key within the - backend. If no existing key can be found in the referenced - backend, instructs Vault to generate a key within the - backend + description: |- + If no existing key can be found in + the referenced backend, instructs Vault to generate a key within the backend. + If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend type: boolean allowReplaceKey: - description: Controls the ability for Vault to replace through - generation or importing a key into the configured backend - even if a key is present, if set to false those operations - are forbidden if a key exists. Controls the ability for - Vault to replace through generation or importing a key - into the configured backend even if a key is present, - if set to false those operations are forbidden if a key - exists. + description: |- + Controls the ability for Vault to replace through + generation or importing a key into the configured backend even + if a key is present, if set to false those operations are forbidden + if a key exists. + Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists. type: boolean allowStoreKey: - description: Controls the ability for Vault to import a - key to the configured backend, if false, those operations - will be forbidden. 
Controls the ability for Vault to import - a key to the configured backend, if 'false', those operations - will be forbidden + description: |- + Controls the ability for Vault to import a key to the + configured backend, if false, those operations will be forbidden. + Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden type: boolean anyMount: - description: If true, allows usage from any mount point - within the namespace. Allow usage from any mount point - within the namespace if 'true' + description: |- + If true, allows usage from any mount point within the + namespace. + Allow usage from any mount point within the namespace if 'true' type: boolean curve: - description: The curve to use for an ECDSA key. Used when - key_type is ECDSA. Required if allow_generate_key is true. + description: |- The curve to use for an ECDSA key. Used when key_type - is 'ECDSA'. Required if 'allow_generate_key' is true + is ECDSA. Required if allow_generate_key is true. + The curve to use for an ECDSA key. Used when key_type is 'ECDSA'. Required if 'allow_generate_key' is true type: string endpoint: - description: Used to specify a custom AWS endpoint. Used - to specify a custom AWS endpoint + description: |- + Used to specify a custom AWS endpoint. + Used to specify a custom AWS endpoint type: string keyBits: - description: The size in bits for an RSA key. The size in - bits for an RSA key. This field is required when 'key_type' - is 'RSA' + description: |- + The size in bits for an RSA key. + The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' type: string keyType: - description: The type of key to use. The type of key to - use + description: |- + The type of key to use. + The type of key to use type: string kmsKey: - description: An identifier for the key. An identifier for - the key + description: |- + An identifier for the key. 
+ An identifier for the key type: string name: - description: A unique lowercase name that serves as identifying - the key. A unique lowercase name that serves as identifying - the key + description: |- + A unique lowercase name that serves as identifying the key. + A unique lowercase name that serves as identifying the key type: string region: - description: The AWS region where the keys are stored (or - will be stored). The AWS region where the keys are stored - (or will be stored) + description: |- + The AWS region where the keys are stored (or will be stored). + The AWS region where the keys are stored (or will be stored) type: string secretKey: - description: The AWS access key to use. The AWS secret key - to use + description: |- + The AWS access key to use. + The AWS secret key to use type: string uuid: description: ID of the managed key read from Vault 
@@ -880,183 +866,185 @@ spec: items: properties: allowGenerateKey: - description: If no existing key can be found in the referenced - backend, instructs Vault to generate a key within the - backend. If no existing key can be found in the referenced - backend, instructs Vault to generate a key within the - backend + description: |- + If no existing key can be found in + the referenced backend, instructs Vault to generate a key within the backend. + If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend type: boolean allowReplaceKey: - description: Controls the ability for Vault to replace through - generation or importing a key into the configured backend - even if a key is present, if set to false those operations - are forbidden if a key exists. Controls the ability for - Vault to replace through generation or importing a key - into the configured backend even if a key is present, - if set to false those operations are forbidden if a key - exists. + description: |- + Controls the ability for Vault to replace through + generation or importing a key into the configured backend even + if a key is present, if set to false those operations are forbidden + if a key exists. + Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists. type: boolean allowStoreKey: - description: Controls the ability for Vault to import a - key to the configured backend, if false, those operations - will be forbidden. Controls the ability for Vault to import - a key to the configured backend, if 'false', those operations - will be forbidden + description: |- + Controls the ability for Vault to import a key to the + configured backend, if false, those operations will be forbidden. 
+ Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden type: boolean anyMount: - description: If true, allows usage from any mount point - within the namespace. Allow usage from any mount point - within the namespace if 'true' + description: |- + If true, allows usage from any mount point within the + namespace. + Allow usage from any mount point within the namespace if 'true' type: boolean clientId: - description: The client id for credentials to query the - Azure APIs. The client id for credentials to query the - Azure APIs + description: |- + The client id for credentials to query the Azure APIs. + The client id for credentials to query the Azure APIs type: string clientSecret: - description: The client secret for credentials to query - the Azure APIs. The client secret for credentials to query - the Azure APIs + description: |- + The client secret for credentials to query the Azure APIs. + The client secret for credentials to query the Azure APIs type: string environment: - description: The Azure Cloud environment API endpoints to - use. The Azure Cloud environment API endpoints to use + description: |- + The Azure Cloud environment API endpoints to use. + The Azure Cloud environment API endpoints to use type: string keyBits: - description: The size in bits for an RSA key. The size in - bits for an RSA key. This field is required when 'key_type' - is 'RSA' or when 'allow_generate_key' is true + description: |- + The size in bits for an RSA key. + The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' or when 'allow_generate_key' is true type: string keyName: - description: The Key Vault key to use for encryption and - decryption. The Key Vault key to use for encryption and - decryption + description: |- + The Key Vault key to use for encryption and decryption. 
+ The Key Vault key to use for encryption and decryption type: string keyType: - description: The type of key to use. The type of key to - use + description: |- + The type of key to use. + The type of key to use type: string name: - description: A unique lowercase name that serves as identifying - the key. A unique lowercase name that serves as identifying - the key + description: |- + A unique lowercase name that serves as identifying the key. + A unique lowercase name that serves as identifying the key type: string resource: - description: The Azure Key Vault resource's DNS Suffix to - connect to. The Azure Key Vault resource's DNS Suffix - to connect to + description: |- + The Azure Key Vault resource's DNS Suffix to connect to. + The Azure Key Vault resource's DNS Suffix to connect to type: string tenantId: - description: The tenant id for the Azure Active Directory - organization. The tenant id for the Azure Active Directory - organization + description: |- + The tenant id for the Azure Active Directory organization. + The tenant id for the Azure Active Directory organization type: string uuid: description: ID of the managed key read from Vault type: string vaultName: - description: The Key Vault vault to use for encryption and - decryption. The Key Vault vault to use the encryption - keys for encryption and decryption + description: |- + The Key Vault vault to use for encryption and decryption. + The Key Vault vault to use the encryption keys for encryption and decryption type: string type: object type: array id: type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. 
+ The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string pkcs: description: Configuration block for PKCS Managed Keys items: properties: allowGenerateKey: - description: If no existing key can be found in the referenced - backend, instructs Vault to generate a key within the - backend. If no existing key can be found in the referenced - backend, instructs Vault to generate a key within the - backend + description: |- + If no existing key can be found in + the referenced backend, instructs Vault to generate a key within the backend. + If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend type: boolean allowReplaceKey: - description: Controls the ability for Vault to replace through - generation or importing a key into the configured backend - even if a key is present, if set to false those operations - are forbidden if a key exists. Controls the ability for - Vault to replace through generation or importing a key - into the configured backend even if a key is present, - if set to false those operations are forbidden if a key - exists. + description: |- + Controls the ability for Vault to replace through + generation or importing a key into the configured backend even + if a key is present, if set to false those operations are forbidden + if a key exists. + Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists. type: boolean allowStoreKey: - description: Controls the ability for Vault to import a - key to the configured backend, if false, those operations - will be forbidden. 
Controls the ability for Vault to import - a key to the configured backend, if 'false', those operations - will be forbidden + description: |- + Controls the ability for Vault to import a key to the + configured backend, if false, those operations will be forbidden. + Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden type: boolean anyMount: - description: If true, allows usage from any mount point - within the namespace. Allow usage from any mount point - within the namespace if 'true' + description: |- + If true, allows usage from any mount point within the + namespace. + Allow usage from any mount point within the namespace if 'true' type: boolean curve: - description: The curve to use for an ECDSA key. Used when - key_type is ECDSA. Required if allow_generate_key is true. - Supplies the curve value when using the 'CKM_ECDSA' mechanism. - Required if 'allow_generate_key' is true + description: |- + The curve to use for an ECDSA key. Used when key_type + is ECDSA. Required if allow_generate_key is true. + Supplies the curve value when using the 'CKM_ECDSA' mechanism. Required if 'allow_generate_key' is true type: string forceRwSession: - description: Force all operations to open up a read-write - session to the HSM. Force all operations to open up a - read-write session to the HSM + description: |- + Force all operations to open up a read-write session to + the HSM. + Force all operations to open up a read-write session to the HSM type: string keyBits: - description: The size in bits for an RSA key. Supplies the - size in bits of the key when using 'CKM_RSA_PKCS_PSS', - 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. - Required if 'allow_generate_key' is true + description: |- + The size in bits for an RSA key. + Supplies the size in bits of the key when using 'CKM_RSA_PKCS_PSS', 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. 
Required if 'allow_generate_key' is true type: string keyId: - description: The id of a PKCS#11 key to use. The id of a - PKCS#11 key to use + description: |- + The id of a PKCS#11 key to use. + The id of a PKCS#11 key to use type: string keyLabel: - description: The label of the key to use. The label of the - key to use + description: |- + The label of the key to use. + The label of the key to use type: string library: - description: The name of the kms_library stanza to use from - Vault's config to lookup the local library path. The name - of the kms_library stanza to use from Vault's config to - lookup the local library path + description: |- + The name of the kms_library stanza to use from Vault's config + to lookup the local library path. + The name of the kms_library stanza to use from Vault's config to lookup the local library path type: string mechanism: - description: The encryption/decryption mechanism to use, - specified as a hexadecimal (prefixed by 0x) string. The - encryption/decryption mechanism to use, specified as a + description: |- + The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string. + The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string. type: string name: - description: A unique lowercase name that serves as identifying - the key. A unique lowercase name that serves as identifying - the key + description: |- + A unique lowercase name that serves as identifying the key. + A unique lowercase name that serves as identifying the key type: string pin: - description: The PIN for login. The PIN for login + description: |- + The PIN for login. + The PIN for login type: string slot: - description: The slot number to use, specified as a string - in a decimal format (e.g. 2305843009213693953). The slot - number to use, specified as a string in a decimal format - (e.g. 
'2305843009213693953') + description: |- + The slot number to use, specified as a string in a decimal format + (e.g. 2305843009213693953). + The slot number to use, specified as a string in a decimal format (e.g. '2305843009213693953') type: string tokenLabel: - description: The slot token label to use. The slot token - label to use + description: |- + The slot token label to use. + The slot token label to use type: string uuid: description: ID of the managed key read from Vault @@ -1070,14 +1058,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -1087,8 +1084,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime 
@@ -1097,6 +1095,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/mfa.vault.upbound.io_duoes.yaml b/package/crds/mfa.vault.upbound.io_duoes.yaml index 033fc9e1..d84fdf17 100644 --- a/package/crds/mfa.vault.upbound.io_duoes.yaml +++ b/package/crds/mfa.vault.upbound.io_duoes.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: duoes.mfa.vault.upbound.io spec: group: mfa.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: configuration properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete @@ -68,10 +74,14 @@ spec: forProvider: properties: apiHostname: - description: API hostname for Duo. API hostname for Duo. + description: |- + API hostname for Duo. + API hostname for Duo. type: string integrationKeySecretRef: - description: Integration key for Duo. Integration key for Duo. + description: |- + Integration key for Duo. + Integration key for Duo. properties: key: description: The key to select. 
@@ -88,29 +98,106 @@ spec: - namespace type: object mountAccessor: - description: The mount to tie this method to for use in automatic - mappings. The mapping will use the Name field of Aliases associated - with this mount as the username in the mapping. The mount to - tie this method to for use in automatic mappings. The mapping - will use the Name field of Aliases associated with this mount - as the username in the mapping. + description: |- + The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. + The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. type: string + mountAccessorRef: + description: Reference to a Backend in auth to populate mountAccessor. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + mountAccessorSelector: + description: Selector for a Backend in auth to populate mountAccessor. 
+ properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object name: - description: '(string: ) – Name of the MFA method. Name - of the MFA method.' + description: |- + (string: ) – Name of the MFA method. + Name of the MFA method. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string pushInfo: - description: Push information for Duo. Push information for Duo. 
+ description: |- + Push information for Duo. + Push information for Duo. type: string secretKeySecretRef: - description: Secret key for Duo. Secret key for Duo. + description: |- + Secret key for Duo. + Secret key for Duo. properties: key: description: The key to select. 
@@ -127,78 +214,191 @@ spec: - namespace type: object usernameFormat: - description: 'A format string for mapping Identity names to MFA - method names. Values to substitute should be placed in {{}}. - For example, "{{alias.name}}@example.com". If blank, the Alias''s - Name field will be used as-is. Currently-supported mappings: - A format string for mapping Identity names to MFA method names. - Values to substitute should be placed in `{{}}`.' + description: |- + A format string for mapping Identity names to MFA method names. Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". If blank, the Alias's Name field will be used as-is. Currently-supported mappings: + A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. 
+ The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: apiHostname: - description: API hostname for Duo. API hostname for Duo. + description: |- + API hostname for Duo. + API hostname for Duo. type: string + integrationKeySecretRef: + description: |- + Integration key for Duo. + Integration key for Duo. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object mountAccessor: - description: The mount to tie this method to for use in automatic - mappings. The mapping will use the Name field of Aliases associated - with this mount as the username in the mapping. The mount to - tie this method to for use in automatic mappings. The mapping - will use the Name field of Aliases associated with this mount - as the username in the mapping. + description: |- + The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. + The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. type: string + mountAccessorRef: + description: Reference to a Backend in auth to populate mountAccessor. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. 
+ The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + mountAccessorSelector: + description: Selector for a Backend in auth to populate mountAccessor. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object name: - description: '(string: ) – Name of the MFA method. Name - of the MFA method.' + description: |- + (string: ) – Name of the MFA method. + Name of the MFA method. 
type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string pushInfo: - description: Push information for Duo. Push information for Duo. + description: |- + Push information for Duo. + Push information for Duo. type: string + secretKeySecretRef: + description: |- + Secret key for Duo. + Secret key for Duo. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object usernameFormat: - description: 'A format string for mapping Identity names to MFA - method names. Values to substitute should be placed in {{}}. - For example, "{{alias.name}}@example.com". If blank, the Alias''s - Name field will be used as-is. Currently-supported mappings: - A format string for mapping Identity names to MFA method names. - Values to substitute should be placed in `{{}}`.' + description: |- + A format string for mapping Identity names to MFA method names. Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". If blank, the Alias's Name field will be used as-is. Currently-supported mappings: + A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. 
type: string + required: + - integrationKeySecretRef + - secretKeySecretRef type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. 
+ description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -211,45 +411,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -259,21 +424,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -283,17 +448,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -303,21 +470,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -332,21 +499,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -357,14 +525,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -380,22 +549,18 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: apiHostname is a required parameter + - message: spec.forProvider.apiHostname is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.apiHostname) - || has(self.initProvider.apiHostname)' - - message: integrationKeySecretRef is a required parameter + || (has(self.initProvider) && has(self.initProvider.apiHostname))' + - message: spec.forProvider.integrationKeySecretRef is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.integrationKeySecretRef)' - - message: mountAccessor is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.mountAccessor) - || has(self.initProvider.mountAccessor)' - - message: name is a required parameter + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' - - message: secretKeySecretRef is a required parameter + || (has(self.initProvider) && has(self.initProvider.name))' + - message: spec.forProvider.secretKeySecretRef is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.secretKeySecretRef)' status: 
@@ -404,39 +569,39 @@ spec: atProvider: properties: apiHostname: - description: API hostname for Duo. API hostname for Duo. + description: |- + API hostname for Duo. + API hostname for Duo. type: string id: type: string mountAccessor: - description: The mount to tie this method to for use in automatic - mappings. The mapping will use the Name field of Aliases associated - with this mount as the username in the mapping. The mount to - tie this method to for use in automatic mappings. The mapping - will use the Name field of Aliases associated with this mount - as the username in the mapping. + description: |- + The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. + The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. type: string name: - description: '(string: ) – Name of the MFA method. Name - of the MFA method.' + description: |- + (string: ) – Name of the MFA method. + Name of the MFA method. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string pushInfo: - description: Push information for Duo. Push information for Duo. + description: |- + Push information for Duo. + Push information for Duo. 
type: string usernameFormat: - description: 'A format string for mapping Identity names to MFA - method names. Values to substitute should be placed in {{}}. - For example, "{{alias.name}}@example.com". If blank, the Alias''s - Name field will be used as-is. Currently-supported mappings: - A format string for mapping Identity names to MFA method names. - Values to substitute should be placed in `{{}}`.' + description: |- + A format string for mapping Identity names to MFA method names. Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". If blank, the Alias's Name field will be used as-is. Currently-supported mappings: + A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. type: string type: object conditions: @@ -445,14 +610,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. 
@@ -462,8 +636,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -472,6 +647,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/mfa.vault.upbound.io_oktas.yaml b/package/crds/mfa.vault.upbound.io_oktas.yaml index a02ac9c2..d40b4ee2 100644 --- a/package/crds/mfa.vault.upbound.io_oktas.yaml +++ b/package/crds/mfa.vault.upbound.io_oktas.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: oktas.mfa.vault.upbound.io spec: group: mfa.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: configuration properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete @@ -68,7 +74,9 @@ spec: forProvider: properties: apiTokenSecretRef: - description: Okta API key. Okta API key. + description: |- + Okta API key. + Okta API key. properties: key: description: The key to select. 
@@ -85,119 +93,293 @@ spec: - namespace type: object baseUrl: - description: If set, will be used as the base domain for API requests. - Examples are okta.com, oktapreview.com, and okta-emea.com. If - set, will be used as the base domain for API requests. + description: |- + If set, will be used as the base domain for API requests. Examples are okta.com, + oktapreview.com, and okta-emea.com. + If set, will be used as the base domain for API requests. type: string mountAccessor: - description: The mount to tie this method to for use in automatic - mappings. The mapping will use the Name field of Aliases associated - with this mount as the username in the mapping. The mount to - tie this method to for use in automatic mappings. The mapping - will use the Name field of Aliases associated with this mount - as the username in the mapping. + description: |- + The mount to tie this method to for use in automatic mappings. + The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. + The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. type: string + mountAccessorRef: + description: Reference to a Backend in auth to populate mountAccessor. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. 
The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + mountAccessorSelector: + description: Selector for a Backend in auth to populate mountAccessor. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object name: - description: '(string: ) – Name of the MFA method. Name - of the MFA method.' + description: |- + (string: ) – Name of the MFA method. + Name of the MFA method. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. 
(requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string orgName: - description: Name of the organization to be used in the Okta API. + description: |- + Name of the organization to be used in the Okta API. Name of the organization to be used in the Okta API. type: string primaryEmail: - description: If set to true, the username will only match the - primary email for the account. If set to true, the username - will only match the primary email for the account. + description: |- + If set to true, the username will only match the + primary email for the account. + If set to true, the username will only match the primary email for the account. type: boolean usernameFormat: - description: 'A format string for mapping Identity names to MFA - method names. Values to substitute should be placed in {{}}. - For example, "{{alias.name}}@example.com". If blank, the Alias''s - Name field will be used as-is. Currently-supported mappings: + description: |- A format string for mapping Identity names to MFA method names. - Values to substitute should be placed in `{{}}`.' + Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". + If blank, the Alias's Name field will be used as-is. Currently-supported mappings: + A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. 
The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: + apiTokenSecretRef: + description: |- + Okta API key. + Okta API key. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object baseUrl: - description: If set, will be used as the base domain for API requests. - Examples are okta.com, oktapreview.com, and okta-emea.com. If - set, will be used as the base domain for API requests. + description: |- + If set, will be used as the base domain for API requests. Examples are okta.com, + oktapreview.com, and okta-emea.com. + If set, will be used as the base domain for API requests. type: string mountAccessor: - description: The mount to tie this method to for use in automatic - mappings. 
The mapping will use the Name field of Aliases associated - with this mount as the username in the mapping. The mount to - tie this method to for use in automatic mappings. The mapping - will use the Name field of Aliases associated with this mount - as the username in the mapping. + description: |- + The mount to tie this method to for use in automatic mappings. + The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. + The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. type: string + mountAccessorRef: + description: Reference to a Backend in auth to populate mountAccessor. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + mountAccessorSelector: + description: Selector for a Backend in auth to populate mountAccessor. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. 
+ type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object name: - description: '(string: ) – Name of the MFA method. Name - of the MFA method.' + description: |- + (string: ) – Name of the MFA method. + Name of the MFA method. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string orgName: - description: Name of the organization to be used in the Okta API. + description: |- + Name of the organization to be used in the Okta API. Name of the organization to be used in the Okta API. 
type: string primaryEmail: - description: If set to true, the username will only match the - primary email for the account. If set to true, the username - will only match the primary email for the account. + description: |- + If set to true, the username will only match the + primary email for the account. + If set to true, the username will only match the primary email for the account. type: boolean usernameFormat: - description: 'A format string for mapping Identity names to MFA - method names. Values to substitute should be placed in {{}}. - For example, "{{alias.name}}@example.com". If blank, the Alias''s - Name field will be used as-is. Currently-supported mappings: + description: |- A format string for mapping Identity names to MFA method names. - Values to substitute should be placed in `{{}}`.' + Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". + If blank, the Alias's Name field will be used as-is. Currently-supported mappings: + A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. type: string + required: + - apiTokenSecretRef type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. 
See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
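Review bot: The new `required: - apiTokenSecretRef` entry under `initProvider` means any manifest that sets a single initProvider field must also carry the Okta API token reference there. The CEL rule in the validations hunk of this same file still accepts the token only as `has(self.forProvider.apiTokenSecretRef)`, with no initProvider alternative. Under the default `'*'` management policy, a user who sets only `initProvider.orgName` therefore has to reference the secret in both places, and the schema does not say which reference wins. This CRD is generated, so the fix belongs in the generator input: mark the initProvider copy of the field optional so the `required` list is not emitted. If the token is meant to be settable there, instead extend the rule with `|| (has(self.initProvider) && has(self.initProvider.apiTokenSecretRef))`, as the `name` and `orgName` rules already do.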
@@ -210,45 +392,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -258,21 +405,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -282,17 +429,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -302,21 +451,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -331,21 +480,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -356,14 +506,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -379,68 +530,66 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: apiTokenSecretRef is a required parameter + - message: spec.forProvider.apiTokenSecretRef is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.apiTokenSecretRef)' - - message: mountAccessor is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.mountAccessor) - || has(self.initProvider.mountAccessor)' - - message: name is a required parameter + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' - - message: orgName is a required parameter + || (has(self.initProvider) && has(self.initProvider.name))' + - message: spec.forProvider.orgName is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.orgName) - || has(self.initProvider.orgName)' + || (has(self.initProvider) && has(self.initProvider.orgName))' status: description: OktaStatus defines the observed state of Okta. properties: atProvider: properties: baseUrl: - description: If set, will be used as the base domain for API requests. - Examples are okta.com, oktapreview.com, and okta-emea.com. If - set, will be used as the base domain for API requests. + description: |- + If set, will be used as the base domain for API requests. Examples are okta.com, + oktapreview.com, and okta-emea.com. + If set, will be used as the base domain for API requests. type: string id: type: string mountAccessor: - description: The mount to tie this method to for use in automatic - mappings. 
The mapping will use the Name field of Aliases associated - with this mount as the username in the mapping. The mount to - tie this method to for use in automatic mappings. The mapping - will use the Name field of Aliases associated with this mount - as the username in the mapping. + description: |- + The mount to tie this method to for use in automatic mappings. + The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. + The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. type: string name: - description: '(string: ) – Name of the MFA method. Name - of the MFA method.' + description: |- + (string: ) – Name of the MFA method. + Name of the MFA method. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string orgName: - description: Name of the organization to be used in the Okta API. + description: |- + Name of the organization to be used in the Okta API. Name of the organization to be used in the Okta API. type: string primaryEmail: - description: If set to true, the username will only match the - primary email for the account. If set to true, the username - will only match the primary email for the account. + description: |- + If set to true, the username will only match the + primary email for the account. 
+ If set to true, the username will only match the primary email for the account. type: boolean usernameFormat: - description: 'A format string for mapping Identity names to MFA - method names. Values to substitute should be placed in {{}}. - For example, "{{alias.name}}@example.com". If blank, the Alias''s - Name field will be used as-is. Currently-supported mappings: + description: |- A format string for mapping Identity names to MFA method names. - Values to substitute should be placed in `{{}}`.' + Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". + If blank, the Alias's Name field will be used as-is. Currently-supported mappings: + A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. type: string type: object conditions: @@ -449,14 +598,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. 
@@ -466,8 +624,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -476,6 +635,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/mfa.vault.upbound.io_pingids.yaml b/package/crds/mfa.vault.upbound.io_pingids.yaml index e34f3731..a9a78311 100644 --- a/package/crds/mfa.vault.upbound.io_pingids.yaml +++ b/package/crds/mfa.vault.upbound.io_pingids.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: pingids.mfa.vault.upbound.io spec: group: mfa.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: method configuration properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,101 +74,250 @@ spec: forProvider: properties: mountAccessor: - description: The mount to tie this method to for use in automatic - mappings. The mapping will use the Name field of Aliases associated - with this mount as the username in the mapping. The mount to - tie this method to for use in automatic mappings. The mapping - will use the Name field of Aliases associated with this mount - as the username in the mapping. + description: |- + The mount to tie this method to for use in automatic mappings. + The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. + The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. type: string + mountAccessorRef: + description: Reference to a Backend in auth to populate mountAccessor. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + mountAccessorSelector: + description: Selector for a Backend in auth to populate mountAccessor. 
+ properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object name: - description: '(string: ) – Name of the MFA method. Name - of the MFA method.' + description: |- + (string: ) – Name of the MFA method. + Name of the MFA method. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. 
(requires Enterprise) type: string settingsFileBase64: - description: A base64-encoded third-party settings file retrieved - from PingID's configuration page. A base64-encoded third-party - settings file retrieved from PingID's configuration page. + description: |- + A base64-encoded third-party settings file retrieved + from PingID's configuration page. + A base64-encoded third-party settings file retrieved from PingID's configuration page. type: string usernameFormat: - description: 'A format string for mapping Identity names to MFA - method names. Values to substitute should be placed in {{}}. - For example, "{{alias.name}}@example.com". If blank, the Alias''s - Name field will be used as-is. Currently-supported mappings: + description: |- A format string for mapping Identity names to MFA method names. - Values to substitute should be placed in `{{}}`.' + Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". + If blank, the Alias's Name field will be used as-is. Currently-supported mappings: + A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. 
It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: mountAccessor: - description: The mount to tie this method to for use in automatic - mappings. The mapping will use the Name field of Aliases associated - with this mount as the username in the mapping. The mount to - tie this method to for use in automatic mappings. The mapping - will use the Name field of Aliases associated with this mount - as the username in the mapping. + description: |- + The mount to tie this method to for use in automatic mappings. + The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. + The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. type: string + mountAccessorRef: + description: Reference to a Backend in auth to populate mountAccessor. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + mountAccessorSelector: + description: Selector for a Backend in auth to populate mountAccessor. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object name: - description: '(string: ) – Name of the MFA method. Name - of the MFA method.' + description: |- + (string: ) – Name of the MFA method. + Name of the MFA method. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. 
The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string settingsFileBase64: - description: A base64-encoded third-party settings file retrieved - from PingID's configuration page. A base64-encoded third-party - settings file retrieved from PingID's configuration page. + description: |- + A base64-encoded third-party settings file retrieved + from PingID's configuration page. + A base64-encoded third-party settings file retrieved from PingID's configuration page. type: string usernameFormat: - description: 'A format string for mapping Identity names to MFA - method names. Values to substitute should be placed in {{}}. - For example, "{{alias.name}}@example.com". If blank, the Alias''s - Name field will be used as-is. Currently-supported mappings: + description: |- A format string for mapping Identity names to MFA method names. - Values to substitute should be placed in `{{}}`.' + Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". + If blank, the Alias's Name field will be used as-is. Currently-supported mappings: + A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. 
This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
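Review bot: `settingsFileBase64` is still declared as a plain `type: string` under both `forProvider` and `initProvider` in this hunk, so the PingID settings file sits in the object's spec, readable by anyone who can get the resource and present in every stored copy of the manifest. That file typically carries the organisation's PingID key and token, and the Okta CRD in this same change already takes its credential through `apiTokenSecretRef`. Because this CRD is generated, the fix belongs in the provider's resource configuration: mark the Terraform attribute sensitive so the generator emits a secret reference (presumably `settingsFileBase64SecretRef`), and the `settingsFileBase64 is a required parameter` rule would then follow it. This changes the API, so existing objects would need a migration note.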
@@ -175,9 +330,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -187,57 +343,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -247,17 +367,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -267,21 +389,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -296,21 +418,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -321,14 +444,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -344,86 +468,88 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: mountAccessor is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.mountAccessor) - || has(self.initProvider.mountAccessor)' - - message: name is a required parameter + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' - - message: settingsFileBase64 is a required parameter + || (has(self.initProvider) && has(self.initProvider.name))' + - message: spec.forProvider.settingsFileBase64 is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.settingsFileBase64) - || has(self.initProvider.settingsFileBase64)' + || (has(self.initProvider) && has(self.initProvider.settingsFileBase64))' status: description: PingidStatus defines the observed state of Pingid. properties: atProvider: properties: adminUrl: - description: (string) – Admin URL computed by Vault Admin URL - computed by Vault. + description: |- + (string) – Admin URL computed by Vault + Admin URL computed by Vault. type: string authenticatorUrl: - description: (string) – Authenticator URL computed by Vault Authenticator - URL computed by Vault. + description: |- + (string) – Authenticator URL computed by Vault + Authenticator URL computed by Vault. type: string id: description: (string) – ID computed by Vault type: string idpUrl: - description: (string) – IDP URL computed by Vault IDP URL computed - by Vault. + description: |- + (string) – IDP URL computed by Vault + IDP URL computed by Vault. 
type: string mountAccessor: - description: The mount to tie this method to for use in automatic - mappings. The mapping will use the Name field of Aliases associated - with this mount as the username in the mapping. The mount to - tie this method to for use in automatic mappings. The mapping - will use the Name field of Aliases associated with this mount - as the username in the mapping. + description: |- + The mount to tie this method to for use in automatic mappings. + The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. + The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. type: string name: - description: '(string: ) – Name of the MFA method. Name - of the MFA method.' + description: |- + (string: ) – Name of the MFA method. + Name of the MFA method. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string namespaceId: - description: (string) – Namespace ID computed by Vault Namespace - ID computed by Vault. + description: |- + (string) – Namespace ID computed by Vault + Namespace ID computed by Vault. type: string orgAlias: - description: (string) – Org Alias computed by Vault Org Alias - computed by Vault. + description: |- + (string) – Org Alias computed by Vault + Org Alias computed by Vault. 
type: string settingsFileBase64: - description: A base64-encoded third-party settings file retrieved - from PingID's configuration page. A base64-encoded third-party - settings file retrieved from PingID's configuration page. + description: |- + A base64-encoded third-party settings file retrieved + from PingID's configuration page. + A base64-encoded third-party settings file retrieved from PingID's configuration page. type: string type: - description: (string) – Type of configuration computed by Vault + description: |- + (string) – Type of configuration computed by Vault Type of configuration computed by Vault. type: string useSignature: - description: (string) – If set to true, enables use of PingID - signature. Computed by Vault If set, enables use of PingID signature. - Computed by Vault + description: |- + (string) – If set to true, enables use of PingID signature. Computed by Vault + If set, enables use of PingID signature. Computed by Vault type: boolean usernameFormat: - description: 'A format string for mapping Identity names to MFA - method names. Values to substitute should be placed in {{}}. - For example, "{{alias.name}}@example.com". If blank, the Alias''s - Name field will be used as-is. Currently-supported mappings: + description: |- A format string for mapping Identity names to MFA method names. - Values to substitute should be placed in `{{}}`.' + Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". + If blank, the Alias's Name field will be used as-is. Currently-supported mappings: + A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. type: string type: object conditions: 
@@ -432,14 +558,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -449,8 +584,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -459,6 +595,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/mfa.vault.upbound.io_totps.yaml b/package/crds/mfa.vault.upbound.io_totps.yaml index f71c442e..6db741f7 100644 
--- a/package/crds/mfa.vault.upbound.io_totps.yaml +++ b/package/crds/mfa.vault.upbound.io_totps.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: totps.mfa.vault.upbound.io spec: group: mfa.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: configuration properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,127 +74,140 @@ spec: forProvider: properties: algorithm: - description: Specifies the hashing algorithm used to generate - the TOTP code. Options include SHA1, SHA256 and SHA512 Specifies - the hashing algorithm used to generate the TOTP code. Options - include 'SHA1', 'SHA256' and 'SHA512'. + description: |- + Specifies the hashing algorithm used to generate the TOTP code. + Options include SHA1, SHA256 and SHA512 + Specifies the hashing algorithm used to generate the TOTP code. Options include 'SHA1', 'SHA256' and 'SHA512'. type: string digits: - description: The number of digits in the generated TOTP token. - This value can either be 6 or 8. The number of digits in the - generated TOTP token. This value can either be 6 or 8. + description: |- + The number of digits in the generated TOTP token. + This value can either be 6 or 8. + The number of digits in the generated TOTP token. This value can either be 6 or 8. type: number issuer: - description: The name of the key's issuing organization. The name - of the key's issuing organization. + description: |- + The name of the key's issuing organization. + The name of the key's issuing organization. type: string keySize: - description: Specifies the size in bytes of the generated key. + description: |- + Specifies the size in bytes of the generated key. Specifies the size in bytes of the generated key. type: number name: - description: '(string: ) – Name of the MFA method. Name - of the MFA method.' + description: |- + (string: ) – Name of the MFA method. + Name of the MFA method. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. 
+ The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string period: - description: The length of time used to generate a counter for - the TOTP token calculation. The length of time used to generate - a counter for the TOTP token calculation. + description: |- + The length of time used to generate a counter for the TOTP token calculation. + The length of time used to generate a counter for the TOTP token calculation. type: number qrSize: - description: The pixel size of the generated square QR code. The - pixel size of the generated square QR code. + description: |- + The pixel size of the generated square QR code. + The pixel size of the generated square QR code. type: number skew: - description: The number of delay periods that are allowed when - validating a TOTP token. This value can either be 0 or 1. The - number of delay periods that are allowed when validating a TOTP - token. This value can either be 0 or 1. + description: |- + The number of delay periods that are allowed when validating a TOTP token. + This value can either be 0 or 1. + The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. type: number type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. 
This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: algorithm: - description: Specifies the hashing algorithm used to generate - the TOTP code. Options include SHA1, SHA256 and SHA512 Specifies - the hashing algorithm used to generate the TOTP code. Options - include 'SHA1', 'SHA256' and 'SHA512'. + description: |- + Specifies the hashing algorithm used to generate the TOTP code. + Options include SHA1, SHA256 and SHA512 + Specifies the hashing algorithm used to generate the TOTP code. Options include 'SHA1', 'SHA256' and 'SHA512'. type: string digits: - description: The number of digits in the generated TOTP token. - This value can either be 6 or 8. The number of digits in the - generated TOTP token. This value can either be 6 or 8. + description: |- + The number of digits in the generated TOTP token. + This value can either be 6 or 8. + The number of digits in the generated TOTP token. This value can either be 6 or 8. type: number issuer: - description: The name of the key's issuing organization. The name - of the key's issuing organization. + description: |- + The name of the key's issuing organization. + The name of the key's issuing organization. 
type: string keySize: - description: Specifies the size in bytes of the generated key. + description: |- + Specifies the size in bytes of the generated key. Specifies the size in bytes of the generated key. type: number name: - description: '(string: ) – Name of the MFA method. Name - of the MFA method.' + description: |- + (string: ) – Name of the MFA method. + Name of the MFA method. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string period: - description: The length of time used to generate a counter for - the TOTP token calculation. The length of time used to generate - a counter for the TOTP token calculation. + description: |- + The length of time used to generate a counter for the TOTP token calculation. + The length of time used to generate a counter for the TOTP token calculation. type: number qrSize: - description: The pixel size of the generated square QR code. The - pixel size of the generated square QR code. + description: |- + The pixel size of the generated square QR code. + The pixel size of the generated square QR code. type: number skew: - description: The number of delay periods that are allowed when - validating a TOTP token. This value can either be 0 or 1. The - number of delay periods that are allowed when validating a TOTP - token. This value can either be 0 or 1. + description: |- + The number of delay periods that are allowed when validating a TOTP token. + This value can either be 0 or 1. 
+ The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. type: number type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. 
+ See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -201,9 +220,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -213,57 +233,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -273,17 +257,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -293,21 +279,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -322,21 +308,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -347,14 +334,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -370,65 +358,71 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: issuer is a required parameter + - message: spec.forProvider.issuer is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.issuer) - || has(self.initProvider.issuer)' - - message: name is a required parameter + || (has(self.initProvider) && has(self.initProvider.issuer))' + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' + || (has(self.initProvider) && has(self.initProvider.name))' status: description: TotpStatus defines the observed state of Totp. properties: atProvider: properties: algorithm: - description: Specifies the hashing algorithm used to generate - the TOTP code. Options include SHA1, SHA256 and SHA512 Specifies - the hashing algorithm used to generate the TOTP code. Options - include 'SHA1', 'SHA256' and 'SHA512'. + description: |- + Specifies the hashing algorithm used to generate the TOTP code. + Options include SHA1, SHA256 and SHA512 + Specifies the hashing algorithm used to generate the TOTP code. Options include 'SHA1', 'SHA256' and 'SHA512'. type: string digits: - description: The number of digits in the generated TOTP token. - This value can either be 6 or 8. The number of digits in the - generated TOTP token. This value can either be 6 or 8. + description: |- + The number of digits in the generated TOTP token. + This value can either be 6 or 8. + The number of digits in the generated TOTP token. This value can either be 6 or 8. type: number id: type: string issuer: - description: The name of the key's issuing organization. The name - of the key's issuing organization. + description: |- + The name of the key's issuing organization. 
+ The name of the key's issuing organization. type: string keySize: - description: Specifies the size in bytes of the generated key. + description: |- + Specifies the size in bytes of the generated key. Specifies the size in bytes of the generated key. type: number name: - description: '(string: ) – Name of the MFA method. Name - of the MFA method.' + description: |- + (string: ) – Name of the MFA method. + Name of the MFA method. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string period: - description: The length of time used to generate a counter for - the TOTP token calculation. The length of time used to generate - a counter for the TOTP token calculation. + description: |- + The length of time used to generate a counter for the TOTP token calculation. + The length of time used to generate a counter for the TOTP token calculation. type: number qrSize: - description: The pixel size of the generated square QR code. The - pixel size of the generated square QR code. + description: |- + The pixel size of the generated square QR code. + The pixel size of the generated square QR code. type: number skew: - description: The number of delay periods that are allowed when - validating a TOTP token. This value can either be 0 or 1. The - number of delay periods that are allowed when validating a TOTP - token. This value can either be 0 or 1. 
+ description: |- + The number of delay periods that are allowed when validating a TOTP token. + This value can either be 0 or 1. + The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. type: number type: object conditions: @@ -437,14 +431,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -454,8 +457,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime 
@@ -464,6 +468,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/mongodbatlas.vault.upbound.io_secretbackends.yaml b/package/crds/mongodbatlas.vault.upbound.io_secretbackends.yaml index 396e4c54..48d79bbf 100644 --- a/package/crds/mongodbatlas.vault.upbound.io_secretbackends.yaml +++ b/package/crds/mongodbatlas.vault.upbound.io_secretbackends.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretbackends.mongodbatlas.vault.upbound.io spec: group: mongodbatlas.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: a MongoDB Atlas secret backend for Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,79 +74,232 @@ spec: forProvider: properties: mount: - description: Path where the MongoDB Atlas Secrets Engine is mounted. + description: |- + Path where the MongoDB Atlas Secrets Engine is mounted. Path where MongoDB Atlas secret backend is mounted type: string + mountRef: + description: Reference to a Mount in vault to populate mount. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + mountSelector: + description: Selector for a Mount in vault to populate mount. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 
'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string privateKey: - description: Specifies the Private API Key used to authenticate - with the MongoDB Atlas API. The Private Programmatic API Key - used to connect with MongoDB Atlas API + description: |- + Specifies the Private API Key used to authenticate with the MongoDB Atlas API. + The Private Programmatic API Key used to connect with MongoDB Atlas API type: string publicKey: - description: Specifies the Public API Key used to authenticate - with the MongoDB Atlas API. The Public Programmatic API Key - used to authenticate with the MongoDB Atlas API + description: |- + Specifies the Public API Key used to authenticate with the MongoDB Atlas API. + The Public Programmatic API Key used to authenticate with the MongoDB Atlas API type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. 
- It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: mount: - description: Path where the MongoDB Atlas Secrets Engine is mounted. + description: |- + Path where the MongoDB Atlas Secrets Engine is mounted. Path where MongoDB Atlas secret backend is mounted type: string + mountRef: + description: Reference to a Mount in vault to populate mount. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 
'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + mountSelector: + description: Selector for a Mount in vault to populate mount. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. 
(requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string privateKey: - description: Specifies the Private API Key used to authenticate - with the MongoDB Atlas API. The Private Programmatic API Key - used to connect with MongoDB Atlas API + description: |- + Specifies the Private API Key used to authenticate with the MongoDB Atlas API. + The Private Programmatic API Key used to connect with MongoDB Atlas API type: string publicKey: - description: Specifies the Public API Key used to authenticate - with the MongoDB Atlas API. The Public Programmatic API Key - used to authenticate with the MongoDB Atlas API + description: |- + Specifies the Public API Key used to authenticate with the MongoDB Atlas API. + The Public Programmatic API Key used to authenticate with the MongoDB Atlas API type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. 
See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -153,9 +312,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
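Review bot: `spec.forProvider.privateKey` (and the same field under `initProvider` in the `@@ -68,79 +74,232 @@` hunk) is still declared as a plain `type: string`, so the MongoDB Atlas Private API Key is stored in cleartext on the SecretBackend object. The `@@ -342,28 +466,30 @@` hunk shows the same field echoed under `status.atProvider.privateKey`. Anyone who can read this cluster-scoped resource, or an etcd backup containing it, can recover the key. This file appears to be controller-gen output, so the fix belongs in the generator input rather than in the CRD. Presumably marking the underlying `private_key` field as sensitive in the provider's resource configuration would regenerate it as a secret reference and drop it from status; confirm against the generator. Until then, read access to `secretbackends.mongodbatlas.vault.upbound.io` should be restricted as tightly as access to Secrets.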
@@ -165,57 +325,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -225,17 +349,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -245,21 +371,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -274,21 +400,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -299,14 +426,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -322,18 +450,14 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: mount is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.mount) - || has(self.initProvider.mount)' - - message: privateKey is a required parameter + - message: spec.forProvider.privateKey is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.privateKey) - || has(self.initProvider.privateKey)' - - message: publicKey is a required parameter + || (has(self.initProvider) && has(self.initProvider.privateKey))' + - message: spec.forProvider.publicKey is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.publicKey) - || has(self.initProvider.publicKey)' + || (has(self.initProvider) && has(self.initProvider.publicKey))' status: description: SecretBackendStatus defines the observed state of SecretBackend. properties: 
@@ -342,28 +466,30 @@ spec: id: type: string mount: - description: Path where the MongoDB Atlas Secrets Engine is mounted. + description: |- + Path where the MongoDB Atlas Secrets Engine is mounted. Path where MongoDB Atlas secret backend is mounted type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: description: Path where MongoDB Atlas configuration is located type: string privateKey: - description: Specifies the Private API Key used to authenticate - with the MongoDB Atlas API. The Private Programmatic API Key - used to connect with MongoDB Atlas API + description: |- + Specifies the Private API Key used to authenticate with the MongoDB Atlas API. + The Private Programmatic API Key used to connect with MongoDB Atlas API type: string publicKey: - description: Specifies the Public API Key used to authenticate - with the MongoDB Atlas API. The Public Programmatic API Key - used to authenticate with the MongoDB Atlas API + description: |- + Specifies the Public API Key used to authenticate with the MongoDB Atlas API. + The Public Programmatic API Key used to authenticate with the MongoDB Atlas API type: string type: object conditions: 
@@ -372,14 +498,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -389,8 +524,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -399,6 +535,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/mongodbatlas.vault.upbound.io_secretroles.yaml b/package/crds/mongodbatlas.vault.upbound.io_secretroles.yaml index 38711200..6773f3b8 100644 --- a/package/crds/mongodbatlas.vault.upbound.io_secretroles.yaml +++ b/package/crds/mongodbatlas.vault.upbound.io_secretroles.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretroles.mongodbatlas.vault.upbound.io spec: group: mongodbatlas.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: for the MongoDB Atlas Secret Engine in Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,157 +74,322 @@ spec: forProvider: properties: cidrBlocks: - description: Whitelist entry in CIDR notation to be added for - the API key. Whitelist entry in CIDR notation to be added for - the API key + description: |- + Whitelist entry in CIDR notation to be added for the API key. + Whitelist entry in CIDR notation to be added for the API key items: type: string type: array ipAddresses: - description: IP address to be added to the whitelist for the API - key. IP address to be added to the whitelist for the API key + description: |- + IP address to be added to the whitelist for the API key. + IP address to be added to the whitelist for the API key items: type: string type: array maxTtl: - description: The maximum allowed lifetime of credentials issued - using this role. The maximum allowed lifetime of credentials - issued using this role + description: |- + The maximum allowed lifetime of credentials issued using this role. + The maximum allowed lifetime of credentials issued using this role type: string mount: - description: Path where the MongoDB Atlas Secrets Engine is mounted. + description: |- + Path where the MongoDB Atlas Secrets Engine is mounted. Path where MongoDB Atlas secret backend is mounted type: string + mountRef: + description: Reference to a Mount in vault to populate mount. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. 
The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + mountSelector: + description: Selector for a Mount in vault to populate mount. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object name: - description: The name of the role. Name of the role + description: |- + The name of the role. + Name of the role type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. 
+ The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string organizationId: - description: Unique identifier for the organization to which the - target API Key belongs. Required if project_id is not set. ID - for the organization to which the target API Key belongs + description: |- + Unique identifier for the organization to which the target API Key belongs. + Required if project_id is not set. + ID for the organization to which the target API Key belongs type: string projectId: - description: Unique identifier for the project to which the target - API Key belongs. Required if organization_id is not set. ID - for the project to which the target API Key belongs + description: |- + Unique identifier for the project to which the target API Key belongs. + Required if organization_id is not set. + ID for the project to which the target API Key belongs type: string projectRoles: - description: Roles assigned when an org API key is assigned to - a project API key. Roles assigned when an org API key is assigned - to a project API key + description: |- + Roles assigned when an org API key is assigned to a project API key. Possible values are GROUP_CLUSTER_MANAGER, GROUP_DATA_ACCESS_ADMIN, GROUP_DATA_ACCESS_READ_ONLY, GROUP_DATA_ACCESS_READ_WRITE, GROUP_OWNER and GROUP_READ_ONLY. + Roles assigned when an org API key is assigned to a project API key items: type: string type: array roles: - description: List of roles that the API Key needs to have. List - of roles that the API Key needs to have + description: |- + List of roles that the API Key needs to have. Possible values are ORG_OWNER, ORG_MEMBER, ORG_GROUP_CREATOR, ORG_BILLING_ADMIN and ORG_READ_ONLY. 
+ List of roles that the API Key needs to have items: type: string type: array ttl: - description: Duration in seconds after which the issued credential - should expire. Duration in seconds after which the issued credential - should expire + description: |- + Duration in seconds after which the issued credential should expire. + Duration in seconds after which the issued credential should expire type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: cidrBlocks: - description: Whitelist entry in CIDR notation to be added for - the API key. 
Whitelist entry in CIDR notation to be added for - the API key + description: |- + Whitelist entry in CIDR notation to be added for the API key. + Whitelist entry in CIDR notation to be added for the API key items: type: string type: array ipAddresses: - description: IP address to be added to the whitelist for the API - key. IP address to be added to the whitelist for the API key + description: |- + IP address to be added to the whitelist for the API key. + IP address to be added to the whitelist for the API key items: type: string type: array maxTtl: - description: The maximum allowed lifetime of credentials issued - using this role. The maximum allowed lifetime of credentials - issued using this role + description: |- + The maximum allowed lifetime of credentials issued using this role. + The maximum allowed lifetime of credentials issued using this role type: string mount: - description: Path where the MongoDB Atlas Secrets Engine is mounted. + description: |- + Path where the MongoDB Atlas Secrets Engine is mounted. Path where MongoDB Atlas secret backend is mounted type: string + mountRef: + description: Reference to a Mount in vault to populate mount. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + mountSelector: + description: Selector for a Mount in vault to populate mount. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object name: - description: The name of the role. Name of the role + description: |- + The name of the role. + Name of the role type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. 
(requires Enterprise) type: string organizationId: - description: Unique identifier for the organization to which the - target API Key belongs. Required if project_id is not set. ID - for the organization to which the target API Key belongs + description: |- + Unique identifier for the organization to which the target API Key belongs. + Required if project_id is not set. + ID for the organization to which the target API Key belongs type: string projectId: - description: Unique identifier for the project to which the target - API Key belongs. Required if organization_id is not set. ID - for the project to which the target API Key belongs + description: |- + Unique identifier for the project to which the target API Key belongs. + Required if organization_id is not set. + ID for the project to which the target API Key belongs type: string projectRoles: - description: Roles assigned when an org API key is assigned to - a project API key. Roles assigned when an org API key is assigned - to a project API key + description: |- + Roles assigned when an org API key is assigned to a project API key. Possible values are GROUP_CLUSTER_MANAGER, GROUP_DATA_ACCESS_ADMIN, GROUP_DATA_ACCESS_READ_ONLY, GROUP_DATA_ACCESS_READ_WRITE, GROUP_OWNER and GROUP_READ_ONLY. + Roles assigned when an org API key is assigned to a project API key items: type: string type: array roles: - description: List of roles that the API Key needs to have. List - of roles that the API Key needs to have + description: |- + List of roles that the API Key needs to have. Possible values are ORG_OWNER, ORG_MEMBER, ORG_GROUP_CREATOR, ORG_BILLING_ADMIN and ORG_READ_ONLY. + List of roles that the API Key needs to have items: type: string type: array ttl: - description: Duration in seconds after which the issued credential - should expire. Duration in seconds after which the issued credential - should expire + description: |- + Duration in seconds after which the issued credential should expire. 
+ Duration in seconds after which the issued credential should expire type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. 
+ description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -231,9 +402,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -243,57 +415,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -303,17 +439,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -323,21 +461,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -352,21 +490,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -377,14 +516,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -400,84 +540,88 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: mount is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.mount) - || has(self.initProvider.mount)' - - message: name is a required parameter + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' - - message: roles is a required parameter + || (has(self.initProvider) && has(self.initProvider.name))' + - message: spec.forProvider.roles is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.roles) - || has(self.initProvider.roles)' + || (has(self.initProvider) && has(self.initProvider.roles))' status: description: SecretRoleStatus defines the observed state of SecretRole. properties: atProvider: properties: cidrBlocks: - description: Whitelist entry in CIDR notation to be added for - the API key. Whitelist entry in CIDR notation to be added for - the API key + description: |- + Whitelist entry in CIDR notation to be added for the API key. + Whitelist entry in CIDR notation to be added for the API key items: type: string type: array id: type: string ipAddresses: - description: IP address to be added to the whitelist for the API - key. IP address to be added to the whitelist for the API key + description: |- + IP address to be added to the whitelist for the API key. + IP address to be added to the whitelist for the API key items: type: string type: array maxTtl: - description: The maximum allowed lifetime of credentials issued - using this role. 
The maximum allowed lifetime of credentials - issued using this role + description: |- + The maximum allowed lifetime of credentials issued using this role. + The maximum allowed lifetime of credentials issued using this role type: string mount: - description: Path where the MongoDB Atlas Secrets Engine is mounted. + description: |- + Path where the MongoDB Atlas Secrets Engine is mounted. Path where MongoDB Atlas secret backend is mounted type: string name: - description: The name of the role. Name of the role + description: |- + The name of the role. + Name of the role type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string organizationId: - description: Unique identifier for the organization to which the - target API Key belongs. Required if project_id is not set. ID - for the organization to which the target API Key belongs + description: |- + Unique identifier for the organization to which the target API Key belongs. + Required if project_id is not set. + ID for the organization to which the target API Key belongs type: string projectId: - description: Unique identifier for the project to which the target - API Key belongs. Required if organization_id is not set. ID - for the project to which the target API Key belongs + description: |- + Unique identifier for the project to which the target API Key belongs. + Required if organization_id is not set. 
+ ID for the project to which the target API Key belongs type: string projectRoles: - description: Roles assigned when an org API key is assigned to - a project API key. Roles assigned when an org API key is assigned - to a project API key + description: |- + Roles assigned when an org API key is assigned to a project API key. Possible values are GROUP_CLUSTER_MANAGER, GROUP_DATA_ACCESS_ADMIN, GROUP_DATA_ACCESS_READ_ONLY, GROUP_DATA_ACCESS_READ_WRITE, GROUP_OWNER and GROUP_READ_ONLY. + Roles assigned when an org API key is assigned to a project API key items: type: string type: array roles: - description: List of roles that the API Key needs to have. List - of roles that the API Key needs to have + description: |- + List of roles that the API Key needs to have. Possible values are ORG_OWNER, ORG_MEMBER, ORG_GROUP_CREATOR, ORG_BILLING_ADMIN and ORG_READ_ONLY. + List of roles that the API Key needs to have items: type: string type: array ttl: - description: Duration in seconds after which the issued credential - should expire. Duration in seconds after which the issued credential - should expire + description: |- + Duration in seconds after which the issued credential should expire. + Duration in seconds after which the issued credential should expire type: string type: object conditions: 
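Review bot: The `mount is a required parameter` rule is dropped from `x-kubernetes-validations` in this hunk while `name` and `roles` keep theirs, so a SecretRole that sets none of `mount`, `mountRef` or `mountSelector` is no longer rejected at admission. The `mountRef`/`mountSelector` policy added earlier in this file allows `resolution: Optional`, described there as a no-op when the reference cannot be resolved, so the mount path can presumably remain empty until reconcile time. This CRD appears to be generated, so the change belongs in the generator input rather than in this file. There, keep the managementPolicies guard and require one of the three, ending the rule with `has(self.forProvider.mount) || has(self.forProvider.mountRef) || has(self.forProvider.mountSelector)` plus the `has(self.initProvider) &&`-guarded equivalents. That `has(self.initProvider)` guard, newly added to the two remaining rules, should be carried into any restored rule.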
@@ -486,14 +630,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -503,8 +656,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -513,6 +667,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/nomad.vault.upbound.io_secretbackends.yaml b/package/crds/nomad.vault.upbound.io_secretbackends.yaml index 65373628..e34f83ae 100644 --- a/package/crds/nomad.vault.upbound.io_secretbackends.yaml +++ b/package/crds/nomad.vault.upbound.io_secretbackends.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretbackends.nomad.vault.upbound.io spec: group: nomad.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: a Nomad secret backend for Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,26 +74,27 @@ spec: forProvider: properties: address: - description: Specifies the address of the Nomad instance, provided - as "protocol://host:port" like "http://127.0.0.1:4646". Specifies - the address of the Nomad instance, provided as "protocol://host:port" - like "http://127.0.0.1:4646". + description: |- + Specifies the address of the Nomad instance, provided + as "protocol://host:port" like "http://127.0.0.1:4646". + Specifies the address of the Nomad instance, provided as "protocol://host:port" like "http://127.0.0.1:4646". type: string backend: - description: The unique path this backend should be mounted at. - Must not begin or end with a /. Defaults to nomad. The mount - path for the Nomad backend. + description: |- + The unique path this backend should be mounted at. Must + not begin or end with a /. Defaults to nomad. + The mount path for the Nomad backend. type: string caCert: - description: CA certificate to use when verifying the Nomad server - certificate, must be x509 PEM encoded. CA certificate to use - when verifying Nomad server certificate, must be x509 PEM encoded. + description: |- + CA certificate to use when verifying the Nomad server certificate, must be + x509 PEM encoded. + CA certificate to use when verifying Nomad server certificate, must be x509 PEM encoded. type: string clientCertSecretRef: - description: Client certificate to provide to the Nomad server, - must be x509 PEM encoded. Client certificate used for Nomad's - TLS communication, must be x509 PEM encoded and if this is set - you need to also set client_key. + description: |- + Client certificate to provide to the Nomad server, must be x509 PEM encoded. + Client certificate used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_key. properties: key: description: The key to select. 
@@ -104,10 +111,9 @@ spec: - namespace type: object clientKeySecretRef: - description: Client certificate key to provide to the Nomad server, - must be x509 PEM encoded. Client key used for Nomad's TLS communication, - must be x509 PEM encoded and if this is set you need to also - set client_cert. + description: |- + Client certificate key to provide to the Nomad server, must be x509 PEM encoded. + Client key used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert. properties: key: description: The key to select. 
@@ -124,53 +130,54 @@ spec: - namespace type: object defaultLeaseTtlSeconds: - description: Default lease duration for secrets in seconds. Default - lease duration for secrets in seconds. + description: |- + Default lease duration for secrets in seconds. + Default lease duration for secrets in seconds. type: number description: - description: Human-friendly description of the mount for the Active - Directory backend. Human-friendly description of the mount for - the backend. + description: |- + Human-friendly description of the mount for the Active Directory backend. + Human-friendly description of the mount for the backend. type: string disableRemount: - description: If set, opts out of mount migration on path updates. - See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. type: boolean local: - description: Mark the secrets engine as local-only. Local engines - are not replicated or removed by replication.Tolerance duration - to use when checking the last rotation time. Mark the secrets - engine as local-only. Local engines are not replicated or removed - by replication. Tolerance duration to use when checking the - last rotation time. + description: |- + Mark the secrets engine as local-only. Local engines are not replicated or removed by + replication.Tolerance duration to use when checking the last rotation time. + Mark the secrets engine as local-only. Local engines are not replicated or removed by replication. Tolerance duration to use when checking the last rotation time. type: boolean maxLeaseTtlSeconds: description: Maximum possible lease duration for secrets in seconds. type: number maxTokenNameLength: - description: Specifies the maximum length to use for the name - of the Nomad token generated with Generate Credential. 
If omitted, - 0 is used and ignored, defaulting to the max value allowed by - the Nomad version. Specifies the maximum length to use for the - name of the Nomad token generated with Generate Credential. - If omitted, 0 is used and ignored, defaulting to the max value - allowed by the Nomad version. + description: |- + Specifies the maximum length to use for the name of the Nomad token + generated with Generate Credential. If omitted, 0 is used and ignored, defaulting to the max value allowed + by the Nomad version. + Specifies the maximum length to use for the name of the Nomad token generated with Generate Credential. If omitted, 0 is used and ignored, defaulting to the max value allowed by the Nomad version. type: number maxTtl: - description: Maximum possible lease duration for secrets in seconds. + description: |- + Maximum possible lease duration for secrets in seconds. Maximum possible lease duration for secrets in seconds. type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string tokenSecretRef: - description: Specifies the Nomad Management token to use. Specifies - the Nomad Management token to use. + description: |- + Specifies the Nomad Management token to use. + Specifies the Nomad Management token to use. properties: key: description: The key to select. 
@@ -187,106 +194,168 @@ spec: - namespace type: object ttl: - description: Specifies the ttl of the lease for the generated - token. Maximum possible lease duration for secrets in seconds. + description: |- + Specifies the ttl of the lease for the generated token. + Maximum possible lease duration for secrets in seconds. type: number type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: address: - description: Specifies the address of the Nomad instance, provided - as "protocol://host:port" like "http://127.0.0.1:4646". 
Specifies - the address of the Nomad instance, provided as "protocol://host:port" - like "http://127.0.0.1:4646". + description: |- + Specifies the address of the Nomad instance, provided + as "protocol://host:port" like "http://127.0.0.1:4646". + Specifies the address of the Nomad instance, provided as "protocol://host:port" like "http://127.0.0.1:4646". type: string backend: - description: The unique path this backend should be mounted at. - Must not begin or end with a /. Defaults to nomad. The mount - path for the Nomad backend. + description: |- + The unique path this backend should be mounted at. Must + not begin or end with a /. Defaults to nomad. + The mount path for the Nomad backend. type: string caCert: - description: CA certificate to use when verifying the Nomad server - certificate, must be x509 PEM encoded. CA certificate to use - when verifying Nomad server certificate, must be x509 PEM encoded. + description: |- + CA certificate to use when verifying the Nomad server certificate, must be + x509 PEM encoded. + CA certificate to use when verifying Nomad server certificate, must be x509 PEM encoded. type: string + clientCertSecretRef: + description: |- + Client certificate to provide to the Nomad server, must be x509 PEM encoded. + Client certificate used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_key. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + clientKeySecretRef: + description: |- + Client certificate key to provide to the Nomad server, must be x509 PEM encoded. + Client key used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert. + properties: + key: + description: The key to select. 
+ type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object defaultLeaseTtlSeconds: - description: Default lease duration for secrets in seconds. Default - lease duration for secrets in seconds. + description: |- + Default lease duration for secrets in seconds. + Default lease duration for secrets in seconds. type: number description: - description: Human-friendly description of the mount for the Active - Directory backend. Human-friendly description of the mount for - the backend. + description: |- + Human-friendly description of the mount for the Active Directory backend. + Human-friendly description of the mount for the backend. type: string disableRemount: - description: If set, opts out of mount migration on path updates. - See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. type: boolean local: - description: Mark the secrets engine as local-only. Local engines - are not replicated or removed by replication.Tolerance duration - to use when checking the last rotation time. Mark the secrets - engine as local-only. Local engines are not replicated or removed - by replication. Tolerance duration to use when checking the - last rotation time. + description: |- + Mark the secrets engine as local-only. Local engines are not replicated or removed by + replication.Tolerance duration to use when checking the last rotation time. + Mark the secrets engine as local-only. Local engines are not replicated or removed by replication. Tolerance duration to use when checking the last rotation time. type: boolean maxLeaseTtlSeconds: description: Maximum possible lease duration for secrets in seconds. 
type: number maxTokenNameLength: - description: Specifies the maximum length to use for the name - of the Nomad token generated with Generate Credential. If omitted, - 0 is used and ignored, defaulting to the max value allowed by - the Nomad version. Specifies the maximum length to use for the - name of the Nomad token generated with Generate Credential. - If omitted, 0 is used and ignored, defaulting to the max value - allowed by the Nomad version. + description: |- + Specifies the maximum length to use for the name of the Nomad token + generated with Generate Credential. If omitted, 0 is used and ignored, defaulting to the max value allowed + by the Nomad version. + Specifies the maximum length to use for the name of the Nomad token generated with Generate Credential. If omitted, 0 is used and ignored, defaulting to the max value allowed by the Nomad version. type: number maxTtl: - description: Maximum possible lease duration for secrets in seconds. + description: |- + Maximum possible lease duration for secrets in seconds. Maximum possible lease duration for secrets in seconds. type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string + tokenSecretRef: + description: |- + Specifies the Nomad Management token to use. + Specifies the Nomad Management token to use. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. 
+ type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object ttl: - description: Specifies the ttl of the lease for the generated - token. Maximum possible lease duration for secrets in seconds. + description: |- + Specifies the ttl of the lease for the generated token. + Maximum possible lease duration for secrets in seconds. type: number type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. 
+ See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -299,45 +368,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -347,21 +381,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -371,17 +405,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -391,21 +427,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -420,21 +456,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -445,14 +482,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -473,71 +511,74 @@ spec: atProvider: properties: address: - description: Specifies the address of the Nomad instance, provided - as "protocol://host:port" like "http://127.0.0.1:4646". Specifies - the address of the Nomad instance, provided as "protocol://host:port" - like "http://127.0.0.1:4646". + description: |- + Specifies the address of the Nomad instance, provided + as "protocol://host:port" like "http://127.0.0.1:4646". + Specifies the address of the Nomad instance, provided as "protocol://host:port" like "http://127.0.0.1:4646". type: string backend: - description: The unique path this backend should be mounted at. - Must not begin or end with a /. Defaults to nomad. The mount - path for the Nomad backend. + description: |- + The unique path this backend should be mounted at. Must + not begin or end with a /. Defaults to nomad. + The mount path for the Nomad backend. type: string caCert: - description: CA certificate to use when verifying the Nomad server - certificate, must be x509 PEM encoded. CA certificate to use - when verifying Nomad server certificate, must be x509 PEM encoded. + description: |- + CA certificate to use when verifying the Nomad server certificate, must be + x509 PEM encoded. + CA certificate to use when verifying Nomad server certificate, must be x509 PEM encoded. type: string defaultLeaseTtlSeconds: - description: Default lease duration for secrets in seconds. Default - lease duration for secrets in seconds. + description: |- + Default lease duration for secrets in seconds. + Default lease duration for secrets in seconds. type: number description: - description: Human-friendly description of the mount for the Active - Directory backend. Human-friendly description of the mount for - the backend. + description: |- + Human-friendly description of the mount for the Active Directory backend. + Human-friendly description of the mount for the backend. 
type: string disableRemount: - description: If set, opts out of mount migration on path updates. - See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. type: boolean id: type: string local: - description: Mark the secrets engine as local-only. Local engines - are not replicated or removed by replication.Tolerance duration - to use when checking the last rotation time. Mark the secrets - engine as local-only. Local engines are not replicated or removed - by replication. Tolerance duration to use when checking the - last rotation time. + description: |- + Mark the secrets engine as local-only. Local engines are not replicated or removed by + replication.Tolerance duration to use when checking the last rotation time. + Mark the secrets engine as local-only. Local engines are not replicated or removed by replication. Tolerance duration to use when checking the last rotation time. type: boolean maxLeaseTtlSeconds: description: Maximum possible lease duration for secrets in seconds. type: number maxTokenNameLength: - description: Specifies the maximum length to use for the name - of the Nomad token generated with Generate Credential. If omitted, - 0 is used and ignored, defaulting to the max value allowed by - the Nomad version. Specifies the maximum length to use for the - name of the Nomad token generated with Generate Credential. - If omitted, 0 is used and ignored, defaulting to the max value - allowed by the Nomad version. + description: |- + Specifies the maximum length to use for the name of the Nomad token + generated with Generate Credential. If omitted, 0 is used and ignored, defaulting to the max value allowed + by the Nomad version. + Specifies the maximum length to use for the name of the Nomad token generated with Generate Credential. 
If omitted, 0 is used and ignored, defaulting to the max value allowed by the Nomad version. type: number maxTtl: - description: Maximum possible lease duration for secrets in seconds. + description: |- + Maximum possible lease duration for secrets in seconds. Maximum possible lease duration for secrets in seconds. type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string ttl: - description: Specifies the ttl of the lease for the generated - token. Maximum possible lease duration for secrets in seconds. + description: |- + Specifies the ttl of the lease for the generated token. + Maximum possible lease duration for secrets in seconds. type: number type: object conditions: 
@@ -546,14 +587,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -563,8 +613,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -573,6 +624,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/nomad.vault.upbound.io_secretroles.yaml b/package/crds/nomad.vault.upbound.io_secretroles.yaml index 4a3c9fe5..0ac25877 100644 --- a/package/crds/nomad.vault.upbound.io_secretroles.yaml +++ b/package/crds/nomad.vault.upbound.io_secretroles.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretroles.nomad.vault.upbound.io spec: group: nomad.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: role. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,103 +74,268 @@ spec: forProvider: properties: backend: - description: The unique path this backend should be mounted at. + description: |- + The unique path this backend should be mounted at. The mount path for the Nomad backend. type: string + backendRef: + description: Reference to a SecretBackend in nomad to populate + backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a SecretBackend in nomad to populate + backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 
'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object global: - description: Specifies if the generated token should be global. - Defaults to false. Specifies if the token should be global. + description: |- + Specifies if the generated token should be global. Defaults to + false. + Specifies if the token should be global. type: boolean namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string policies: - description: List of policies attached to the generated token. - This setting is only used when type is 'client'. Comma separated - list of Nomad policies the token is going to be created against. - These need to be created beforehand in Nomad. + description: |- + List of policies attached to the generated token. This setting is only used + when type is 'client'. + Comma separated list of Nomad policies the token is going to be created against. These need to be created beforehand in Nomad. items: type: string type: array role: - description: The name to identify this role within the backend. 
- Must be unique within the backend. Name of the role. + description: |- + The name to identify this role within the backend. + Must be unique within the backend. + Name of the role. type: string type: - description: Specifies the type of token to create when using - this role. Valid settings are 'client' and 'management'. Defaults - to 'client'. Specifies the type of token to create when using - this role. Valid values are "client" or "management". + description: |- + Specifies the type of token to create when using this role. Valid + settings are 'client' and 'management'. Defaults to 'client'. + Specifies the type of token to create when using this role. Valid values are "client" or "management". type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. 
This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: backend: - description: The unique path this backend should be mounted at. + description: |- + The unique path this backend should be mounted at. The mount path for the Nomad backend. type: string + backendRef: + description: Reference to a SecretBackend in nomad to populate + backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a SecretBackend in nomad to populate + backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. 
+ The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object global: - description: Specifies if the generated token should be global. - Defaults to false. Specifies if the token should be global. + description: |- + Specifies if the generated token should be global. Defaults to + false. + Specifies if the token should be global. type: boolean namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string policies: - description: List of policies attached to the generated token. - This setting is only used when type is 'client'. Comma separated - list of Nomad policies the token is going to be created against. - These need to be created beforehand in Nomad. + description: |- + List of policies attached to the generated token. This setting is only used + when type is 'client'. + Comma separated list of Nomad policies the token is going to be created against. These need to be created beforehand in Nomad. 
items: type: string type: array role: - description: The name to identify this role within the backend. - Must be unique within the backend. Name of the role. + description: |- + The name to identify this role within the backend. + Must be unique within the backend. + Name of the role. type: string type: - description: Specifies the type of token to create when using - this role. Valid settings are 'client' and 'management'. Defaults - to 'client'. Specifies the type of token to create when using - this role. Valid values are "client" or "management". + description: |- + Specifies the type of token to create when using this role. Valid + settings are 'client' and 'management'. Defaults to 'client'. + Specifies the type of token to create when using this role. Valid values are "client" or "management". type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. 
+ ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -177,9 +348,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -189,57 +361,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -249,17 +385,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -269,21 +407,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -298,21 +436,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -323,14 +462,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -346,53 +486,55 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: backend is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) - || has(self.initProvider.backend)' - - message: role is a required parameter + - message: spec.forProvider.role is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.role) - || has(self.initProvider.role)' + || (has(self.initProvider) && has(self.initProvider.role))' status: description: SecretRoleStatus defines the observed state of SecretRole. properties: atProvider: properties: backend: - description: The unique path this backend should be mounted at. + description: |- + The unique path this backend should be mounted at. The mount path for the Nomad backend. type: string global: - description: Specifies if the generated token should be global. - Defaults to false. Specifies if the token should be global. + description: |- + Specifies if the generated token should be global. Defaults to + false. + Specifies if the token should be global. type: boolean id: type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string policies: - description: List of policies attached to the generated token. 
- This setting is only used when type is 'client'. Comma separated - list of Nomad policies the token is going to be created against. - These need to be created beforehand in Nomad. + description: |- + List of policies attached to the generated token. This setting is only used + when type is 'client'. + Comma separated list of Nomad policies the token is going to be created against. These need to be created beforehand in Nomad. items: type: string type: array role: - description: The name to identify this role within the backend. - Must be unique within the backend. Name of the role. + description: |- + The name to identify this role within the backend. + Must be unique within the backend. + Name of the role. type: string type: - description: Specifies the type of token to create when using - this role. Valid settings are 'client' and 'management'. Defaults - to 'client'. Specifies the type of token to create when using - this role. Valid values are "client" or "management". + description: |- + Specifies the type of token to create when using this role. Valid + settings are 'client' and 'management'. Defaults to 'client'. + Specifies the type of token to create when using this role. Valid values are "client" or "management". type: string type: object conditions: 
@@ -401,14 +543,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -418,8 +569,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -428,6 +580,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/okta.vault.upbound.io_authbackendgroups.yaml b/package/crds/okta.vault.upbound.io_authbackendgroups.yaml index e89bf55a..c0340862 100644 --- a/package/crds/okta.vault.upbound.io_authbackendgroups.yaml +++ b/package/crds/okta.vault.upbound.io_authbackendgroups.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: authbackendgroups.okta.vault.upbound.io spec: group: okta.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -81,19 +87,20 @@ spec: items: type: string type: array + x-kubernetes-list-type: set type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: groupName: description: Name of the Okta group 
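Review bot: The `x-kubernetes-list-type: set` added to the string list at the end of `forProvider` tightens validation on an existing field, and nothing in the change documents that. With set semantics the API server rejects duplicate entries, so an object that already stores a duplicate in that list would presumably fail its next update unless the cluster applies validation ratcheting. The same marker is added to the `initProvider` and `status.atProvider` lists in this file and to several lists in the `authbackends` CRD. Since this file is controller-gen output, the schema is not the place to change it; an upgrade note such as `List fields are now sets: remove duplicate entries before upgrading` would cover it.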
@@ -109,24 +116,26 @@ spec: items: type: string type: array + x-kubernetes-list-type: set type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. 
+ See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -139,45 +148,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
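Review bot: Dropping `providerRef` from the spec schema leaves no trace for manifests that still set it: with the usual pruning of unknown fields the value is presumably discarded silently, while `providerConfigRef` keeps its `default: name: default`. If `providerRef` was still honored before this change, a resource could end up reconciling against a different ProviderConfig, and so different Vault credentials, than its author intended. The `authbackends` CRD removes the field the same way in its `@@ -257,57 +362,21 @@` hunk. I would call this out as a breaking change in the release notes, e.g. `spec.providerRef is removed; set spec.providerConfigRef before upgrading`, and check existing resources for the field first.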
@@ -187,21 +161,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -211,17 +185,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -231,21 +207,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -260,21 +236,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -285,14 +262,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -308,14 +286,14 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: groupName is a required parameter + - message: spec.forProvider.groupName is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.groupName) - || has(self.initProvider.groupName)' - - message: path is a required parameter + || (has(self.initProvider) && has(self.initProvider.groupName))' + - message: spec.forProvider.path is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.path) - || has(self.initProvider.path)' + || (has(self.initProvider) && has(self.initProvider.path))' status: description: AuthBackendGroupStatus defines the observed state of AuthBackendGroup. properties: @@ -337,6 +315,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: set type: object conditions: description: Conditions of the resource. 
@@ -344,14 +323,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -361,8 +349,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -371,6 +360,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/okta.vault.upbound.io_authbackends.yaml b/package/crds/okta.vault.upbound.io_authbackends.yaml index 4fdc1224..d4fe5d3b 100644 --- a/package/crds/okta.vault.upbound.io_authbackends.yaml +++ b/package/crds/okta.vault.upbound.io_authbackends.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: authbackends.okta.vault.upbound.io spec: group: okta.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -37,14 +37,19 @@ spec: description: AuthBackend is the Schema for the AuthBackends API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -53,13 +58,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete @@ -90,6 +96,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: set type: object type: array maxTtl: 
@@ -106,6 +113,36 @@ spec: path: description: path to mount the backend type: string + tokenBoundCidrs: + description: Specifies the blocks of IP addresses which are allowed + to use the generated token + items: + type: string + type: array + x-kubernetes-list-type: set + tokenExplicitMaxTtl: + description: Generated Token's Explicit Maximum TTL in seconds + type: number + tokenMaxTtl: + description: The maximum lifetime of the generated token + type: number + tokenNoDefaultPolicy: + description: If true, the 'default' policy will not automatically + be added to generated tokens + type: boolean + tokenNumUses: + description: The maximum number of times a token may be used, + a value of zero means unlimited + type: number + tokenPeriod: + description: Generated Token's Period + type: number + tokenPolicies: + description: Generated Token's Policies + items: + type: string + type: array + x-kubernetes-list-type: set tokenSecretRef: description: The Okta API token. This is required to query Okta for user group membership. If this is not supplied only locally @@ -125,6 +162,12 @@ spec: - name - namespace type: object + tokenTtl: + description: The initial ttl of the token to generate in seconds + type: number + tokenType: + description: The type of token to generate, service or batch + type: string ttl: description: Duration after which authentication will be expired type: string 
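Review bot: The new token fields in the first hunk on this line are documented unevenly: `tokenTtl` and `tokenExplicitMaxTtl` state seconds, while `tokenMaxTtl` and `tokenPeriod` give no unit, and all four are `type: number` next to the existing `ttl`, which is a string. A reader sizing token lifetimes has to guess the unit, so I would make the descriptions read `The maximum lifetime of the generated token in seconds` and `Generated Token's Period in seconds` (assuming seconds, as for `tokenTtl`). It would also help to say how `tokenTtl`/`tokenMaxTtl` relate to the existing `ttl`/`maxTtl`. The same descriptions repeat under `initProvider` and `status.atProvider`; as the file is generated, the text would need changing at the generator's source.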
@@ -135,27 +178,29 @@ spec: items: type: string type: array + x-kubernetes-list-type: set policies: items: type: string type: array + x-kubernetes-list-type: set username: type: string type: object type: array type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: baseUrl: description: 'The Okta url. Examples: oktapreview.com, okta.com @@ -181,6 +226,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: set type: object type: array maxTtl: 
@@ -197,6 +243,61 @@ spec: path: description: path to mount the backend type: string + tokenBoundCidrs: + description: Specifies the blocks of IP addresses which are allowed + to use the generated token + items: + type: string + type: array + x-kubernetes-list-type: set + tokenExplicitMaxTtl: + description: Generated Token's Explicit Maximum TTL in seconds + type: number + tokenMaxTtl: + description: The maximum lifetime of the generated token + type: number + tokenNoDefaultPolicy: + description: If true, the 'default' policy will not automatically + be added to generated tokens + type: boolean + tokenNumUses: + description: The maximum number of times a token may be used, + a value of zero means unlimited + type: number + tokenPeriod: + description: Generated Token's Period + type: number + tokenPolicies: + description: Generated Token's Policies + items: + type: string + type: array + x-kubernetes-list-type: set + tokenSecretRef: + description: The Okta API token. This is required to query Okta + for user group membership. If this is not supplied only locally + configured groups will be enabled. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + tokenTtl: + description: The initial ttl of the token to generate in seconds + type: number + tokenType: + description: The type of token to generate, service or batch + type: string ttl: description: Duration after which authentication will be expired type: string @@ -207,10 +308,12 @@ spec: items: type: string type: array + x-kubernetes-list-type: set policies: items: type: string type: array + x-kubernetes-list-type: set username: type: string type: object 
@@ -219,20 +322,21 @@ spec: managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. 
+ description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -245,9 +349,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -257,57 +362,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -317,17 +386,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -337,21 +408,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -366,21 +437,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -391,14 +463,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. @@ -414,10 +487,10 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: organization is a required parameter + - message: spec.forProvider.organization is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.organization) - || has(self.initProvider.organization)' + || (has(self.initProvider) && has(self.initProvider.organization))' status: description: AuthBackendStatus defines the observed state of AuthBackend. properties: @@ -450,6 +523,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: set type: object type: array id: 
@@ -468,6 +542,42 @@ spec: path: description: path to mount the backend type: string + tokenBoundCidrs: + description: Specifies the blocks of IP addresses which are allowed + to use the generated token + items: + type: string + type: array + x-kubernetes-list-type: set + tokenExplicitMaxTtl: + description: Generated Token's Explicit Maximum TTL in seconds + type: number + tokenMaxTtl: + description: The maximum lifetime of the generated token + type: number + tokenNoDefaultPolicy: + description: If true, the 'default' policy will not automatically + be added to generated tokens + type: boolean + tokenNumUses: + description: The maximum number of times a token may be used, + a value of zero means unlimited + type: number + tokenPeriod: + description: Generated Token's Period + type: number + tokenPolicies: + description: Generated Token's Policies + items: + type: string + type: array + x-kubernetes-list-type: set + tokenTtl: + description: The initial ttl of the token to generate in seconds + type: number + tokenType: + description: The type of token to generate, service or batch + type: string ttl: description: Duration after which authentication will be expired type: string @@ -478,10 +588,12 @@ spec: items: type: string type: array + x-kubernetes-list-type: set policies: items: type: string type: array + x-kubernetes-list-type: set username: type: string type: object 
@@ -493,14 +605,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -510,8 +631,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -520,6 +642,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/okta.vault.upbound.io_authbackendusers.yaml b/package/crds/okta.vault.upbound.io_authbackendusers.yaml index cde69c8d..c018af12 100644 --- a/package/crds/okta.vault.upbound.io_authbackendusers.yaml +++ b/package/crds/okta.vault.upbound.io_authbackendusers.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: authbackendusers.okta.vault.upbound.io spec: group: okta.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: value> properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete @@ -73,6 +79,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: set namespace: description: Target namespace. (requires Enterprise) type: string 
@@ -84,22 +91,23 @@ spec: items: type: string type: array + x-kubernetes-list-type: set username: description: Name of the user within Okta type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: groups: description: Groups within the Okta auth backend to associate @@ -107,6 +115,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: set namespace: description: Target namespace. (requires Enterprise) type: string @@ -118,6 +127,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: set username: description: Name of the user within Okta type: string 
@@ -125,20 +135,21 @@ spec: managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. 
+ description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -151,45 +162,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -199,21 +175,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -223,17 +199,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -243,21 +221,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -272,21 +250,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -297,14 +276,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -320,14 +300,14 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: path is a required parameter + - message: spec.forProvider.path is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.path) - || has(self.initProvider.path)' - - message: username is a required parameter + || (has(self.initProvider) && has(self.initProvider.path))' + - message: spec.forProvider.username is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.username) - || has(self.initProvider.username)' + || (has(self.initProvider) && has(self.initProvider.username))' status: description: AuthBackendUserStatus defines the observed state of AuthBackendUser. properties: @@ -339,6 +319,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: set id: type: string namespace: @@ -352,6 +333,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: set username: description: Name of the user within Okta type: string 
@@ -362,14 +344,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -379,8 +370,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -389,6 +381,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/password.vault.upbound.io_policies.yaml b/package/crds/password.vault.upbound.io_policies.yaml index 0b600eeb..a0fd24ae 100644 --- a/package/crds/password.vault.upbound.io_policies.yaml +++ b/package/crds/password.vault.upbound.io_policies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: policies.password.vault.upbound.io spec: group: password.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: for Vault properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,67 +74,74 @@ spec: forProvider: properties: name: - description: The name of the password policy. Name of the password - policy. + description: |- + The name of the password policy. + Name of the password policy. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string policy: - description: String containing a password policy. The password - policy document + description: |- + String containing a password policy. + The password policy document type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. 
+ InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: name: - description: The name of the password policy. Name of the password - policy. + description: |- + The name of the password policy. + Name of the password policy. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string policy: - description: String containing a password policy. The password - policy document + description: |- + String containing a password policy. + The password policy document type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. 
Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -141,45 +154,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
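Review bot: Dropping `providerRef` from the schema in this hunk can change which credentials a managed resource ends up using, and nothing visible in the commit calls that out. `providerConfigRef` keeps `default: name: default`, so a manifest that still sets only the deprecated `spec.providerRef` would presumably either be rejected as an unknown field or have the field pruned and fall back to the ProviderConfig named `default`, which may point at a different Vault endpoint or token than intended. The file appears to be generated, so the remedy belongs in the upgrade notes rather than in this YAML: before rolling out the new CRDs, list managed resources that still set `providerRef` and migrate them to `providerConfigRef`. The enclosing `spec` schema starts and ends outside the hunk.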
@@ -189,21 +167,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -213,17 +191,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -233,21 +213,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -262,21 +242,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -287,14 +268,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -310,14 +292,14 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: name is a required parameter + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' - - message: policy is a required parameter + || (has(self.initProvider) && has(self.initProvider.name))' + - message: spec.forProvider.policy is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.policy) - || has(self.initProvider.policy)' + || (has(self.initProvider) && has(self.initProvider.policy))' status: description: PolicyStatus defines the observed state of Policy. properties: @@ -326,19 +308,22 @@ spec: id: type: string name: - description: The name of the password policy. Name of the password - policy. + description: |- + The name of the password policy. + Name of the password policy. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string policy: - description: String containing a password policy. The password - policy document + description: |- + String containing a password policy. + The password policy document type: string type: object conditions: 
@@ -347,14 +332,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -364,8 +358,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -374,6 +369,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/pki.vault.upbound.io_secretbackendcerts.yaml b/package/crds/pki.vault.upbound.io_secretbackendcerts.yaml index f2c26dc7..0fc83cf2 100644 --- a/package/crds/pki.vault.upbound.io_secretbackendcerts.yaml +++ b/package/crds/pki.vault.upbound.io_secretbackendcerts.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretbackendcerts.pki.vault.upbound.io spec: group: pki.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: Generate an PKI certificate. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,33 +74,115 @@ spec: forProvider: properties: altNames: - description: List of alternative names List of alternative names. + description: |- + List of alternative names + List of alternative names. items: type: string type: array autoRenew: - description: If set to true, certs will be renewed if the expiration - is within min_seconds_remaining. Default false If enabled, a - new certificate will be generated if the expiration is within - min_seconds_remaining + description: |- + If set to true, certs will be renewed if the expiration is within min_seconds_remaining. Default false + If enabled, a new certificate will be generated if the expiration is within min_seconds_remaining type: boolean backend: - description: The PKI secret backend the resource belongs to. The - PKI secret backend the resource belongs to. + description: |- + The PKI secret backend the resource belongs to. + The PKI secret backend the resource belongs to. type: string + backendRef: + description: Reference to a Mount in vault to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Mount in vault to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object commonName: - description: CN of certificate to create CN of the certificate - to create. + description: |- + CN of certificate to create + CN of the certificate to create. type: string excludeCnFromSans: - description: Flag to exclude CN from SANs Flag to exclude CN from - SANs. + description: |- + Flag to exclude CN from SANs + Flag to exclude CN from SANs. type: boolean format: - description: The format of data The format of data. + description: |- + The format of data + The format of data. type: string ipSans: - description: List of alternative IPs List of alternative IPs. + description: |- + List of alternative IPs + List of alternative IPs. items: type: string type: array 
@@ -102,89 +190,259 @@ spec: description: Specifies the default issuer of this request. type: string minSecondsRemaining: - description: Generate a new certificate when the expiration is - within this number of seconds, default is 604800 (7 days) Generate - a new certificate when the expiration is within this number - of seconds + description: |- + Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days) + Generate a new certificate when the expiration is within this number of seconds type: number name: - description: Name of the role to create the certificate against + description: |- + Name of the role to create the certificate against Name of the role to create the certificate against. type: string + nameRef: + description: Reference to a SecretBackendRole in pki to populate + name. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + nameSelector: + description: Selector for a SecretBackendRole in pki to populate + name. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. 
+ type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string otherSans: - description: List of other SANs List of other SANs. + description: |- + List of other SANs + List of other SANs. items: type: string type: array privateKeyFormat: - description: The private key format The private key format. + description: |- + The private key format + The private key format. type: string revoke: - description: If set to true, the certificate will be revoked on - resource destruction. 
Revoke the certificate upon resource destruction. + description: |- + If set to true, the certificate will be revoked on resource destruction. + Revoke the certificate upon resource destruction. type: boolean ttl: - description: Time to live Time to live. + description: |- + Time to live + Time to live. type: string uriSans: - description: List of alternative URIs List of alternative URIs. + description: |- + List of alternative URIs + List of alternative URIs. items: type: string type: array userIds: - description: List of Subject User IDs List of Subject User IDs. + description: |- + List of Subject User IDs + List of Subject User IDs. items: type: string type: array type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. 
This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: altNames: - description: List of alternative names List of alternative names. + description: |- + List of alternative names + List of alternative names. items: type: string type: array autoRenew: - description: If set to true, certs will be renewed if the expiration - is within min_seconds_remaining. Default false If enabled, a - new certificate will be generated if the expiration is within - min_seconds_remaining + description: |- + If set to true, certs will be renewed if the expiration is within min_seconds_remaining. Default false + If enabled, a new certificate will be generated if the expiration is within min_seconds_remaining type: boolean backend: - description: The PKI secret backend the resource belongs to. The - PKI secret backend the resource belongs to. + description: |- + The PKI secret backend the resource belongs to. + The PKI secret backend the resource belongs to. type: string + backendRef: + description: Reference to a Mount in vault to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Mount in vault to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object commonName: - description: CN of certificate to create CN of the certificate - to create. + description: |- + CN of certificate to create + CN of the certificate to create. type: string excludeCnFromSans: - description: Flag to exclude CN from SANs Flag to exclude CN from - SANs. + description: |- + Flag to exclude CN from SANs + Flag to exclude CN from SANs. type: boolean format: - description: The format of data The format of data. + description: |- + The format of data + The format of data. type: string ipSans: - description: List of alternative IPs List of alternative IPs. + description: |- + List of alternative IPs + List of alternative IPs. items: type: string type: array 
@@ -192,44 +450,132 @@ spec: description: Specifies the default issuer of this request. type: string minSecondsRemaining: - description: Generate a new certificate when the expiration is - within this number of seconds, default is 604800 (7 days) Generate - a new certificate when the expiration is within this number - of seconds + description: |- + Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days) + Generate a new certificate when the expiration is within this number of seconds type: number name: - description: Name of the role to create the certificate against + description: |- + Name of the role to create the certificate against Name of the role to create the certificate against. type: string + nameRef: + description: Reference to a SecretBackendRole in pki to populate + name. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + nameSelector: + description: Selector for a SecretBackendRole in pki to populate + name. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. 
+ type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string otherSans: - description: List of other SANs List of other SANs. + description: |- + List of other SANs + List of other SANs. items: type: string type: array privateKeyFormat: - description: The private key format The private key format. + description: |- + The private key format + The private key format. type: string revoke: - description: If set to true, the certificate will be revoked on - resource destruction. 
Revoke the certificate upon resource destruction. + description: |- + If set to true, the certificate will be revoked on resource destruction. + Revoke the certificate upon resource destruction. type: boolean ttl: - description: Time to live Time to live. + description: |- + Time to live + Time to live. type: string uriSans: - description: List of alternative URIs List of alternative URIs. + description: |- + List of alternative URIs + List of alternative URIs. items: type: string type: array userIds: - description: List of Subject User IDs List of Subject User IDs. + description: |- + List of Subject User IDs + List of Subject User IDs. items: type: string type: array 
@@ -237,20 +583,21 @@ spec: managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. 
+ description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -263,9 +610,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -275,57 +623,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -335,17 +647,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -355,21 +669,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -384,21 +698,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -409,14 +724,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -432,63 +748,68 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: backend is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) - || has(self.initProvider.backend)' - - message: commonName is a required parameter + - message: spec.forProvider.commonName is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.commonName) - || has(self.initProvider.commonName)' - - message: name is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' + || (has(self.initProvider) && has(self.initProvider.commonName))' status: description: SecretBackendCertStatus defines the observed state of SecretBackendCert. properties: atProvider: properties: altNames: - description: List of alternative names List of alternative names. + description: |- + List of alternative names + List of alternative names. items: type: string type: array autoRenew: - description: If set to true, certs will be renewed if the expiration - is within min_seconds_remaining. Default false If enabled, a - new certificate will be generated if the expiration is within - min_seconds_remaining + description: |- + If set to true, certs will be renewed if the expiration is within min_seconds_remaining. Default false + If enabled, a new certificate will be generated if the expiration is within min_seconds_remaining type: boolean backend: - description: The PKI secret backend the resource belongs to. The - PKI secret backend the resource belongs to. + description: |- + The PKI secret backend the resource belongs to. + The PKI secret backend the resource belongs to. 
type: string caChain: - description: The CA chain The CA chain. + description: |- + The CA chain + The CA chain. type: string certificate: - description: The certificate The certicate. + description: |- + The certificate + The certicate. type: string commonName: - description: CN of certificate to create CN of the certificate - to create. + description: |- + CN of certificate to create + CN of the certificate to create. type: string excludeCnFromSans: - description: Flag to exclude CN from SANs Flag to exclude CN from - SANs. + description: |- + Flag to exclude CN from SANs + Flag to exclude CN from SANs. type: boolean expiration: - description: The expiration date of the certificate in unix epoch - format The certificate expiration as a Unix-style timestamp. + description: |- + The expiration date of the certificate in unix epoch format + The certificate expiration as a Unix-style timestamp. type: number format: - description: The format of data The format of data. + description: |- + The format of data + The format of data. type: string id: type: string ipSans: - description: List of alternative IPs List of alternative IPs. + description: |- + List of alternative IPs + List of alternative IPs. items: type: string type: array 
@@ -496,61 +817,76 @@ spec: description: Specifies the default issuer of this request. type: string issuingCa: - description: The issuing CA The issuing CA. + description: |- + The issuing CA + The issuing CA. type: string minSecondsRemaining: - description: Generate a new certificate when the expiration is - within this number of seconds, default is 604800 (7 days) Generate - a new certificate when the expiration is within this number - of seconds + description: |- + Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days) + Generate a new certificate when the expiration is within this number of seconds type: number name: - description: Name of the role to create the certificate against + description: |- + Name of the role to create the certificate against Name of the role to create the certificate against. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string otherSans: - description: List of other SANs List of other SANs. + description: |- + List of other SANs + List of other SANs. items: type: string type: array privateKeyFormat: - description: The private key format The private key format. + description: |- + The private key format + The private key format. type: string privateKeyType: - description: The private key type The private key type. + description: |- + The private key type + The private key type. 
type: string renewPending: - description: true if the current time (during refresh) is after - the start of the early renewal window declared by min_seconds_remaining, - and false otherwise; if auto_renew is set to true then the provider - will plan to replace the certificate once renewal is pending. - Initially false, and then set to true during refresh once the - expiration is less than min_seconds_remaining in the future. + description: |- + true if the current time (during refresh) is after the start of the early renewal window declared by min_seconds_remaining, and false otherwise; if auto_renew is set to true then the provider will plan to replace the certificate once renewal is pending. + Initially false, and then set to true during refresh once the expiration is less than min_seconds_remaining in the future. type: boolean revoke: - description: If set to true, the certificate will be revoked on - resource destruction. Revoke the certificate upon resource destruction. + description: |- + If set to true, the certificate will be revoked on resource destruction. + Revoke the certificate upon resource destruction. type: boolean serialNumber: - description: The serial number The serial number. + description: |- + The serial number + The serial number. type: string ttl: - description: Time to live Time to live. + description: |- + Time to live + Time to live. type: string uriSans: - description: List of alternative URIs List of alternative URIs. + description: |- + List of alternative URIs + List of alternative URIs. items: type: string type: array userIds: - description: List of Subject User IDs List of Subject User IDs. + description: |- + List of Subject User IDs + List of Subject User IDs. items: type: string type: array 
@@ -561,14 +897,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -578,8 +923,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -588,6 +934,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/pki.vault.upbound.io_secretbackendconfigcas.yaml b/package/crds/pki.vault.upbound.io_secretbackendconfigcas.yaml index 5d7b9aaa..e5b8473d 100644 --- a/package/crds/pki.vault.upbound.io_secretbackendconfigcas.yaml +++ b/package/crds/pki.vault.upbound.io_secretbackendconfigcas.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretbackendconfigcas.pki.vault.upbound.io spec: group: pki.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: API. Submit the CA information to PKI. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,19 +74,96 @@ spec: forProvider: properties: backend: - description: The PKI secret backend the resource belongs to. The - PKI secret backend the resource belongs to. + description: |- + The PKI secret backend the resource belongs to. + The PKI secret backend the resource belongs to. type: string + backendRef: + description: Reference to a Mount in vault to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Mount in vault to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 
'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string pemBundleSecretRef: - description: The key and certificate PEM bundle The key and certificate - PEM bundle. + description: |- + The key and certificate PEM bundle + The key and certificate PEM bundle. properties: key: description: The key to select. 
@@ -98,47 +181,145 @@ spec: type: object type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: backend: - description: The PKI secret backend the resource belongs to. The - PKI secret backend the resource belongs to. + description: |- + The PKI secret backend the resource belongs to. + The PKI secret backend the resource belongs to. type: string + backendRef: + description: Reference to a Mount in vault to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. 
+ properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Mount in vault to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + type: object namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string + pemBundleSecretRef: + description: |- + The key and certificate PEM bundle + The key and certificate PEM bundle. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + required: + - pemBundleSecretRef type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. 
See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -151,45 +332,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -199,21 +345,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -223,17 +369,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -243,21 +391,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -272,21 +420,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -297,14 +446,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. @@ -320,11 +470,7 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: backend is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) - || has(self.initProvider.backend)' - - message: pemBundleSecretRef is a required parameter + - message: spec.forProvider.pemBundleSecretRef is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.pemBundleSecretRef)' status: 
@@ -334,17 +480,19 @@ spec: atProvider: properties: backend: - description: The PKI secret backend the resource belongs to. The - PKI secret backend the resource belongs to. + description: |- + The PKI secret backend the resource belongs to. + The PKI secret backend the resource belongs to. type: string id: type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: object conditions: 
@@ -353,14 +501,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -370,8 +527,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -380,6 +538,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/pki.vault.upbound.io_secretbackendconfigurls.yaml b/package/crds/pki.vault.upbound.io_secretbackendconfigurls.yaml index a910d047..13b45405 100644 --- a/package/crds/pki.vault.upbound.io_secretbackendconfigurls.yaml +++ b/package/crds/pki.vault.upbound.io_secretbackendconfigurls.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretbackendconfigurls.pki.vault.upbound.io spec: group: pki.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: API. Sets the config URL's on an PKI Secret Backend for Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -55,13 +60,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -69,79 +75,241 @@ spec: forProvider: properties: backend: - description: The path the PKI secret backend is mounted at, with - no leading or trailing /s. The path of the PKI secret backend - the resource belongs to. + description: |- + The path the PKI secret backend is mounted at, with no leading or trailing /s. + The path of the PKI secret backend the resource belongs to. type: string + backendRef: + description: Reference to a Mount in vault to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Mount in vault to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. 
+ The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object crlDistributionPoints: - description: Specifies the URL values for the CRL Distribution - Points field. Specifies the URL values for the CRL Distribution - Points field. + description: |- + Specifies the URL values for the CRL Distribution Points field. + Specifies the URL values for the CRL Distribution Points field. items: type: string type: array + enableTemplating: + description: |- + Specifies that templating of AIA fields is allowed. + Specifies that templating of AIA fields is allowed. + type: boolean issuingCertificates: - description: Specifies the URL values for the Issuing Certificate - field. Specifies the URL values for the Issuing Certificate - field. + description: |- + Specifies the URL values for the Issuing Certificate field. + Specifies the URL values for the Issuing Certificate field. items: type: string type: array namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. 
(requires Enterprise) type: string ocspServers: - description: Specifies the URL values for the OCSP Servers field. + description: |- + Specifies the URL values for the OCSP Servers field. Specifies the URL values for the OCSP Servers field. items: type: string type: array type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: backend: - description: The path the PKI secret backend is mounted at, with - no leading or trailing /s. The path of the PKI secret backend - the resource belongs to. + description: |- + The path the PKI secret backend is mounted at, with no leading or trailing /s. 
+ The path of the PKI secret backend the resource belongs to. type: string + backendRef: + description: Reference to a Mount in vault to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Mount in vault to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. 
The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object crlDistributionPoints: - description: Specifies the URL values for the CRL Distribution - Points field. Specifies the URL values for the CRL Distribution - Points field. + description: |- + Specifies the URL values for the CRL Distribution Points field. + Specifies the URL values for the CRL Distribution Points field. items: type: string type: array + enableTemplating: + description: |- + Specifies that templating of AIA fields is allowed. + Specifies that templating of AIA fields is allowed. + type: boolean issuingCertificates: - description: Specifies the URL values for the Issuing Certificate - field. Specifies the URL values for the Issuing Certificate - field. + description: |- + Specifies the URL values for the Issuing Certificate field. + Specifies the URL values for the Issuing Certificate field. items: type: string type: array namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string ocspServers: - description: Specifies the URL values for the OCSP Servers field. + description: |- + Specifies the URL values for the OCSP Servers field. Specifies the URL values for the OCSP Servers field. items: type: string 
@@ -150,20 +318,21 @@ spec: managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. 
+ description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -176,45 +345,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -224,21 +358,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -248,17 +382,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -268,21 +404,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -297,21 +433,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -322,14 +459,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. @@ -344,11 +482,6 @@ spec: required: - forProvider type: object - x-kubernetes-validations: - - message: backend is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) - || has(self.initProvider.backend)' status: description: SecretBackendConfigUrlsStatus defines the observed state of SecretBackendConfigUrls. 
@@ -356,35 +489,42 @@ spec: atProvider: properties: backend: - description: The path the PKI secret backend is mounted at, with - no leading or trailing /s. The path of the PKI secret backend - the resource belongs to. + description: |- + The path the PKI secret backend is mounted at, with no leading or trailing /s. + The path of the PKI secret backend the resource belongs to. type: string crlDistributionPoints: - description: Specifies the URL values for the CRL Distribution - Points field. Specifies the URL values for the CRL Distribution - Points field. + description: |- + Specifies the URL values for the CRL Distribution Points field. + Specifies the URL values for the CRL Distribution Points field. items: type: string type: array + enableTemplating: + description: |- + Specifies that templating of AIA fields is allowed. + Specifies that templating of AIA fields is allowed. + type: boolean id: type: string issuingCertificates: - description: Specifies the URL values for the Issuing Certificate - field. Specifies the URL values for the Issuing Certificate - field. + description: |- + Specifies the URL values for the Issuing Certificate field. + Specifies the URL values for the Issuing Certificate field. items: type: string type: array namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string ocspServers: - description: Specifies the URL values for the OCSP Servers field. 
+ description: |- + Specifies the URL values for the OCSP Servers field. Specifies the URL values for the OCSP Servers field. items: type: string @@ -396,14 +536,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -413,8 +562,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime 
@@ -423,6 +573,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/pki.vault.upbound.io_secretbackendcrlconfigs.yaml b/package/crds/pki.vault.upbound.io_secretbackendcrlconfigs.yaml index 6bd7142b..ef44ef28 100644 --- a/package/crds/pki.vault.upbound.io_secretbackendcrlconfigs.yaml +++ b/package/crds/pki.vault.upbound.io_secretbackendcrlconfigs.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretbackendcrlconfigs.pki.vault.upbound.io spec: group: pki.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: API. Sets the CRL config on an PKI Secret Backend for Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,167 +74,328 @@ spec: forProvider: properties: autoRebuild: - description: Enables periodic rebuilding of the CRL upon expiry. - Vault 1.12+ Enables or disables periodic rebuilding of the CRL - upon expiry. + description: |- + Enables periodic rebuilding of the CRL upon expiry. Vault 1.12+ + Enables or disables periodic rebuilding of the CRL upon expiry. type: boolean autoRebuildGracePeriod: - description: Grace period before CRL expiry to attempt rebuild - of CRL. Vault 1.12+ Grace period before CRL expiry to attempt - rebuild of CRL. + description: |- + Grace period before CRL expiry to attempt rebuild of CRL. Vault 1.12+ + Grace period before CRL expiry to attempt rebuild of CRL. type: string backend: - description: The path the PKI secret backend is mounted at, with - no leading or trailing /s. The path of the PKI secret backend - the resource belongs to. + description: |- + The path the PKI secret backend is mounted at, with no leading or trailing /s. + The path of the PKI secret backend the resource belongs to. type: string + backendRef: + description: Reference to a Mount in vault to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Mount in vault to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object crossClusterRevocation: - description: Enable cross-cluster revocation request queues. Vault - 1.13+ Enable cross-cluster revocation request queues. + description: |- + Enable cross-cluster revocation request queues. Vault 1.13+ + Enable cross-cluster revocation request queues. type: boolean deltaRebuildInterval: - description: Interval to check for new revocations on, to regenerate - the delta CRL. Interval to check for new revocations on, to - regenerate the delta CRL. + description: |- + Interval to check for new revocations on, to regenerate the delta CRL. + Interval to check for new revocations on, to regenerate the delta CRL. 
type: string disable: - description: Disables or enables CRL building. Disables or enables - CRL building + description: |- + Disables or enables CRL building. + Disables or enables CRL building type: boolean enableDelta: - description: Enables building of delta CRLs with up-to-date revocation - information, augmenting the last complete CRL. Vault 1.12+ - Enables or disables building of delta CRLs with up-to-date revocation - information, augmenting the last complete CRL. + description: |- + Enables building of delta CRLs with up-to-date revocation information, + augmenting the last complete CRL. Vault 1.12+ + Enables or disables building of delta CRLs with up-to-date revocation information, augmenting the last complete CRL. type: boolean expiry: - description: Specifies the time until expiration. Specifies the - time until expiration. + description: |- + Specifies the time until expiration. + Specifies the time until expiration. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string ocspDisable: - description: Disables the OCSP responder in Vault. Vault 1.12+ + description: |- + Disables the OCSP responder in Vault. Vault 1.12+ Disables or enables the OCSP responder in Vault. type: boolean ocspExpiry: - description: The amount of time an OCSP response can be cached - for, useful for OCSP stapling refresh durations. 
Vault 1.12+ - The amount of time an OCSP response can be cached for, useful - for OCSP stapling refresh durations. + description: |- + The amount of time an OCSP response can be cached for, useful for OCSP stapling + refresh durations. Vault 1.12+ + The amount of time an OCSP response can be cached for, useful for OCSP stapling refresh durations. type: string unifiedCrl: - description: Enables unified CRL and OCSP building. Vault 1.13+ + description: |- + Enables unified CRL and OCSP building. Vault 1.13+ Enables unified CRL and OCSP building. type: boolean unifiedCrlOnExistingPaths: - description: Enables serving the unified CRL and OCSP on the existing, - previously cluster-local paths. Vault 1.13+ Enables serving - the unified CRL and OCSP on the existing, previously cluster-local - paths. + description: |- + Enables serving the unified CRL and OCSP on the existing, previously + cluster-local paths. Vault 1.13+ + Enables serving the unified CRL and OCSP on the existing, previously cluster-local paths. type: boolean type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. 
+ InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: autoRebuild: - description: Enables periodic rebuilding of the CRL upon expiry. - Vault 1.12+ Enables or disables periodic rebuilding of the CRL - upon expiry. + description: |- + Enables periodic rebuilding of the CRL upon expiry. Vault 1.12+ + Enables or disables periodic rebuilding of the CRL upon expiry. type: boolean autoRebuildGracePeriod: - description: Grace period before CRL expiry to attempt rebuild - of CRL. Vault 1.12+ Grace period before CRL expiry to attempt - rebuild of CRL. + description: |- + Grace period before CRL expiry to attempt rebuild of CRL. Vault 1.12+ + Grace period before CRL expiry to attempt rebuild of CRL. type: string backend: - description: The path the PKI secret backend is mounted at, with - no leading or trailing /s. The path of the PKI secret backend - the resource belongs to. + description: |- + The path the PKI secret backend is mounted at, with no leading or trailing /s. + The path of the PKI secret backend the resource belongs to. type: string + backendRef: + description: Reference to a Mount in vault to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 
'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Mount in vault to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object crossClusterRevocation: - description: Enable cross-cluster revocation request queues. Vault - 1.13+ Enable cross-cluster revocation request queues. + description: |- + Enable cross-cluster revocation request queues. Vault 1.13+ + Enable cross-cluster revocation request queues. 
type: boolean deltaRebuildInterval: - description: Interval to check for new revocations on, to regenerate - the delta CRL. Interval to check for new revocations on, to - regenerate the delta CRL. + description: |- + Interval to check for new revocations on, to regenerate the delta CRL. + Interval to check for new revocations on, to regenerate the delta CRL. type: string disable: - description: Disables or enables CRL building. Disables or enables - CRL building + description: |- + Disables or enables CRL building. + Disables or enables CRL building type: boolean enableDelta: - description: Enables building of delta CRLs with up-to-date revocation - information, augmenting the last complete CRL. Vault 1.12+ - Enables or disables building of delta CRLs with up-to-date revocation - information, augmenting the last complete CRL. + description: |- + Enables building of delta CRLs with up-to-date revocation information, + augmenting the last complete CRL. Vault 1.12+ + Enables or disables building of delta CRLs with up-to-date revocation information, augmenting the last complete CRL. type: boolean expiry: - description: Specifies the time until expiration. Specifies the - time until expiration. + description: |- + Specifies the time until expiration. + Specifies the time until expiration. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string ocspDisable: - description: Disables the OCSP responder in Vault. 
Vault 1.12+ + description: |- + Disables the OCSP responder in Vault. Vault 1.12+ Disables or enables the OCSP responder in Vault. type: boolean ocspExpiry: - description: The amount of time an OCSP response can be cached - for, useful for OCSP stapling refresh durations. Vault 1.12+ - The amount of time an OCSP response can be cached for, useful - for OCSP stapling refresh durations. + description: |- + The amount of time an OCSP response can be cached for, useful for OCSP stapling + refresh durations. Vault 1.12+ + The amount of time an OCSP response can be cached for, useful for OCSP stapling refresh durations. type: string unifiedCrl: - description: Enables unified CRL and OCSP building. Vault 1.13+ + description: |- + Enables unified CRL and OCSP building. Vault 1.13+ Enables unified CRL and OCSP building. type: boolean unifiedCrlOnExistingPaths: - description: Enables serving the unified CRL and OCSP on the existing, - previously cluster-local paths. Vault 1.13+ Enables serving - the unified CRL and OCSP on the existing, previously cluster-local - paths. + description: |- + Enables serving the unified CRL and OCSP on the existing, previously + cluster-local paths. Vault 1.13+ + Enables serving the unified CRL and OCSP on the existing, previously cluster-local paths. type: boolean type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. 
See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -241,45 +408,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -289,21 +421,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -313,17 +445,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -333,21 +467,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -362,21 +496,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -387,14 +522,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. @@ -409,11 +545,6 @@ spec: required: - forProvider type: object - x-kubernetes-validations: - - message: backend is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) - || has(self.initProvider.backend)' status: description: SecretBackendCrlConfigStatus defines the observed state of SecretBackendCrlConfig. 
@@ -421,71 +552,77 @@ spec: atProvider: properties: autoRebuild: - description: Enables periodic rebuilding of the CRL upon expiry. - Vault 1.12+ Enables or disables periodic rebuilding of the CRL - upon expiry. + description: |- + Enables periodic rebuilding of the CRL upon expiry. Vault 1.12+ + Enables or disables periodic rebuilding of the CRL upon expiry. type: boolean autoRebuildGracePeriod: - description: Grace period before CRL expiry to attempt rebuild - of CRL. Vault 1.12+ Grace period before CRL expiry to attempt - rebuild of CRL. + description: |- + Grace period before CRL expiry to attempt rebuild of CRL. Vault 1.12+ + Grace period before CRL expiry to attempt rebuild of CRL. type: string backend: - description: The path the PKI secret backend is mounted at, with - no leading or trailing /s. The path of the PKI secret backend - the resource belongs to. + description: |- + The path the PKI secret backend is mounted at, with no leading or trailing /s. + The path of the PKI secret backend the resource belongs to. type: string crossClusterRevocation: - description: Enable cross-cluster revocation request queues. Vault - 1.13+ Enable cross-cluster revocation request queues. + description: |- + Enable cross-cluster revocation request queues. Vault 1.13+ + Enable cross-cluster revocation request queues. type: boolean deltaRebuildInterval: - description: Interval to check for new revocations on, to regenerate - the delta CRL. Interval to check for new revocations on, to - regenerate the delta CRL. + description: |- + Interval to check for new revocations on, to regenerate the delta CRL. + Interval to check for new revocations on, to regenerate the delta CRL. type: string disable: - description: Disables or enables CRL building. Disables or enables - CRL building + description: |- + Disables or enables CRL building. 
+ Disables or enables CRL building type: boolean enableDelta: - description: Enables building of delta CRLs with up-to-date revocation - information, augmenting the last complete CRL. Vault 1.12+ - Enables or disables building of delta CRLs with up-to-date revocation - information, augmenting the last complete CRL. + description: |- + Enables building of delta CRLs with up-to-date revocation information, + augmenting the last complete CRL. Vault 1.12+ + Enables or disables building of delta CRLs with up-to-date revocation information, augmenting the last complete CRL. type: boolean expiry: - description: Specifies the time until expiration. Specifies the - time until expiration. + description: |- + Specifies the time until expiration. + Specifies the time until expiration. type: string id: type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string ocspDisable: - description: Disables the OCSP responder in Vault. Vault 1.12+ + description: |- + Disables the OCSP responder in Vault. Vault 1.12+ Disables or enables the OCSP responder in Vault. type: boolean ocspExpiry: - description: The amount of time an OCSP response can be cached - for, useful for OCSP stapling refresh durations. Vault 1.12+ - The amount of time an OCSP response can be cached for, useful - for OCSP stapling refresh durations. + description: |- + The amount of time an OCSP response can be cached for, useful for OCSP stapling + refresh durations. 
Vault 1.12+ + The amount of time an OCSP response can be cached for, useful for OCSP stapling refresh durations. type: string unifiedCrl: - description: Enables unified CRL and OCSP building. Vault 1.13+ + description: |- + Enables unified CRL and OCSP building. Vault 1.13+ Enables unified CRL and OCSP building. type: boolean unifiedCrlOnExistingPaths: - description: Enables serving the unified CRL and OCSP on the existing, - previously cluster-local paths. Vault 1.13+ Enables serving - the unified CRL and OCSP on the existing, previously cluster-local - paths. + description: |- + Enables serving the unified CRL and OCSP on the existing, previously + cluster-local paths. Vault 1.13+ + Enables serving the unified CRL and OCSP on the existing, previously cluster-local paths. type: boolean type: object conditions: @@ -494,14 +631,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. 
@@ -511,8 +657,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -521,6 +668,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/pki.vault.upbound.io_secretbackendintermediatecertrequests.yaml b/package/crds/pki.vault.upbound.io_secretbackendintermediatecertrequests.yaml index 521c6b8c..0335b3d9 100644 --- a/package/crds/pki.vault.upbound.io_secretbackendintermediatecertrequests.yaml +++ b/package/crds/pki.vault.upbound.io_secretbackendintermediatecertrequests.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretbackendintermediatecertrequests.pki.vault.upbound.io spec: group: pki.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: API. Generate a new private key and a CSR for signing the PKI. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -55,13 +60,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -69,234 +75,452 @@ spec: forProvider: properties: addBasicConstraints: - description: 'Adds a Basic Constraints extension with ''CA: true''. - Only needed as a workaround in some compatibility scenarios - with Active Directory Certificate Services Set ''CA: true'' - in a Basic Constraints extension. Only needed as a workaround - in some compatibility scenarios with Active Directory Certificate - Services.' + description: |- + Adds a Basic Constraints extension with 'CA: true'. + Only needed as a workaround in some compatibility scenarios with Active Directory + Certificate Services + Set 'CA: true' in a Basic Constraints extension. Only needed as + a workaround in some compatibility scenarios with Active Directory Certificate Services. type: boolean altNames: - description: List of alternative names List of alternative names. + description: |- + List of alternative names + List of alternative names. items: type: string type: array backend: - description: The PKI secret backend the resource belongs to. The - PKI secret backend the resource belongs to. + description: |- + The PKI secret backend the resource belongs to. + The PKI secret backend the resource belongs to. type: string + backendRef: + description: Reference to a Mount in vault to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. 
The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Mount in vault to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object commonName: - description: CN of intermediate to create CN of intermediate to - create. + description: |- + CN of intermediate to create + CN of intermediate to create. type: string country: - description: The country The country. + description: |- + The country + The country. type: string excludeCnFromSans: - description: Flag to exclude CN from SANs Flag to exclude CN from - SANs. + description: |- + Flag to exclude CN from SANs + Flag to exclude CN from SANs. 
type: boolean format: - description: The format of data The format of data. + description: |- + The format of data + The format of data. type: string ipSans: - description: List of alternative IPs List of alternative IPs. + description: |- + List of alternative IPs + List of alternative IPs. items: type: string type: array keyBits: - description: The number of bits to use The number of bits to use. + description: |- + The number of bits to use + The number of bits to use. type: number keyName: - description: When a new key is created with this request, optionally - specifies the name for this. The global ref default may not - be used as a name. When a new key is created with this request, - optionally specifies the name for this. + description: |- + When a new key is created with this request, optionally specifies + the name for this. The global ref default may not be used as a name. + When a new key is created with this request, optionally specifies the name for this. type: string keyRef: - description: Specifies the key (either default, by name, or by - identifier) to use for generating this request. Only suitable - for type=existing requests. Specifies the key to use for generating - this request. + description: |- + Specifies the key (either default, by name, or by identifier) to use + for generating this request. Only suitable for type=existing requests. + Specifies the key to use for generating this request. type: string keyType: - description: The desired key type The desired key type. + description: |- + The desired key type + The desired key type. type: string locality: - description: The locality The locality. + description: |- + The locality + The locality. type: string managedKeyId: - description: The ID of the previously configured managed key. - This field is required if type is kms and it conflicts with - managed_key_name The ID of the previously configured managed - key. + description: |- + The ID of the previously configured managed key. 
This field is + required if type is kms and it conflicts with managed_key_name + The ID of the previously configured managed key. type: string managedKeyName: - description: The name of the previously configured managed key. - This field is required if type is kms and it conflicts with - managed_key_id The name of the previously configured managed - key. + description: |- + The name of the previously configured managed key. This field is + required if type is kms and it conflicts with managed_key_id + The name of the previously configured managed key. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string organization: - description: The organization The organization. + description: |- + The organization + The organization. type: string otherSans: - description: List of other SANs List of other SANs. + description: |- + List of other SANs + List of other SANs. items: type: string type: array ou: - description: The organization unit The organization unit. + description: |- + The organization unit + The organization unit. type: string postalCode: - description: The postal code The postal code. + description: |- + The postal code + The postal code. type: string privateKeyFormat: - description: The private key format The private key format. + description: |- + The private key format + The private key format. type: string province: - description: The province The province. + description: |- + The province + The province. 
type: string streetAddress: - description: The street address The street address. + description: |- + The street address + The street address. type: string type: - description: Type of intermediate to create. Must be either "exported" - or "internal" or "kms" Type of intermediate to create. Must - be either "existing", "exported", "internal" or "kms" + description: |- + Type of intermediate to create. Must be either "exported" or "internal" + or "kms" + Type of intermediate to create. Must be either "existing", "exported", "internal" or "kms" type: string uriSans: - description: List of alternative URIs List of alternative URIs. + description: |- + List of alternative URIs + List of alternative URIs. items: type: string type: array type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. 
This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: addBasicConstraints: - description: 'Adds a Basic Constraints extension with ''CA: true''. - Only needed as a workaround in some compatibility scenarios - with Active Directory Certificate Services Set ''CA: true'' - in a Basic Constraints extension. Only needed as a workaround - in some compatibility scenarios with Active Directory Certificate - Services.' + description: |- + Adds a Basic Constraints extension with 'CA: true'. + Only needed as a workaround in some compatibility scenarios with Active Directory + Certificate Services + Set 'CA: true' in a Basic Constraints extension. Only needed as + a workaround in some compatibility scenarios with Active Directory Certificate Services. type: boolean altNames: - description: List of alternative names List of alternative names. + description: |- + List of alternative names + List of alternative names. items: type: string type: array backend: - description: The PKI secret backend the resource belongs to. The - PKI secret backend the resource belongs to. + description: |- + The PKI secret backend the resource belongs to. + The PKI secret backend the resource belongs to. type: string + backendRef: + description: Reference to a Mount in vault to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Mount in vault to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object commonName: - description: CN of intermediate to create CN of intermediate to - create. + description: |- + CN of intermediate to create + CN of intermediate to create. type: string country: - description: The country The country. + description: |- + The country + The country. 
type: string excludeCnFromSans: - description: Flag to exclude CN from SANs Flag to exclude CN from - SANs. + description: |- + Flag to exclude CN from SANs + Flag to exclude CN from SANs. type: boolean format: - description: The format of data The format of data. + description: |- + The format of data + The format of data. type: string ipSans: - description: List of alternative IPs List of alternative IPs. + description: |- + List of alternative IPs + List of alternative IPs. items: type: string type: array keyBits: - description: The number of bits to use The number of bits to use. + description: |- + The number of bits to use + The number of bits to use. type: number keyName: - description: When a new key is created with this request, optionally - specifies the name for this. The global ref default may not - be used as a name. When a new key is created with this request, - optionally specifies the name for this. + description: |- + When a new key is created with this request, optionally specifies + the name for this. The global ref default may not be used as a name. + When a new key is created with this request, optionally specifies the name for this. type: string keyRef: - description: Specifies the key (either default, by name, or by - identifier) to use for generating this request. Only suitable - for type=existing requests. Specifies the key to use for generating - this request. + description: |- + Specifies the key (either default, by name, or by identifier) to use + for generating this request. Only suitable for type=existing requests. + Specifies the key to use for generating this request. type: string keyType: - description: The desired key type The desired key type. + description: |- + The desired key type + The desired key type. type: string locality: - description: The locality The locality. + description: |- + The locality + The locality. type: string managedKeyId: - description: The ID of the previously configured managed key. 
- This field is required if type is kms and it conflicts with - managed_key_name The ID of the previously configured managed - key. + description: |- + The ID of the previously configured managed key. This field is + required if type is kms and it conflicts with managed_key_name + The ID of the previously configured managed key. type: string managedKeyName: - description: The name of the previously configured managed key. - This field is required if type is kms and it conflicts with - managed_key_id The name of the previously configured managed - key. + description: |- + The name of the previously configured managed key. This field is + required if type is kms and it conflicts with managed_key_id + The name of the previously configured managed key. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string organization: - description: The organization The organization. + description: |- + The organization + The organization. type: string otherSans: - description: List of other SANs List of other SANs. + description: |- + List of other SANs + List of other SANs. items: type: string type: array ou: - description: The organization unit The organization unit. + description: |- + The organization unit + The organization unit. type: string postalCode: - description: The postal code The postal code. + description: |- + The postal code + The postal code. 
type: string privateKeyFormat: - description: The private key format The private key format. + description: |- + The private key format + The private key format. type: string province: - description: The province The province. + description: |- + The province + The province. type: string streetAddress: - description: The street address The street address. + description: |- + The street address + The street address. type: string type: - description: Type of intermediate to create. Must be either "exported" - or "internal" or "kms" Type of intermediate to create. Must - be either "existing", "exported", "internal" or "kms" + description: |- + Type of intermediate to create. Must be either "exported" or "internal" + or "kms" + Type of intermediate to create. Must be either "existing", "exported", "internal" or "kms" type: string uriSans: - description: List of alternative URIs List of alternative URIs. + description: |- + List of alternative URIs + List of alternative URIs. items: type: string type: array 
@@ -304,20 +528,21 @@ spec: managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. 
+ description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -330,9 +555,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -342,57 +568,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -402,17 +592,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -422,21 +614,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -451,21 +643,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -476,14 +669,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -499,18 +693,14 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: backend is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) - || has(self.initProvider.backend)' - - message: commonName is a required parameter + - message: spec.forProvider.commonName is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.commonName) - || has(self.initProvider.commonName)' - - message: type is a required parameter + || (has(self.initProvider) && has(self.initProvider.commonName))' + - message: spec.forProvider.type is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.type) - || has(self.initProvider.type)' + || (has(self.initProvider) && has(self.initProvider.type))' status: description: SecretBackendIntermediateCertRequestStatus defines the observed state of SecretBackendIntermediateCertRequest. 
@@ -518,123 +708,163 @@ spec: atProvider: properties: addBasicConstraints: - description: 'Adds a Basic Constraints extension with ''CA: true''. - Only needed as a workaround in some compatibility scenarios - with Active Directory Certificate Services Set ''CA: true'' - in a Basic Constraints extension. Only needed as a workaround - in some compatibility scenarios with Active Directory Certificate - Services.' + description: |- + Adds a Basic Constraints extension with 'CA: true'. + Only needed as a workaround in some compatibility scenarios with Active Directory + Certificate Services + Set 'CA: true' in a Basic Constraints extension. Only needed as + a workaround in some compatibility scenarios with Active Directory Certificate Services. type: boolean altNames: - description: List of alternative names List of alternative names. + description: |- + List of alternative names + List of alternative names. items: type: string type: array backend: - description: The PKI secret backend the resource belongs to. The - PKI secret backend the resource belongs to. + description: |- + The PKI secret backend the resource belongs to. + The PKI secret backend the resource belongs to. type: string commonName: - description: CN of intermediate to create CN of intermediate to - create. + description: |- + CN of intermediate to create + CN of intermediate to create. type: string country: - description: The country The country. + description: |- + The country + The country. type: string csr: - description: The CSR The CSR. + description: |- + The CSR + The CSR. type: string excludeCnFromSans: - description: Flag to exclude CN from SANs Flag to exclude CN from - SANs. + description: |- + Flag to exclude CN from SANs + Flag to exclude CN from SANs. type: boolean format: - description: The format of data The format of data. + description: |- + The format of data + The format of data. type: string id: type: string ipSans: - description: List of alternative IPs List of alternative IPs. 
+ description: |- + List of alternative IPs + List of alternative IPs. items: type: string type: array keyBits: - description: The number of bits to use The number of bits to use. + description: |- + The number of bits to use + The number of bits to use. type: number keyId: - description: The ID of the generated key. The ID of the generated - key. + description: |- + The ID of the generated key. + The ID of the generated key. type: string keyName: - description: When a new key is created with this request, optionally - specifies the name for this. The global ref default may not - be used as a name. When a new key is created with this request, - optionally specifies the name for this. + description: |- + When a new key is created with this request, optionally specifies + the name for this. The global ref default may not be used as a name. + When a new key is created with this request, optionally specifies the name for this. type: string keyRef: - description: Specifies the key (either default, by name, or by - identifier) to use for generating this request. Only suitable - for type=existing requests. Specifies the key to use for generating - this request. + description: |- + Specifies the key (either default, by name, or by identifier) to use + for generating this request. Only suitable for type=existing requests. + Specifies the key to use for generating this request. type: string keyType: - description: The desired key type The desired key type. + description: |- + The desired key type + The desired key type. type: string locality: - description: The locality The locality. + description: |- + The locality + The locality. type: string managedKeyId: - description: The ID of the previously configured managed key. - This field is required if type is kms and it conflicts with - managed_key_name The ID of the previously configured managed - key. + description: |- + The ID of the previously configured managed key. 
This field is + required if type is kms and it conflicts with managed_key_name + The ID of the previously configured managed key. type: string managedKeyName: - description: The name of the previously configured managed key. - This field is required if type is kms and it conflicts with - managed_key_id The name of the previously configured managed - key. + description: |- + The name of the previously configured managed key. This field is + required if type is kms and it conflicts with managed_key_id + The name of the previously configured managed key. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string organization: - description: The organization The organization. + description: |- + The organization + The organization. type: string otherSans: - description: List of other SANs List of other SANs. + description: |- + List of other SANs + List of other SANs. items: type: string type: array ou: - description: The organization unit The organization unit. + description: |- + The organization unit + The organization unit. type: string postalCode: - description: The postal code The postal code. + description: |- + The postal code + The postal code. type: string privateKeyFormat: - description: The private key format The private key format. + description: |- + The private key format + The private key format. type: string privateKeyType: - description: The private key type The private key type. 
+ description: |- + The private key type + The private key type. type: string province: - description: The province The province. + description: |- + The province + The province. type: string streetAddress: - description: The street address The street address. + description: |- + The street address + The street address. type: string type: - description: Type of intermediate to create. Must be either "exported" - or "internal" or "kms" Type of intermediate to create. Must - be either "existing", "exported", "internal" or "kms" + description: |- + Type of intermediate to create. Must be either "exported" or "internal" + or "kms" + Type of intermediate to create. Must be either "existing", "exported", "internal" or "kms" type: string uriSans: - description: List of alternative URIs List of alternative URIs. + description: |- + List of alternative URIs + List of alternative URIs. items: type: string type: array 
@@ -645,14 +875,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -662,8 +901,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -672,6 +912,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/pki.vault.upbound.io_secretbackendintermediatesetsigneds.yaml b/package/crds/pki.vault.upbound.io_secretbackendintermediatesetsigneds.yaml index f1601985..04700843 100644 --- a/package/crds/pki.vault.upbound.io_secretbackendintermediatesetsigneds.yaml +++ b/package/crds/pki.vault.upbound.io_secretbackendintermediatesetsigneds.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretbackendintermediatesetsigneds.pki.vault.upbound.io spec: group: pki.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: API. Submit the PKI CA certificate. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -55,13 +60,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -69,71 +75,378 @@ spec: forProvider: properties: backend: - description: The PKI secret backend the resource belongs to. The - PKI secret backend the resource belongs to. + description: |- + The PKI secret backend the resource belongs to. + The PKI secret backend the resource belongs to. type: string + backendRef: + description: Reference to a Mount in vault to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Mount in vault to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 
'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object certificate: - description: Specifies the PEM encoded certificate. May optionally - append additional CA certificates to populate the whole chain, - which will then enable returning the full chain from issue and - sign operations. The certificate. + description: |- + Specifies the PEM encoded certificate. May optionally append additional + CA certificates to populate the whole chain, which will then enable returning the full chain from + issue and sign operations. + The certificate. type: string + certificateRef: + description: Reference to a SecretBackendRootSignIntermediate + in pki to populate certificate. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + certificateSelector: + description: Selector for a SecretBackendRootSignIntermediate + in pki to populate certificate. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. 
Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: backend: - description: The PKI secret backend the resource belongs to. The - PKI secret backend the resource belongs to. + description: |- + The PKI secret backend the resource belongs to. + The PKI secret backend the resource belongs to. type: string + backendRef: + description: Reference to a Mount in vault to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. 
+ The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Mount in vault to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object certificate: - description: Specifies the PEM encoded certificate. 
May optionally - append additional CA certificates to populate the whole chain, - which will then enable returning the full chain from issue and - sign operations. The certificate. + description: |- + Specifies the PEM encoded certificate. May optionally append additional + CA certificates to populate the whole chain, which will then enable returning the full chain from + issue and sign operations. + The certificate. type: string + certificateRef: + description: Reference to a SecretBackendRootSignIntermediate + in pki to populate certificate. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + certificateSelector: + description: Selector for a SecretBackendRootSignIntermediate + in pki to populate certificate. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. 
+ properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. 
See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -146,45 +459,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -194,21 +472,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -218,17 +496,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -238,21 +518,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -267,21 +547,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -292,14 +573,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. @@ -314,15 +596,6 @@ spec: required: - forProvider type: object - x-kubernetes-validations: - - message: backend is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) - || has(self.initProvider.backend)' - - message: certificate is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.certificate) - || has(self.initProvider.certificate)' status: description: SecretBackendIntermediateSetSignedStatus defines the observed state of SecretBackendIntermediateSetSigned. 
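Review bot: The second hunk on this line (`-314,15 +596,6`) drops both `x-kubernetes-validations` rules, so the API server no longer rejects a SecretBackendIntermediateSetSigned that supplies no `backend` or no `certificate`. Such an object would presumably fail only later, at reconcile. The removal appears to follow from the new `backendRef`/`backendSelector` and `certificateRef`/`certificateSelector` fields visible under `initProvider`, since the value can now arrive by reference, but nothing at admission checks that at least one source is set. This CRD is generated, so any fix belongs in the generator configuration rather than in this YAML. A rule such as `has(self.forProvider.backend) || has(self.forProvider.backendRef) || has(self.forProvider.backendSelector)`, with the matching `initProvider` terms and the same management-policy guard, would keep the early rejection; the `forProvider` reference fields are assumed, because that part of the schema lies outside this hunk.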
@@ -330,35 +603,41 @@ spec: atProvider: properties: backend: - description: The PKI secret backend the resource belongs to. The - PKI secret backend the resource belongs to. + description: |- + The PKI secret backend the resource belongs to. + The PKI secret backend the resource belongs to. type: string certificate: - description: Specifies the PEM encoded certificate. May optionally - append additional CA certificates to populate the whole chain, - which will then enable returning the full chain from issue and - sign operations. The certificate. + description: |- + Specifies the PEM encoded certificate. May optionally append additional + CA certificates to populate the whole chain, which will then enable returning the full chain from + issue and sign operations. + The certificate. type: string id: type: string importedIssuers: - description: The imported issuers indicating which issuers were - created as part of this request. The imported issuers. + description: |- + The imported issuers indicating which issuers were created as part of + this request. + The imported issuers. items: type: string type: array importedKeys: - description: The imported keys indicating which keys were created - as part of this request. The imported keys. + description: |- + The imported keys indicating which keys were created as part of this request. + The imported keys. items: type: string type: array namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. 
(requires Enterprise) type: string type: object conditions: @@ -367,14 +646,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -384,8 +672,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -394,6 +683,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/pki.vault.upbound.io_secretbackendroles.yaml b/package/crds/pki.vault.upbound.io_secretbackendroles.yaml index da60b776..936d8744 100644 --- a/package/crds/pki.vault.upbound.io_secretbackendroles.yaml +++ b/package/crds/pki.vault.upbound.io_secretbackendroles.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretbackendroles.pki.vault.upbound.io spec: group: pki.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: Create a role on an PKI Secret Backend for Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,531 +74,764 @@ spec: forProvider: properties: allowAnyName: - description: Flag to allow any name Flag to allow any name + description: |- + Flag to allow any name + Flag to allow any name type: boolean allowBareDomains: - description: Flag to allow certificates matching the actual domain + description: |- + Flag to allow certificates matching the actual domain Flag to allow certificates matching the actual domain. type: boolean allowGlobDomains: - description: Flag to allow names containing glob patterns. Flag - to allow names containing glob patterns. + description: |- + Flag to allow names containing glob patterns. + Flag to allow names containing glob patterns. type: boolean allowIpSans: - description: Flag to allow IP SANs Flag to allow IP SANs + description: |- + Flag to allow IP SANs + Flag to allow IP SANs type: boolean allowLocalhost: - description: Flag to allow certificates for localhost Flag to - allow certificates for localhost. + description: |- + Flag to allow certificates for localhost + Flag to allow certificates for localhost. type: boolean allowSubdomains: - description: Flag to allow certificates matching subdomains Flag - to allow certificates matching subdomains. + description: |- + Flag to allow certificates matching subdomains + Flag to allow certificates matching subdomains. type: boolean allowWildcardCertificates: - description: Flag to allow wildcard certificates. Flag to allow - wildcard certificates + description: |- + Flag to allow wildcard certificates. + Flag to allow wildcard certificates type: boolean allowedDomains: - description: List of allowed domains for certificates The domains - of the role. + description: |- + List of allowed domains for certificates + The domains of the role. items: type: string type: array allowedDomainsTemplate: - description: Flag, if set, allowed_domains can be specified using - identity template expressions such as {{identity.entity.aliases..name}}. 
Flag to indicate that `allowed_domains` specifies - a template expression (e.g. {{identity.entity.aliases..name}}) + description: |- + Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases..name}}. + Flag to indicate that `allowed_domains` specifies a template expression (e.g. {{identity.entity.aliases..name}}) type: boolean allowedOtherSans: - description: Defines allowed custom SANs Defines allowed custom - SANs + description: |- + Defines allowed custom SANs + Defines allowed custom SANs items: type: string type: array allowedSerialNumbers: - description: An array of allowed serial numbers to put in Subject + description: |- + An array of allowed serial numbers to put in Subject Defines allowed Subject serial numbers. items: type: string type: array allowedUriSans: - description: Defines allowed URI SANs Defines allowed URI SANs + description: |- + Defines allowed URI SANs + Defines allowed URI SANs items: type: string type: array allowedUriSansTemplate: - description: Flag, if set, allowed_uri_sans can be specified using - identity template expressions such as {{identity.entity.aliases..name}}. Flag to indicate that `allowed_uri_sans` specifies - a template expression (e.g. {{identity.entity.aliases..name}}) + description: |- + Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases..name}}. + Flag to indicate that `allowed_uri_sans` specifies a template expression (e.g. {{identity.entity.aliases..name}}) type: boolean allowedUserIds: - description: Defines allowed User IDs The allowed User ID's. + description: |- + Defines allowed User IDs + The allowed User ID's. items: type: string type: array backend: - description: The path the PKI secret backend is mounted at, with - no leading or trailing /s. The path of the PKI secret backend - the resource belongs to. 
+ description: |- + The path the PKI secret backend is mounted at, with no leading or trailing /s. + The path of the PKI secret backend the resource belongs to. type: string + backendRef: + description: Reference to a Mount in vault to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Mount in vault to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object basicConstraintsValidForNonCa: - description: Flag to mark basic constraints valid when issuing - non-CA certificates Flag to mark basic constraints valid when - issuing non-CA certificates. + description: |- + Flag to mark basic constraints valid when issuing non-CA certificates + Flag to mark basic constraints valid when issuing non-CA certificates. type: boolean clientFlag: - description: Flag to specify certificates for client use Flag - to specify certificates for client use. + description: |- + Flag to specify certificates for client use + Flag to specify certificates for client use. type: boolean codeSigningFlag: - description: Flag to specify certificates for code signing use + description: |- + Flag to specify certificates for code signing use Flag to specify certificates for code signing use. type: boolean country: - description: The country of generated certificates The country - of generated certificates. + description: |- + The country of generated certificates + The country of generated certificates. items: type: string type: array emailProtectionFlag: - description: Flag to specify certificates for email protection - use Flag to specify certificates for email protection use. + description: |- + Flag to specify certificates for email protection use + Flag to specify certificates for email protection use. 
type: boolean enforceHostnames: - description: Flag to allow only valid host names Flag to allow - only valid host names + description: |- + Flag to allow only valid host names + Flag to allow only valid host names type: boolean extKeyUsage: - description: Specify the allowed extended key usage constraint - on issued certificates Specify the allowed extended key usage - constraint on issued certificates. + description: |- + Specify the allowed extended key usage constraint on issued certificates + Specify the allowed extended key usage constraint on issued certificates. items: type: string type: array extKeyUsageOids: - description: Specify the allowed extended key usage OIDs constraint - on issued certificates A list of extended key usage OIDs. + description: |- + Specify the allowed extended key usage OIDs constraint on issued certificates + A list of extended key usage OIDs. items: type: string type: array generateLease: - description: Flag to generate leases with certificates Flag to - generate leases with certificates. + description: |- + Flag to generate leases with certificates + Flag to generate leases with certificates. type: boolean issuerRef: - description: Specifies the default issuer of this request. May - be the value default, a name, or an issuer ID. Use ACLs to prevent - access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths - to prevent users overriding the role's issuer_ref value. Specifies - the default issuer of this request. + description: |- + Specifies the default issuer of this request. May + be the value default, a name, or an issuer ID. Use ACLs to prevent access to + the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users + overriding the role's issuer_ref value. + Specifies the default issuer of this request. type: string keyBits: - description: The number of bits of generated keys The number of - bits of generated keys. + description: |- + The number of bits of generated keys + The number of bits of generated keys. 
type: number keyType: - description: 'The generated key type, choices: rsa, ec, ed25519, - any Defaults to rsa The generated key type.' + description: |- + The generated key type, choices: rsa, ec, ed25519, any + Defaults to rsa + The generated key type. type: string keyUsage: - description: Specify the allowed key usage constraint on issued - certificates. Defaults to ["DigitalSignature", "KeyAgreement", - "KeyEncipherment"]). To specify no default key usage constraints, - set this to an empty list []. Specify the allowed key usage - constraint on issued certificates. + description: |- + Specify the allowed key usage constraint on issued + certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]). + To specify no default key usage constraints, set this to an empty list []. + Specify the allowed key usage constraint on issued certificates. items: type: string type: array locality: - description: The locality of generated certificates The locality - of generated certificates. + description: |- + The locality of generated certificates + The locality of generated certificates. items: type: string type: array maxTtl: - description: The maximum lease TTL, in seconds, for the role. + description: |- + The maximum lease TTL, in seconds, for the role. The maximum TTL. type: string name: - description: The name to identify this role within the backend. - Must be unique within the backend. Unique name for the role. + description: |- + The name to identify this role within the backend. Must be unique within the backend. + Unique name for the role. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. 
+ The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string noStore: - description: Flag to not store certificates in the storage backend + description: |- + Flag to not store certificates in the storage backend Flag to not store certificates in the storage backend. type: boolean notBeforeDuration: - description: Specifies the duration by which to backdate the NotBefore - property. Specifies the duration by which to backdate the NotBefore - property. + description: |- + Specifies the duration by which to backdate the NotBefore property. + Specifies the duration by which to backdate the NotBefore property. type: string organization: - description: The organization of generated certificates The organization - of generated certificates. + description: |- + The organization of generated certificates + The organization of generated certificates. items: type: string type: array ou: - description: The organization unit of generated certificates The - organization unit of generated certificates. + description: |- + The organization unit of generated certificates + The organization unit of generated certificates. items: type: string type: array policyIdentifier: - description: '(Vault 1.11+ only) A block for specifying policy - identifers. The policy_identifier block can be repeated, and - supports the following arguments: Policy identifier block; can - only be used with Vault 1.11+' + description: |- + (Vault 1.11+ only) A block for specifying policy identifers. 
The policy_identifier block can be repeated, and supports the following arguments: + Policy identifier block; can only be used with Vault 1.11+ items: properties: cps: - description: The URL of the CPS for the policy identifier + description: |- + The URL of the CPS for the policy identifier Optional CPS URL type: string notice: - description: A notice for the policy identifier Optional - notice + description: |- + A notice for the policy identifier + Optional notice type: string oid: - description: The OID for the policy identifier OID + description: |- + The OID for the policy identifier + OID type: string type: object type: array policyIdentifiers: - description: Specify the list of allowed policies OIDs. Use with - Vault 1.10 or before. For Vault 1.11+, use policy_identifier - blocks instead Specify the list of allowed policies OIDs. + description: |- + Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead + Specify the list of allowed policies OIDs. items: type: string type: array postalCode: - description: The postal code of generated certificates The postal - code of generated certificates. + description: |- + The postal code of generated certificates + The postal code of generated certificates. items: type: string type: array province: - description: The province of generated certificates The province - of generated certificates. + description: |- + The province of generated certificates + The province of generated certificates. items: type: string type: array requireCn: - description: Flag to force CN usage Flag to force CN usage. + description: |- + Flag to force CN usage + Flag to force CN usage. type: boolean serverFlag: - description: Flag to specify certificates for server use Flag - to specify certificates for server use. + description: |- + Flag to specify certificates for server use + Flag to specify certificates for server use. 
type: boolean streetAddress: - description: The street address of generated certificates The - street address of generated certificates. + description: |- + The street address of generated certificates + The street address of generated certificates. items: type: string type: array ttl: - description: The TTL, in seconds, for any certificate issued against - this role. The TTL. + description: |- + The TTL, in seconds, for any certificate issued against this role. + The TTL. type: string useCsrCommonName: - description: Flag to use the CN in the CSR Flag to use the CN - in the CSR. + description: |- + Flag to use the CN in the CSR + Flag to use the CN in the CSR. type: boolean useCsrSans: - description: Flag to use the SANs in the CSR Flag to use the SANs - in the CSR. + description: |- + Flag to use the SANs in the CSR + Flag to use the SANs in the CSR. type: boolean type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. 
+ The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: allowAnyName: - description: Flag to allow any name Flag to allow any name + description: |- + Flag to allow any name + Flag to allow any name type: boolean allowBareDomains: - description: Flag to allow certificates matching the actual domain + description: |- + Flag to allow certificates matching the actual domain Flag to allow certificates matching the actual domain. type: boolean allowGlobDomains: - description: Flag to allow names containing glob patterns. Flag - to allow names containing glob patterns. + description: |- + Flag to allow names containing glob patterns. + Flag to allow names containing glob patterns. type: boolean allowIpSans: - description: Flag to allow IP SANs Flag to allow IP SANs + description: |- + Flag to allow IP SANs + Flag to allow IP SANs type: boolean allowLocalhost: - description: Flag to allow certificates for localhost Flag to - allow certificates for localhost. + description: |- + Flag to allow certificates for localhost + Flag to allow certificates for localhost. type: boolean allowSubdomains: - description: Flag to allow certificates matching subdomains Flag - to allow certificates matching subdomains. + description: |- + Flag to allow certificates matching subdomains + Flag to allow certificates matching subdomains. type: boolean allowWildcardCertificates: - description: Flag to allow wildcard certificates. Flag to allow - wildcard certificates + description: |- + Flag to allow wildcard certificates. + Flag to allow wildcard certificates type: boolean allowedDomains: - description: List of allowed domains for certificates The domains - of the role. 
+ description: |- + List of allowed domains for certificates + The domains of the role. items: type: string type: array allowedDomainsTemplate: - description: Flag, if set, allowed_domains can be specified using - identity template expressions such as {{identity.entity.aliases..name}}. Flag to indicate that `allowed_domains` specifies - a template expression (e.g. {{identity.entity.aliases..name}}) + description: |- + Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases..name}}. + Flag to indicate that `allowed_domains` specifies a template expression (e.g. {{identity.entity.aliases..name}}) type: boolean allowedOtherSans: - description: Defines allowed custom SANs Defines allowed custom - SANs + description: |- + Defines allowed custom SANs + Defines allowed custom SANs items: type: string type: array allowedSerialNumbers: - description: An array of allowed serial numbers to put in Subject + description: |- + An array of allowed serial numbers to put in Subject Defines allowed Subject serial numbers. items: type: string type: array allowedUriSans: - description: Defines allowed URI SANs Defines allowed URI SANs + description: |- + Defines allowed URI SANs + Defines allowed URI SANs items: type: string type: array allowedUriSansTemplate: - description: Flag, if set, allowed_uri_sans can be specified using - identity template expressions such as {{identity.entity.aliases..name}}. Flag to indicate that `allowed_uri_sans` specifies - a template expression (e.g. {{identity.entity.aliases..name}}) + description: |- + Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases..name}}. + Flag to indicate that `allowed_uri_sans` specifies a template expression (e.g. {{identity.entity.aliases..name}}) type: boolean allowedUserIds: - description: Defines allowed User IDs The allowed User ID's. 
+ description: |- + Defines allowed User IDs + The allowed User ID's. items: type: string type: array backend: - description: The path the PKI secret backend is mounted at, with - no leading or trailing /s. The path of the PKI secret backend - the resource belongs to. + description: |- + The path the PKI secret backend is mounted at, with no leading or trailing /s. + The path of the PKI secret backend the resource belongs to. type: string + backendRef: + description: Reference to a Mount in vault to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Mount in vault to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. 
+ properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object basicConstraintsValidForNonCa: - description: Flag to mark basic constraints valid when issuing - non-CA certificates Flag to mark basic constraints valid when - issuing non-CA certificates. + description: |- + Flag to mark basic constraints valid when issuing non-CA certificates + Flag to mark basic constraints valid when issuing non-CA certificates. type: boolean clientFlag: - description: Flag to specify certificates for client use Flag - to specify certificates for client use. + description: |- + Flag to specify certificates for client use + Flag to specify certificates for client use. type: boolean codeSigningFlag: - description: Flag to specify certificates for code signing use + description: |- + Flag to specify certificates for code signing use Flag to specify certificates for code signing use. type: boolean country: - description: The country of generated certificates The country - of generated certificates. + description: |- + The country of generated certificates + The country of generated certificates. items: type: string type: array emailProtectionFlag: - description: Flag to specify certificates for email protection - use Flag to specify certificates for email protection use. 
+ description: |- + Flag to specify certificates for email protection use + Flag to specify certificates for email protection use. type: boolean enforceHostnames: - description: Flag to allow only valid host names Flag to allow - only valid host names + description: |- + Flag to allow only valid host names + Flag to allow only valid host names type: boolean extKeyUsage: - description: Specify the allowed extended key usage constraint - on issued certificates Specify the allowed extended key usage - constraint on issued certificates. + description: |- + Specify the allowed extended key usage constraint on issued certificates + Specify the allowed extended key usage constraint on issued certificates. items: type: string type: array extKeyUsageOids: - description: Specify the allowed extended key usage OIDs constraint - on issued certificates A list of extended key usage OIDs. + description: |- + Specify the allowed extended key usage OIDs constraint on issued certificates + A list of extended key usage OIDs. items: type: string type: array generateLease: - description: Flag to generate leases with certificates Flag to - generate leases with certificates. + description: |- + Flag to generate leases with certificates + Flag to generate leases with certificates. type: boolean issuerRef: - description: Specifies the default issuer of this request. May - be the value default, a name, or an issuer ID. Use ACLs to prevent - access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths - to prevent users overriding the role's issuer_ref value. Specifies - the default issuer of this request. + description: |- + Specifies the default issuer of this request. May + be the value default, a name, or an issuer ID. Use ACLs to prevent access to + the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users + overriding the role's issuer_ref value. + Specifies the default issuer of this request. 
type: string keyBits: - description: The number of bits of generated keys The number of - bits of generated keys. + description: |- + The number of bits of generated keys + The number of bits of generated keys. type: number keyType: - description: 'The generated key type, choices: rsa, ec, ed25519, - any Defaults to rsa The generated key type.' + description: |- + The generated key type, choices: rsa, ec, ed25519, any + Defaults to rsa + The generated key type. type: string keyUsage: - description: Specify the allowed key usage constraint on issued - certificates. Defaults to ["DigitalSignature", "KeyAgreement", - "KeyEncipherment"]). To specify no default key usage constraints, - set this to an empty list []. Specify the allowed key usage - constraint on issued certificates. + description: |- + Specify the allowed key usage constraint on issued + certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]). + To specify no default key usage constraints, set this to an empty list []. + Specify the allowed key usage constraint on issued certificates. items: type: string type: array locality: - description: The locality of generated certificates The locality - of generated certificates. + description: |- + The locality of generated certificates + The locality of generated certificates. items: type: string type: array maxTtl: - description: The maximum lease TTL, in seconds, for the role. + description: |- + The maximum lease TTL, in seconds, for the role. The maximum TTL. type: string name: - description: The name to identify this role within the backend. - Must be unique within the backend. Unique name for the role. + description: |- + The name to identify this role within the backend. Must be unique within the backend. + Unique name for the role. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. 
The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string noStore: - description: Flag to not store certificates in the storage backend + description: |- + Flag to not store certificates in the storage backend Flag to not store certificates in the storage backend. type: boolean notBeforeDuration: - description: Specifies the duration by which to backdate the NotBefore - property. Specifies the duration by which to backdate the NotBefore - property. + description: |- + Specifies the duration by which to backdate the NotBefore property. + Specifies the duration by which to backdate the NotBefore property. type: string organization: - description: The organization of generated certificates The organization - of generated certificates. + description: |- + The organization of generated certificates + The organization of generated certificates. items: type: string type: array ou: - description: The organization unit of generated certificates The - organization unit of generated certificates. + description: |- + The organization unit of generated certificates + The organization unit of generated certificates. items: type: string type: array policyIdentifier: - description: '(Vault 1.11+ only) A block for specifying policy - identifers. The policy_identifier block can be repeated, and - supports the following arguments: Policy identifier block; can - only be used with Vault 1.11+' + description: |- + (Vault 1.11+ only) A block for specifying policy identifers. 
The policy_identifier block can be repeated, and supports the following arguments: + Policy identifier block; can only be used with Vault 1.11+ items: properties: cps: - description: The URL of the CPS for the policy identifier + description: |- + The URL of the CPS for the policy identifier Optional CPS URL type: string notice: - description: A notice for the policy identifier Optional - notice + description: |- + A notice for the policy identifier + Optional notice type: string oid: - description: The OID for the policy identifier OID + description: |- + The OID for the policy identifier + OID type: string type: object type: array policyIdentifiers: - description: Specify the list of allowed policies OIDs. Use with - Vault 1.10 or before. For Vault 1.11+, use policy_identifier - blocks instead Specify the list of allowed policies OIDs. + description: |- + Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead + Specify the list of allowed policies OIDs. items: type: string type: array postalCode: - description: The postal code of generated certificates The postal - code of generated certificates. + description: |- + The postal code of generated certificates + The postal code of generated certificates. items: type: string type: array province: - description: The province of generated certificates The province - of generated certificates. + description: |- + The province of generated certificates + The province of generated certificates. items: type: string type: array requireCn: - description: Flag to force CN usage Flag to force CN usage. + description: |- + Flag to force CN usage + Flag to force CN usage. type: boolean serverFlag: - description: Flag to specify certificates for server use Flag - to specify certificates for server use. + description: |- + Flag to specify certificates for server use + Flag to specify certificates for server use. 
type: boolean streetAddress: - description: The street address of generated certificates The - street address of generated certificates. + description: |- + The street address of generated certificates + The street address of generated certificates. items: type: string type: array ttl: - description: The TTL, in seconds, for any certificate issued against - this role. The TTL. + description: |- + The TTL, in seconds, for any certificate issued against this role. + The TTL. type: string useCsrCommonName: - description: Flag to use the CN in the CSR Flag to use the CN - in the CSR. + description: |- + Flag to use the CN in the CSR + Flag to use the CN in the CSR. type: boolean useCsrSans: - description: Flag to use the SANs in the CSR Flag to use the SANs - in the CSR. + description: |- + Flag to use the SANs in the CSR + Flag to use the SANs in the CSR. type: boolean type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. 
+ ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -605,9 +844,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -617,57 +857,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -677,17 +881,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -697,21 +903,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -726,21 +932,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -751,14 +958,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -774,267 +982,305 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: backend is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) - || has(self.initProvider.backend)' - - message: name is a required parameter + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' + || (has(self.initProvider) && has(self.initProvider.name))' status: description: SecretBackendRoleStatus defines the observed state of SecretBackendRole. properties: atProvider: properties: allowAnyName: - description: Flag to allow any name Flag to allow any name + description: |- + Flag to allow any name + Flag to allow any name type: boolean allowBareDomains: - description: Flag to allow certificates matching the actual domain + description: |- + Flag to allow certificates matching the actual domain Flag to allow certificates matching the actual domain. type: boolean allowGlobDomains: - description: Flag to allow names containing glob patterns. Flag - to allow names containing glob patterns. + description: |- + Flag to allow names containing glob patterns. + Flag to allow names containing glob patterns. type: boolean allowIpSans: - description: Flag to allow IP SANs Flag to allow IP SANs + description: |- + Flag to allow IP SANs + Flag to allow IP SANs type: boolean allowLocalhost: - description: Flag to allow certificates for localhost Flag to - allow certificates for localhost. + description: |- + Flag to allow certificates for localhost + Flag to allow certificates for localhost. type: boolean allowSubdomains: - description: Flag to allow certificates matching subdomains Flag - to allow certificates matching subdomains. 
+ description: |- + Flag to allow certificates matching subdomains + Flag to allow certificates matching subdomains. type: boolean allowWildcardCertificates: - description: Flag to allow wildcard certificates. Flag to allow - wildcard certificates + description: |- + Flag to allow wildcard certificates. + Flag to allow wildcard certificates type: boolean allowedDomains: - description: List of allowed domains for certificates The domains - of the role. + description: |- + List of allowed domains for certificates + The domains of the role. items: type: string type: array allowedDomainsTemplate: - description: Flag, if set, allowed_domains can be specified using - identity template expressions such as {{identity.entity.aliases..name}}. Flag to indicate that `allowed_domains` specifies - a template expression (e.g. {{identity.entity.aliases..name}}) + description: |- + Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases..name}}. + Flag to indicate that `allowed_domains` specifies a template expression (e.g. {{identity.entity.aliases..name}}) type: boolean allowedOtherSans: - description: Defines allowed custom SANs Defines allowed custom - SANs + description: |- + Defines allowed custom SANs + Defines allowed custom SANs items: type: string type: array allowedSerialNumbers: - description: An array of allowed serial numbers to put in Subject + description: |- + An array of allowed serial numbers to put in Subject Defines allowed Subject serial numbers. items: type: string type: array allowedUriSans: - description: Defines allowed URI SANs Defines allowed URI SANs + description: |- + Defines allowed URI SANs + Defines allowed URI SANs items: type: string type: array allowedUriSansTemplate: - description: Flag, if set, allowed_uri_sans can be specified using - identity template expressions such as {{identity.entity.aliases..name}}. 
Flag to indicate that `allowed_uri_sans` specifies - a template expression (e.g. {{identity.entity.aliases..name}}) + description: |- + Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases..name}}. + Flag to indicate that `allowed_uri_sans` specifies a template expression (e.g. {{identity.entity.aliases..name}}) type: boolean allowedUserIds: - description: Defines allowed User IDs The allowed User ID's. + description: |- + Defines allowed User IDs + The allowed User ID's. items: type: string type: array backend: - description: The path the PKI secret backend is mounted at, with - no leading or trailing /s. The path of the PKI secret backend - the resource belongs to. + description: |- + The path the PKI secret backend is mounted at, with no leading or trailing /s. + The path of the PKI secret backend the resource belongs to. type: string basicConstraintsValidForNonCa: - description: Flag to mark basic constraints valid when issuing - non-CA certificates Flag to mark basic constraints valid when - issuing non-CA certificates. + description: |- + Flag to mark basic constraints valid when issuing non-CA certificates + Flag to mark basic constraints valid when issuing non-CA certificates. type: boolean clientFlag: - description: Flag to specify certificates for client use Flag - to specify certificates for client use. + description: |- + Flag to specify certificates for client use + Flag to specify certificates for client use. type: boolean codeSigningFlag: - description: Flag to specify certificates for code signing use + description: |- + Flag to specify certificates for code signing use Flag to specify certificates for code signing use. type: boolean country: - description: The country of generated certificates The country - of generated certificates. + description: |- + The country of generated certificates + The country of generated certificates. 
items: type: string type: array emailProtectionFlag: - description: Flag to specify certificates for email protection - use Flag to specify certificates for email protection use. + description: |- + Flag to specify certificates for email protection use + Flag to specify certificates for email protection use. type: boolean enforceHostnames: - description: Flag to allow only valid host names Flag to allow - only valid host names + description: |- + Flag to allow only valid host names + Flag to allow only valid host names type: boolean extKeyUsage: - description: Specify the allowed extended key usage constraint - on issued certificates Specify the allowed extended key usage - constraint on issued certificates. + description: |- + Specify the allowed extended key usage constraint on issued certificates + Specify the allowed extended key usage constraint on issued certificates. items: type: string type: array extKeyUsageOids: - description: Specify the allowed extended key usage OIDs constraint - on issued certificates A list of extended key usage OIDs. + description: |- + Specify the allowed extended key usage OIDs constraint on issued certificates + A list of extended key usage OIDs. items: type: string type: array generateLease: - description: Flag to generate leases with certificates Flag to - generate leases with certificates. + description: |- + Flag to generate leases with certificates + Flag to generate leases with certificates. type: boolean id: type: string issuerRef: - description: Specifies the default issuer of this request. May - be the value default, a name, or an issuer ID. Use ACLs to prevent - access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths - to prevent users overriding the role's issuer_ref value. Specifies - the default issuer of this request. + description: |- + Specifies the default issuer of this request. May + be the value default, a name, or an issuer ID. 
Use ACLs to prevent access to + the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users + overriding the role's issuer_ref value. + Specifies the default issuer of this request. type: string keyBits: - description: The number of bits of generated keys The number of - bits of generated keys. + description: |- + The number of bits of generated keys + The number of bits of generated keys. type: number keyType: - description: 'The generated key type, choices: rsa, ec, ed25519, - any Defaults to rsa The generated key type.' + description: |- + The generated key type, choices: rsa, ec, ed25519, any + Defaults to rsa + The generated key type. type: string keyUsage: - description: Specify the allowed key usage constraint on issued - certificates. Defaults to ["DigitalSignature", "KeyAgreement", - "KeyEncipherment"]). To specify no default key usage constraints, - set this to an empty list []. Specify the allowed key usage - constraint on issued certificates. + description: |- + Specify the allowed key usage constraint on issued + certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]). + To specify no default key usage constraints, set this to an empty list []. + Specify the allowed key usage constraint on issued certificates. items: type: string type: array locality: - description: The locality of generated certificates The locality - of generated certificates. + description: |- + The locality of generated certificates + The locality of generated certificates. items: type: string type: array maxTtl: - description: The maximum lease TTL, in seconds, for the role. + description: |- + The maximum lease TTL, in seconds, for the role. The maximum TTL. type: string name: - description: The name to identify this role within the backend. - Must be unique within the backend. Unique name for the role. + description: |- + The name to identify this role within the backend. Must be unique within the backend. + Unique name for the role. 
type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string noStore: - description: Flag to not store certificates in the storage backend + description: |- + Flag to not store certificates in the storage backend Flag to not store certificates in the storage backend. type: boolean notBeforeDuration: - description: Specifies the duration by which to backdate the NotBefore - property. Specifies the duration by which to backdate the NotBefore - property. + description: |- + Specifies the duration by which to backdate the NotBefore property. + Specifies the duration by which to backdate the NotBefore property. type: string organization: - description: The organization of generated certificates The organization - of generated certificates. + description: |- + The organization of generated certificates + The organization of generated certificates. items: type: string type: array ou: - description: The organization unit of generated certificates The - organization unit of generated certificates. + description: |- + The organization unit of generated certificates + The organization unit of generated certificates. items: type: string type: array policyIdentifier: - description: '(Vault 1.11+ only) A block for specifying policy - identifers. 
The policy_identifier block can be repeated, and - supports the following arguments: Policy identifier block; can - only be used with Vault 1.11+' + description: |- + (Vault 1.11+ only) A block for specifying policy identifers. The policy_identifier block can be repeated, and supports the following arguments: + Policy identifier block; can only be used with Vault 1.11+ items: properties: cps: - description: The URL of the CPS for the policy identifier + description: |- + The URL of the CPS for the policy identifier Optional CPS URL type: string notice: - description: A notice for the policy identifier Optional - notice + description: |- + A notice for the policy identifier + Optional notice type: string oid: - description: The OID for the policy identifier OID + description: |- + The OID for the policy identifier + OID type: string type: object type: array policyIdentifiers: - description: Specify the list of allowed policies OIDs. Use with - Vault 1.10 or before. For Vault 1.11+, use policy_identifier - blocks instead Specify the list of allowed policies OIDs. + description: |- + Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead + Specify the list of allowed policies OIDs. items: type: string type: array postalCode: - description: The postal code of generated certificates The postal - code of generated certificates. + description: |- + The postal code of generated certificates + The postal code of generated certificates. items: type: string type: array province: - description: The province of generated certificates The province - of generated certificates. + description: |- + The province of generated certificates + The province of generated certificates. items: type: string type: array requireCn: - description: Flag to force CN usage Flag to force CN usage. + description: |- + Flag to force CN usage + Flag to force CN usage. 
type: boolean serverFlag: - description: Flag to specify certificates for server use Flag - to specify certificates for server use. + description: |- + Flag to specify certificates for server use + Flag to specify certificates for server use. type: boolean streetAddress: - description: The street address of generated certificates The - street address of generated certificates. + description: |- + The street address of generated certificates + The street address of generated certificates. items: type: string type: array ttl: - description: The TTL, in seconds, for any certificate issued against - this role. The TTL. + description: |- + The TTL, in seconds, for any certificate issued against this role. + The TTL. type: string useCsrCommonName: - description: Flag to use the CN in the CSR Flag to use the CN - in the CSR. + description: |- + Flag to use the CN in the CSR + Flag to use the CN in the CSR. type: boolean useCsrSans: - description: Flag to use the SANs in the CSR Flag to use the SANs - in the CSR. + description: |- + Flag to use the SANs in the CSR + Flag to use the SANs in the CSR. type: boolean type: object conditions: 
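Review bot: The `x-kubernetes-validations` list at the top of this hunk no longer has the `backend is a required parameter` rule, so a SecretBackendRole whose management policies include Create or Update is admitted with no PKI mount set at all. If the removal follows from `backend` becoming resolvable through a reference or selector (this commit adds `backendRef`/`backendSelector` to SecretBackendRootCert; the matching fields for this CRD are outside the hunk, so this is inferred), admission could still require one of the three, e.g. `has(self.forProvider.backend) || has(self.forProvider.backendRef) || has(self.forProvider.backendSelector)` under the same managementPolicies guard. Without that, a role with no mount is reported only as a reconcile failure instead of being rejected at apply time. The file appears to be controller-gen output, so the rule belongs in the generator configuration rather than in a hand edit here. The remaining message, `spec.forProvider.name is a required parameter`, is also narrower than its rule, which accepts `initProvider.name` too.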
@@ -1043,14 +1289,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -1060,8 +1315,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -1070,6 +1326,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/pki.vault.upbound.io_secretbackendrootcerts.yaml b/package/crds/pki.vault.upbound.io_secretbackendrootcerts.yaml index 2782170f..30c99e04 100644 --- a/package/crds/pki.vault.upbound.io_secretbackendrootcerts.yaml +++ b/package/crds/pki.vault.upbound.io_secretbackendrootcerts.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretbackendrootcerts.pki.vault.upbound.io spec: group: pki.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: API. Generate root. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,258 +74,482 @@ spec: forProvider: properties: altNames: - description: List of alternative names List of alternative names. + description: |- + List of alternative names + List of alternative names. items: type: string type: array backend: - description: The PKI secret backend the resource belongs to. The - PKI secret backend the resource belongs to. + description: |- + The PKI secret backend the resource belongs to. + The PKI secret backend the resource belongs to. type: string + backendRef: + description: Reference to a Mount in vault to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Mount in vault to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. 
+ properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object commonName: - description: CN of intermediate to create CN of root to create. + description: |- + CN of intermediate to create + CN of root to create. type: string country: - description: The country The country. + description: |- + The country + The country. type: string excludeCnFromSans: - description: Flag to exclude CN from SANs Flag to exclude CN from - SANs. + description: |- + Flag to exclude CN from SANs + Flag to exclude CN from SANs. type: boolean format: - description: The format of data The format of data. + description: |- + The format of data + The format of data. type: string ipSans: - description: List of alternative IPs List of alternative IPs. + description: |- + List of alternative IPs + List of alternative IPs. items: type: string type: array issuerName: - description: Provides a name to the specified issuer. The name - must be unique across all issuers and not be the reserved value - default Provides a name to the specified issuer. The name must - be unique across all issuers and not be the reserved value 'default'. + description: |- + Provides a name to the specified issuer. The name must be unique + across all issuers and not be the reserved value default + Provides a name to the specified issuer. 
The name must be unique across all issuers and not be the reserved value 'default'. type: string keyBits: - description: The number of bits to use The number of bits to use. + description: |- + The number of bits to use + The number of bits to use. type: number keyName: - description: When a new key is created with this request, optionally - specifies the name for this. The global ref default may not - be used as a name. When a new key is created with this request, - optionally specifies the name for this. + description: |- + When a new key is created with this request, optionally specifies + the name for this. The global ref default may not be used as a name. + When a new key is created with this request, optionally specifies the name for this. type: string keyRef: - description: Specifies the key (either default, by name, or by - identifier) to use for generating this request. Only suitable - for type=existing requests. Specifies the key to use for generating - this request. + description: |- + Specifies the key (either default, by name, or by identifier) to use + for generating this request. Only suitable for type=existing requests. + Specifies the key to use for generating this request. type: string keyType: - description: The desired key type The desired key type. + description: |- + The desired key type + The desired key type. type: string locality: - description: The locality The locality. + description: |- + The locality + The locality. type: string managedKeyId: - description: The ID of the previously configured managed key. - This field is required if type is kms and it conflicts with - managed_key_name The ID of the previously configured managed - key. + description: |- + The ID of the previously configured managed key. This field is + required if type is kms and it conflicts with managed_key_name + The ID of the previously configured managed key. type: string managedKeyName: - description: The name of the previously configured managed key. 
- This field is required if type is kms and it conflicts with - managed_key_id The name of the previously configured managed - key. + description: |- + The name of the previously configured managed key. This field is + required if type is kms and it conflicts with managed_key_id + The name of the previously configured managed key. type: string maxPathLength: - description: The maximum path length to encode in the generated - certificate The maximum path length to encode in the generated - certificate. + description: |- + The maximum path length to encode in the generated certificate + The maximum path length to encode in the generated certificate. type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string organization: - description: The organization The organization. + description: |- + The organization + The organization. type: string otherSans: - description: List of other SANs List of other SANs. + description: |- + List of other SANs + List of other SANs. items: type: string type: array ou: - description: The organization unit The organization unit. + description: |- + The organization unit + The organization unit. type: string permittedDnsDomains: - description: List of domains for which certificates are allowed - to be issued List of domains for which certificates are allowed - to be issued. 
+ description: |- + List of domains for which certificates are allowed to be issued + List of domains for which certificates are allowed to be issued. items: type: string type: array postalCode: - description: The postal code The postal code. + description: |- + The postal code + The postal code. type: string privateKeyFormat: - description: The private key format The private key format. + description: |- + The private key format + The private key format. type: string province: - description: The province The province. + description: |- + The province + The province. type: string streetAddress: - description: The street address The street address. + description: |- + The street address + The street address. type: string ttl: - description: Time to live Time to live. + description: |- + Time to live + Time to live. type: string type: - description: Type of intermediate to create. Must be either "exported", - "internal" or "kms" Type of root to create. Must be either "existing", - "exported", "internal" or "kms" + description: |- + Type of intermediate to create. Must be either "exported", "internal" + or "kms" + Type of root to create. Must be either "existing", "exported", "internal" or "kms" type: string uriSans: - description: List of alternative URIs List of alternative URIs. + description: |- + List of alternative URIs + List of alternative URIs. items: type: string type: array type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. 
This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: altNames: - description: List of alternative names List of alternative names. + description: |- + List of alternative names + List of alternative names. items: type: string type: array backend: - description: The PKI secret backend the resource belongs to. The - PKI secret backend the resource belongs to. + description: |- + The PKI secret backend the resource belongs to. + The PKI secret backend the resource belongs to. type: string + backendRef: + description: Reference to a Mount in vault to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. 
The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Mount in vault to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object commonName: - description: CN of intermediate to create CN of root to create. + description: |- + CN of intermediate to create + CN of root to create. type: string country: - description: The country The country. + description: |- + The country + The country. type: string excludeCnFromSans: - description: Flag to exclude CN from SANs Flag to exclude CN from - SANs. + description: |- + Flag to exclude CN from SANs + Flag to exclude CN from SANs. 
type: boolean format: - description: The format of data The format of data. + description: |- + The format of data + The format of data. type: string ipSans: - description: List of alternative IPs List of alternative IPs. + description: |- + List of alternative IPs + List of alternative IPs. items: type: string type: array issuerName: - description: Provides a name to the specified issuer. The name - must be unique across all issuers and not be the reserved value - default Provides a name to the specified issuer. The name must - be unique across all issuers and not be the reserved value 'default'. + description: |- + Provides a name to the specified issuer. The name must be unique + across all issuers and not be the reserved value default + Provides a name to the specified issuer. The name must be unique across all issuers and not be the reserved value 'default'. type: string keyBits: - description: The number of bits to use The number of bits to use. + description: |- + The number of bits to use + The number of bits to use. type: number keyName: - description: When a new key is created with this request, optionally - specifies the name for this. The global ref default may not - be used as a name. When a new key is created with this request, - optionally specifies the name for this. + description: |- + When a new key is created with this request, optionally specifies + the name for this. The global ref default may not be used as a name. + When a new key is created with this request, optionally specifies the name for this. type: string keyRef: - description: Specifies the key (either default, by name, or by - identifier) to use for generating this request. Only suitable - for type=existing requests. Specifies the key to use for generating - this request. + description: |- + Specifies the key (either default, by name, or by identifier) to use + for generating this request. Only suitable for type=existing requests. 
+ Specifies the key to use for generating this request. type: string keyType: - description: The desired key type The desired key type. + description: |- + The desired key type + The desired key type. type: string locality: - description: The locality The locality. + description: |- + The locality + The locality. type: string managedKeyId: - description: The ID of the previously configured managed key. - This field is required if type is kms and it conflicts with - managed_key_name The ID of the previously configured managed - key. + description: |- + The ID of the previously configured managed key. This field is + required if type is kms and it conflicts with managed_key_name + The ID of the previously configured managed key. type: string managedKeyName: - description: The name of the previously configured managed key. - This field is required if type is kms and it conflicts with - managed_key_id The name of the previously configured managed - key. + description: |- + The name of the previously configured managed key. This field is + required if type is kms and it conflicts with managed_key_id + The name of the previously configured managed key. type: string maxPathLength: - description: The maximum path length to encode in the generated - certificate The maximum path length to encode in the generated - certificate. + description: |- + The maximum path length to encode in the generated certificate + The maximum path length to encode in the generated certificate. type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. 
+ The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string organization: - description: The organization The organization. + description: |- + The organization + The organization. type: string otherSans: - description: List of other SANs List of other SANs. + description: |- + List of other SANs + List of other SANs. items: type: string type: array ou: - description: The organization unit The organization unit. + description: |- + The organization unit + The organization unit. type: string permittedDnsDomains: - description: List of domains for which certificates are allowed - to be issued List of domains for which certificates are allowed - to be issued. + description: |- + List of domains for which certificates are allowed to be issued + List of domains for which certificates are allowed to be issued. items: type: string type: array postalCode: - description: The postal code The postal code. + description: |- + The postal code + The postal code. type: string privateKeyFormat: - description: The private key format The private key format. + description: |- + The private key format + The private key format. type: string province: - description: The province The province. + description: |- + The province + The province. type: string streetAddress: - description: The street address The street address. + description: |- + The street address + The street address. type: string ttl: - description: Time to live Time to live. + description: |- + Time to live + Time to live. type: string type: - description: Type of intermediate to create. Must be either "exported", - "internal" or "kms" Type of root to create. Must be either "existing", - "exported", "internal" or "kms" + description: |- + Type of intermediate to create. Must be either "exported", "internal" + or "kms" + Type of root to create. 
Must be either "existing", "exported", "internal" or "kms" type: string uriSans: - description: List of alternative URIs List of alternative URIs. + description: |- + List of alternative URIs + List of alternative URIs. items: type: string type: array 
@@ -327,20 +557,21 @@ spec: managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. 
+ description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -353,45 +584,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -401,21 +597,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -425,17 +621,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -445,21 +643,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -474,21 +672,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -499,14 +698,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -522,18 +722,14 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: backend is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) - || has(self.initProvider.backend)' - - message: commonName is a required parameter + - message: spec.forProvider.commonName is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.commonName) - || has(self.initProvider.commonName)' - - message: type is a required parameter + || (has(self.initProvider) && has(self.initProvider.commonName))' + - message: spec.forProvider.type is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.type) - || has(self.initProvider.type)' + || (has(self.initProvider) && has(self.initProvider.type))' status: description: SecretBackendRootCertStatus defines the observed state of SecretBackendRootCert. 
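Review bot: Removing the `backend is a required parameter` rule from `x-kubernetes-validations` leaves no admission-time check that a backend is supplied at all. A spec with none of `backend`, `backendRef` or `backendSelector` would now be accepted by the API server and presumably only fail later, during reference resolution or reconcile. The rule does have to change so that a reference or selector can populate the field, but it could be widened rather than dropped, for example `has(self.forProvider.backend) || has(self.forProvider.backendRef) || has(self.forProvider.backendSelector)` plus the `has(self.initProvider) && …` equivalents, under the same management-policy precondition. Only the `initProvider` side of `backendRef`/`backendSelector` is visible on this part of the page, so the `forProvider` field names should be confirmed. Since this CRD appears to be generated output, any such rule belongs in the generator configuration rather than in a hand edit here.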
@@ -541,147 +737,188 @@ spec: atProvider: properties: altNames: - description: List of alternative names List of alternative names. + description: |- + List of alternative names + List of alternative names. items: type: string type: array backend: - description: The PKI secret backend the resource belongs to. The - PKI secret backend the resource belongs to. + description: |- + The PKI secret backend the resource belongs to. + The PKI secret backend the resource belongs to. type: string certificate: - description: The certificate. The certificate. + description: |- + The certificate. + The certificate. type: string commonName: - description: CN of intermediate to create CN of root to create. + description: |- + CN of intermediate to create + CN of root to create. type: string country: - description: The country The country. + description: |- + The country + The country. type: string excludeCnFromSans: - description: Flag to exclude CN from SANs Flag to exclude CN from - SANs. + description: |- + Flag to exclude CN from SANs + Flag to exclude CN from SANs. type: boolean format: - description: The format of data The format of data. + description: |- + The format of data + The format of data. type: string id: type: string ipSans: - description: List of alternative IPs List of alternative IPs. + description: |- + List of alternative IPs + List of alternative IPs. items: type: string type: array issuerId: - description: The ID of the generated issuer. The ID of the generated - issuer. + description: |- + The ID of the generated issuer. + The ID of the generated issuer. type: string issuerName: - description: Provides a name to the specified issuer. The name - must be unique across all issuers and not be the reserved value - default Provides a name to the specified issuer. The name must - be unique across all issuers and not be the reserved value 'default'. + description: |- + Provides a name to the specified issuer. 
The name must be unique + across all issuers and not be the reserved value default + Provides a name to the specified issuer. The name must be unique across all issuers and not be the reserved value 'default'. type: string issuingCa: - description: The issuing CA certificate. The issuing CA. + description: |- + The issuing CA certificate. + The issuing CA. type: string keyBits: - description: The number of bits to use The number of bits to use. + description: |- + The number of bits to use + The number of bits to use. type: number keyId: - description: The ID of the generated key. The ID of the generated - key. + description: |- + The ID of the generated key. + The ID of the generated key. type: string keyName: - description: When a new key is created with this request, optionally - specifies the name for this. The global ref default may not - be used as a name. When a new key is created with this request, - optionally specifies the name for this. + description: |- + When a new key is created with this request, optionally specifies + the name for this. The global ref default may not be used as a name. + When a new key is created with this request, optionally specifies the name for this. type: string keyRef: - description: Specifies the key (either default, by name, or by - identifier) to use for generating this request. Only suitable - for type=existing requests. Specifies the key to use for generating - this request. + description: |- + Specifies the key (either default, by name, or by identifier) to use + for generating this request. Only suitable for type=existing requests. + Specifies the key to use for generating this request. type: string keyType: - description: The desired key type The desired key type. + description: |- + The desired key type + The desired key type. type: string locality: - description: The locality The locality. + description: |- + The locality + The locality. 
type: string managedKeyId: - description: The ID of the previously configured managed key. - This field is required if type is kms and it conflicts with - managed_key_name The ID of the previously configured managed - key. + description: |- + The ID of the previously configured managed key. This field is + required if type is kms and it conflicts with managed_key_name + The ID of the previously configured managed key. type: string managedKeyName: - description: The name of the previously configured managed key. - This field is required if type is kms and it conflicts with - managed_key_id The name of the previously configured managed - key. + description: |- + The name of the previously configured managed key. This field is + required if type is kms and it conflicts with managed_key_id + The name of the previously configured managed key. type: string maxPathLength: - description: The maximum path length to encode in the generated - certificate The maximum path length to encode in the generated - certificate. + description: |- + The maximum path length to encode in the generated certificate + The maximum path length to encode in the generated certificate. type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string organization: - description: The organization The organization. + description: |- + The organization + The organization. type: string otherSans: - description: List of other SANs List of other SANs. 
+ description: |- + List of other SANs + List of other SANs. items: type: string type: array ou: - description: The organization unit The organization unit. + description: |- + The organization unit + The organization unit. type: string permittedDnsDomains: - description: List of domains for which certificates are allowed - to be issued List of domains for which certificates are allowed - to be issued. + description: |- + List of domains for which certificates are allowed to be issued + List of domains for which certificates are allowed to be issued. items: type: string type: array postalCode: - description: The postal code The postal code. + description: |- + The postal code + The postal code. type: string privateKeyFormat: - description: The private key format The private key format. + description: |- + The private key format + The private key format. type: string province: - description: The province The province. - type: string - serial: - description: Deprecated, use serial_number instead. The serial - number. + description: |- + The province + The province. type: string serialNumber: - description: The certificate's serial number, hex formatted. The - certificate's serial number, hex formatted. + description: |- + The certificate's serial number, hex formatted. + The certificate's serial number, hex formatted. type: string streetAddress: - description: The street address The street address. + description: |- + The street address + The street address. type: string ttl: - description: Time to live Time to live. + description: |- + Time to live + Time to live. type: string type: - description: Type of intermediate to create. Must be either "exported", - "internal" or "kms" Type of root to create. Must be either "existing", - "exported", "internal" or "kms" + description: |- + Type of intermediate to create. Must be either "exported", "internal" + or "kms" + Type of root to create. 
Must be either "existing", "exported", "internal" or "kms" type: string uriSans: - description: List of alternative URIs List of alternative URIs. + description: |- + List of alternative URIs + List of alternative URIs. items: type: string type: array @@ -692,14 +929,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -709,8 +955,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime 
@@ -719,6 +966,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/pki.vault.upbound.io_secretbackendrootsignintermediates.yaml b/package/crds/pki.vault.upbound.io_secretbackendrootsignintermediates.yaml index 7c6ca8a4..9e672729 100644 --- a/package/crds/pki.vault.upbound.io_secretbackendrootsignintermediates.yaml +++ b/package/crds/pki.vault.upbound.io_secretbackendrootsignintermediates.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretbackendrootsignintermediates.pki.vault.upbound.io spec: group: pki.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -55,13 +60,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -151,17 +157,17 @@ spec: type: boolean type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: altNames: description: List of alternative names. 
@@ -248,20 +254,21 @@ spec: managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. 
+ description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -274,9 +281,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -286,57 +294,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -346,17 +318,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -366,21 +340,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -395,21 +369,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -420,14 +395,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -443,18 +419,18 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: backend is a required parameter + - message: spec.forProvider.backend is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) - || has(self.initProvider.backend)' - - message: commonName is a required parameter + || (has(self.initProvider) && has(self.initProvider.backend))' + - message: spec.forProvider.commonName is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.commonName) - || has(self.initProvider.commonName)' - - message: csr is a required parameter + || (has(self.initProvider) && has(self.initProvider.commonName))' + - message: spec.forProvider.csr is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.csr) - || has(self.initProvider.csr)' + || (has(self.initProvider) && has(self.initProvider.csr))' status: description: SecretBackendRootSignIntermediateStatus defines the observed state of SecretBackendRootSignIntermediate. @@ -547,9 +523,6 @@ spec: revoke: description: Revoke the certificate upon resource destruction. type: boolean - serial: - description: The serial number. - type: string serialNumber: description: The certificate's serial number, hex formatted. type: string 
@@ -574,14 +547,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -591,8 +573,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -601,6 +584,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/pki.vault.upbound.io_secretbackendsigns.yaml b/package/crds/pki.vault.upbound.io_secretbackendsigns.yaml index 60fe6a69..4b65b162 100644 --- a/package/crds/pki.vault.upbound.io_secretbackendsigns.yaml +++ b/package/crds/pki.vault.upbound.io_secretbackendsigns.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretbackendsigns.pki.vault.upbound.io spec: group: pki.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: Sign a new certificate based on the CSR by the PKI. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,158 +74,494 @@ spec: forProvider: properties: altNames: - description: List of alternative names List of alternative names. + description: |- + List of alternative names + List of alternative names. items: type: string type: array autoRenew: - description: If set to true, certs will be renewed if the expiration - is within min_seconds_remaining. Default false If enabled, a - new certificate will be generated if the expiration is within - min_seconds_remaining + description: |- + If set to true, certs will be renewed if the expiration is within min_seconds_remaining. Default false + If enabled, a new certificate will be generated if the expiration is within min_seconds_remaining type: boolean backend: - description: The PKI secret backend the resource belongs to. The - PKI secret backend the resource belongs to. + description: |- + The PKI secret backend the resource belongs to. + The PKI secret backend the resource belongs to. type: string + backendRef: + description: Reference to a Mount in vault to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Mount in vault to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object commonName: - description: CN of certificate to create CN of intermediate to - create. + description: |- + CN of certificate to create + CN of intermediate to create. type: string csr: - description: The CSR The CSR. + description: |- + The CSR + The CSR. type: string excludeCnFromSans: - description: Flag to exclude CN from SANs Flag to exclude CN from - SANs. + description: |- + Flag to exclude CN from SANs + Flag to exclude CN from SANs. type: boolean format: - description: The format of data The format of data. + description: |- + The format of data + The format of data. type: string ipSans: - description: List of alternative IPs List of alternative IPs. 
+ description: |- + List of alternative IPs + List of alternative IPs. items: type: string type: array issuerRef: - description: Specifies the default issuer of this request. Can - be the value default, a name, or an issuer ID. Use ACLs to prevent - access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths - to prevent users overriding the role's issuer_ref value. Specifies - the default issuer of this request. + description: |- + Specifies the default issuer of this request. Can + be the value default, a name, or an issuer ID. Use ACLs to prevent access to + the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users + overriding the role's issuer_ref value. + Specifies the default issuer of this request. type: string minSecondsRemaining: - description: Generate a new certificate when the expiration is - within this number of seconds, default is 604800 (7 days) Generate - a new certificate when the expiration is within this number - of seconds + description: |- + Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days) + Generate a new certificate when the expiration is within this number of seconds type: number name: - description: Name of the role to create the certificate against + description: |- + Name of the role to create the certificate against Name of the role to create the certificate against. type: string + nameRef: + description: Reference to a SecretBackendRole in pki to populate + name. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + nameSelector: + description: Selector for a SecretBackendRole in pki to populate + name. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. 
+ The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string otherSans: - description: List of other SANs List of other SANs. + description: |- + List of other SANs + List of other SANs. items: type: string type: array ttl: - description: Time to live Time to live. + description: |- + Time to live + Time to live. type: string uriSans: - description: List of alternative URIs List of alternative URIs. + description: |- + List of alternative URIs + List of alternative URIs. items: type: string type: array type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. 
This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: altNames: - description: List of alternative names List of alternative names. + description: |- + List of alternative names + List of alternative names. items: type: string type: array autoRenew: - description: If set to true, certs will be renewed if the expiration - is within min_seconds_remaining. Default false If enabled, a - new certificate will be generated if the expiration is within - min_seconds_remaining + description: |- + If set to true, certs will be renewed if the expiration is within min_seconds_remaining. Default false + If enabled, a new certificate will be generated if the expiration is within min_seconds_remaining type: boolean backend: - description: The PKI secret backend the resource belongs to. The - PKI secret backend the resource belongs to. + description: |- + The PKI secret backend the resource belongs to. + The PKI secret backend the resource belongs to. type: string + backendRef: + description: Reference to a Mount in vault to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Mount in vault to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object commonName: - description: CN of certificate to create CN of intermediate to - create. + description: |- + CN of certificate to create + CN of intermediate to create. type: string csr: - description: The CSR The CSR. + description: |- + The CSR + The CSR. type: string excludeCnFromSans: - description: Flag to exclude CN from SANs Flag to exclude CN from - SANs. + description: |- + Flag to exclude CN from SANs + Flag to exclude CN from SANs. type: boolean format: - description: The format of data The format of data. + description: |- + The format of data + The format of data. type: string ipSans: - description: List of alternative IPs List of alternative IPs. 
+ description: |- + List of alternative IPs + List of alternative IPs. items: type: string type: array issuerRef: - description: Specifies the default issuer of this request. Can - be the value default, a name, or an issuer ID. Use ACLs to prevent - access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths - to prevent users overriding the role's issuer_ref value. Specifies - the default issuer of this request. + description: |- + Specifies the default issuer of this request. Can + be the value default, a name, or an issuer ID. Use ACLs to prevent access to + the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users + overriding the role's issuer_ref value. + Specifies the default issuer of this request. type: string minSecondsRemaining: - description: Generate a new certificate when the expiration is - within this number of seconds, default is 604800 (7 days) Generate - a new certificate when the expiration is within this number - of seconds + description: |- + Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days) + Generate a new certificate when the expiration is within this number of seconds type: number name: - description: Name of the role to create the certificate against + description: |- + Name of the role to create the certificate against Name of the role to create the certificate against. type: string + nameRef: + description: Reference to a SecretBackendRole in pki to populate + name. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + nameSelector: + description: Selector for a SecretBackendRole in pki to populate + name. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. 
+ The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string otherSans: - description: List of other SANs List of other SANs. + description: |- + List of other SANs + List of other SANs. items: type: string type: array ttl: - description: Time to live Time to live. + description: |- + Time to live + Time to live. type: string uriSans: - description: List of alternative URIs List of alternative URIs. + description: |- + List of alternative URIs + List of alternative URIs. items: type: string type: array 
@@ -227,20 +569,21 @@ spec: managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. 
+ description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -253,45 +596,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -301,21 +609,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -325,17 +633,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -345,21 +655,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -374,21 +684,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -399,14 +710,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -422,127 +734,139 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: backend is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) - || has(self.initProvider.backend)' - - message: commonName is a required parameter + - message: spec.forProvider.commonName is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.commonName) - || has(self.initProvider.commonName)' - - message: csr is a required parameter + || (has(self.initProvider) && has(self.initProvider.commonName))' + - message: spec.forProvider.csr is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.csr) - || has(self.initProvider.csr)' - - message: name is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' + || (has(self.initProvider) && has(self.initProvider.csr))' status: description: SecretBackendSignStatus defines the observed state of SecretBackendSign. properties: atProvider: properties: altNames: - description: List of alternative names List of alternative names. + description: |- + List of alternative names + List of alternative names. items: type: string type: array autoRenew: - description: If set to true, certs will be renewed if the expiration - is within min_seconds_remaining. Default false If enabled, a - new certificate will be generated if the expiration is within - min_seconds_remaining + description: |- + If set to true, certs will be renewed if the expiration is within min_seconds_remaining. 
Default false + If enabled, a new certificate will be generated if the expiration is within min_seconds_remaining type: boolean backend: - description: The PKI secret backend the resource belongs to. The - PKI secret backend the resource belongs to. + description: |- + The PKI secret backend the resource belongs to. + The PKI secret backend the resource belongs to. type: string caChain: - description: The CA chain The CA chain. + description: |- + The CA chain + The CA chain. items: type: string type: array certificate: - description: The certificate The certicate. + description: |- + The certificate + The certicate. type: string commonName: - description: CN of certificate to create CN of intermediate to - create. + description: |- + CN of certificate to create + CN of intermediate to create. type: string csr: - description: The CSR The CSR. + description: |- + The CSR + The CSR. type: string excludeCnFromSans: - description: Flag to exclude CN from SANs Flag to exclude CN from - SANs. + description: |- + Flag to exclude CN from SANs + Flag to exclude CN from SANs. type: boolean expiration: - description: The expiration date of the certificate in unix epoch - format The certificate expiration as a Unix-style timestamp. + description: |- + The expiration date of the certificate in unix epoch format + The certificate expiration as a Unix-style timestamp. type: number format: - description: The format of data The format of data. + description: |- + The format of data + The format of data. type: string id: type: string ipSans: - description: List of alternative IPs List of alternative IPs. + description: |- + List of alternative IPs + List of alternative IPs. items: type: string type: array issuerRef: - description: Specifies the default issuer of this request. Can - be the value default, a name, or an issuer ID. Use ACLs to prevent - access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths - to prevent users overriding the role's issuer_ref value. 
Specifies - the default issuer of this request. + description: |- + Specifies the default issuer of this request. Can + be the value default, a name, or an issuer ID. Use ACLs to prevent access to + the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users + overriding the role's issuer_ref value. + Specifies the default issuer of this request. type: string issuingCa: - description: The issuing CA The issuing CA. + description: |- + The issuing CA + The issuing CA. type: string minSecondsRemaining: - description: Generate a new certificate when the expiration is - within this number of seconds, default is 604800 (7 days) Generate - a new certificate when the expiration is within this number - of seconds + description: |- + Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days) + Generate a new certificate when the expiration is within this number of seconds type: number name: - description: Name of the role to create the certificate against + description: |- + Name of the role to create the certificate against Name of the role to create the certificate against. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string otherSans: - description: List of other SANs List of other SANs. + description: |- + List of other SANs + List of other SANs. 
items: type: string type: array renewPending: - description: true if the current time (during refresh) is after - the start of the early renewal window declared by min_seconds_remaining, - and false otherwise; if auto_renew is set to true then the provider - will plan to replace the certificate once renewal is pending. - Initially false, and then set to true during refresh once the - expiration is less than min_seconds_remaining in the future. + description: |- + true if the current time (during refresh) is after the start of the early renewal window declared by min_seconds_remaining, and false otherwise; if auto_renew is set to true then the provider will plan to replace the certificate once renewal is pending. + Initially false, and then set to true during refresh once the expiration is less than min_seconds_remaining in the future. type: boolean - serial: - description: Use serial_number instead. The serial number. - type: string serialNumber: - description: The certificate's serial number, hex formatted. The - certificate's serial number, hex formatted. + description: |- + The certificate's serial number, hex formatted. + The certificate's serial number, hex formatted. type: string ttl: - description: Time to live Time to live. + description: |- + Time to live + Time to live. type: string uriSans: - description: List of alternative URIs List of alternative URIs. + description: |- + List of alternative URIs + List of alternative URIs. items: type: string type: array 
@@ -553,14 +877,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -570,8 +903,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -580,6 +914,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/quota.vault.upbound.io_leasecounts.yaml b/package/crds/quota.vault.upbound.io_leasecounts.yaml index bf7615e2..9712d8d7 100644 --- a/package/crds/quota.vault.upbound.io_leasecounts.yaml +++ b/package/crds/quota.vault.upbound.io_leasecounts.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: leasecounts.quota.vault.upbound.io spec: group: quota.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: Count Quota properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,125 +59,131 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete type: string forProvider: properties: + inheritable: + description: |- + If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+. + If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. 
+ type: boolean maxLeases: - description: The maximum number of leases to be allowed by the - quota rule. The max_leases must be positive. The maximum number - of leases to be allowed by the quota rule. The max_leases must - be positive. + description: |- + The maximum number of leases to be allowed by the quota + rule. The max_leases must be positive. + The maximum number of leases to be allowed by the quota rule. The max_leases must be positive. type: number name: - description: Name of the rate limit quota The name of the quota. + description: |- + Name of the rate limit quota + The name of the quota. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: Path of the mount or namespace to apply the quota. - A blank path configures a global rate limit quota. For example - namespace1/ adds a quota to a full namespace, namespace1/auth/userpass - adds a quota to userpass in namespace1. Updating this field - on an existing quota can have "moving" effects. For example, - updating auth/userpass to namespace1/auth/userpass moves this - quota from being a global mount quota to a namespace specific - mount quota. Note, namespaces are supported in Enterprise only. - Path of the mount or namespace to apply the quota. A blank path - configures a global lease count quota. + description: |- + Path of the mount or namespace to apply the quota. A blank path configures a + global rate limit quota. 
For example namespace1/ adds a quota to a full namespace, + namespace1/auth/userpass adds a quota to userpass in namespace1. + Updating this field on an existing quota can have "moving" effects. For example, updating + auth/userpass to namespace1/auth/userpass moves this quota from being a global mount quota to + a namespace specific mount quota. Note, namespaces are supported in Enterprise only. + Path of the mount or namespace to apply the quota. A blank path configures a global lease count quota. type: string role: - description: If set on a quota where path is set to an auth mount - with a concept of roles (such as /auth/approle/), this will - make the quota restrict login requests to that mount that are - made with the specified role. If set on a quota where path is - set to an auth mount with a concept of roles (such as /auth/approle/), - this will make the quota restrict login requests to that mount - that are made with the specified role. + description: |- + If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. + If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. 
This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: + inheritable: + description: |- + If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+. + If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. + type: boolean maxLeases: - description: The maximum number of leases to be allowed by the - quota rule. The max_leases must be positive. The maximum number - of leases to be allowed by the quota rule. The max_leases must - be positive. + description: |- + The maximum number of leases to be allowed by the quota + rule. The max_leases must be positive. + The maximum number of leases to be allowed by the quota rule. The max_leases must be positive. 
type: number name: - description: Name of the rate limit quota The name of the quota. + description: |- + Name of the rate limit quota + The name of the quota. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: Path of the mount or namespace to apply the quota. - A blank path configures a global rate limit quota. For example - namespace1/ adds a quota to a full namespace, namespace1/auth/userpass - adds a quota to userpass in namespace1. Updating this field - on an existing quota can have "moving" effects. For example, - updating auth/userpass to namespace1/auth/userpass moves this - quota from being a global mount quota to a namespace specific - mount quota. Note, namespaces are supported in Enterprise only. - Path of the mount or namespace to apply the quota. A blank path - configures a global lease count quota. + description: |- + Path of the mount or namespace to apply the quota. A blank path configures a + global rate limit quota. For example namespace1/ adds a quota to a full namespace, + namespace1/auth/userpass adds a quota to userpass in namespace1. + Updating this field on an existing quota can have "moving" effects. For example, updating + auth/userpass to namespace1/auth/userpass moves this quota from being a global mount quota to + a namespace specific mount quota. Note, namespaces are supported in Enterprise only. + Path of the mount or namespace to apply the quota. 
A blank path configures a global lease count quota. type: string role: - description: If set on a quota where path is set to an auth mount - with a concept of roles (such as /auth/approle/), this will - make the quota restrict login requests to that mount that are - made with the specified role. If set on a quota where path is - set to an auth mount with a concept of roles (such as /auth/approle/), - this will make the quota restrict login requests to that mount - that are made with the specified role. + description: |- + If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. + If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. 
It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -185,45 +196,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -233,21 +209,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -257,17 +233,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -277,21 +255,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -306,21 +284,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -331,14 +310,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -354,14 +334,14 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: maxLeases is a required parameter + - message: spec.forProvider.maxLeases is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.maxLeases) - || has(self.initProvider.maxLeases)' - - message: name is a required parameter + || (has(self.initProvider) && has(self.initProvider.maxLeases))' + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' + || (has(self.initProvider) && has(self.initProvider.name))' status: description: LeaseCountStatus defines the observed state of LeaseCount. properties: 
@@ -369,42 +349,44 @@ spec: properties: id: type: string + inheritable: + description: |- + If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+. + If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. + type: boolean maxLeases: - description: The maximum number of leases to be allowed by the - quota rule. The max_leases must be positive. The maximum number - of leases to be allowed by the quota rule. The max_leases must - be positive. + description: |- + The maximum number of leases to be allowed by the quota + rule. The max_leases must be positive. + The maximum number of leases to be allowed by the quota rule. The max_leases must be positive. type: number name: - description: Name of the rate limit quota The name of the quota. + description: |- + Name of the rate limit quota + The name of the quota. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. 
(requires Enterprise) type: string path: - description: Path of the mount or namespace to apply the quota. - A blank path configures a global rate limit quota. For example - namespace1/ adds a quota to a full namespace, namespace1/auth/userpass - adds a quota to userpass in namespace1. Updating this field - on an existing quota can have "moving" effects. For example, - updating auth/userpass to namespace1/auth/userpass moves this - quota from being a global mount quota to a namespace specific - mount quota. Note, namespaces are supported in Enterprise only. - Path of the mount or namespace to apply the quota. A blank path - configures a global lease count quota. + description: |- + Path of the mount or namespace to apply the quota. A blank path configures a + global rate limit quota. For example namespace1/ adds a quota to a full namespace, + namespace1/auth/userpass adds a quota to userpass in namespace1. + Updating this field on an existing quota can have "moving" effects. For example, updating + auth/userpass to namespace1/auth/userpass moves this quota from being a global mount quota to + a namespace specific mount quota. Note, namespaces are supported in Enterprise only. + Path of the mount or namespace to apply the quota. A blank path configures a global lease count quota. type: string role: - description: If set on a quota where path is set to an auth mount - with a concept of roles (such as /auth/approle/), this will - make the quota restrict login requests to that mount that are - made with the specified role. If set on a quota where path is - set to an auth mount with a concept of roles (such as /auth/approle/), - this will make the quota restrict login requests to that mount - that are made with the specified role. + description: |- + If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. 
+ If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. type: string type: object conditions: @@ -413,14 +395,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -430,8 +421,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime 
@@ -440,6 +432,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/quota.vault.upbound.io_ratelimits.yaml b/package/crds/quota.vault.upbound.io_ratelimits.yaml index c6d36a02..41de6961 100644 --- a/package/crds/quota.vault.upbound.io_ratelimits.yaml +++ b/package/crds/quota.vault.upbound.io_ratelimits.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: ratelimits.quota.vault.upbound.io spec: group: quota.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: Quota properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,135 +74,138 @@ spec: forProvider: properties: blockInterval: - description: If set, when a client reaches a rate limit threshold, - the client will be prohibited from any further requests until - after the 'block_interval' in seconds has elapsed. If set, when - a client reaches a rate limit threshold, the client will be - prohibited from any further requests until after the 'block_interval' - in seconds has elapsed. + description: |- + If set, when a client reaches a rate limit threshold, the client will + be prohibited from any further requests until after the 'block_interval' in seconds has elapsed. + If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' in seconds has elapsed. type: number + inheritable: + description: |- + If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+. + If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. + type: boolean interval: - description: The duration in seconds to enforce rate limiting - for. The duration in seconds to enforce rate limiting for. + description: |- + The duration in seconds to enforce rate limiting for. + The duration in seconds to enforce rate limiting for. type: number name: - description: Name of the rate limit quota The name of the quota. + description: |- + Name of the rate limit quota + The name of the quota. type: string namespace: - description: The namespace to provision the resource in. 
The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: Path of the mount or namespace to apply the quota. - A blank path configures a global rate limit quota. For example - namespace1/ adds a quota to a full namespace, namespace1/auth/userpass - adds a quota to userpass in namespace1. Updating this field - on an existing quota can have "moving" effects. For example, - updating auth/userpass to namespace1/auth/userpass moves this - quota from being a global mount quota to a namespace specific - mount quota. Note, namespaces are supported in Enterprise only. - Path of the mount or namespace to apply the quota. A blank path - configures a global rate limit quota. + description: |- + Path of the mount or namespace to apply the quota. A blank path configures a + global rate limit quota. For example namespace1/ adds a quota to a full namespace, + namespace1/auth/userpass adds a quota to userpass in namespace1. + Updating this field on an existing quota can have "moving" effects. For example, updating + auth/userpass to namespace1/auth/userpass moves this quota from being a global mount quota to + a namespace specific mount quota. Note, namespaces are supported in Enterprise only. + Path of the mount or namespace to apply the quota. A blank path configures a global rate limit quota. type: string rate: - description: The maximum number of requests at any given second - to be allowed by the quota rule. The rate must be positive. 
- The maximum number of requests at any given second to be allowed - by the quota rule. The rate must be positive. + description: |- + The maximum number of requests at any given second to be allowed by the quota + rule. The rate must be positive. + The maximum number of requests at any given second to be allowed by the quota rule. The rate must be positive. type: number role: - description: If set on a quota where path is set to an auth mount - with a concept of roles (such as /auth/approle/), this will - make the quota restrict login requests to that mount that are - made with the specified role. If set on a quota where path is - set to an auth mount with a concept of roles (such as /auth/approle/), - this will make the quota restrict login requests to that mount - that are made with the specified role. + description: |- + If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. + If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. 
This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: blockInterval: - description: If set, when a client reaches a rate limit threshold, - the client will be prohibited from any further requests until - after the 'block_interval' in seconds has elapsed. If set, when - a client reaches a rate limit threshold, the client will be - prohibited from any further requests until after the 'block_interval' - in seconds has elapsed. + description: |- + If set, when a client reaches a rate limit threshold, the client will + be prohibited from any further requests until after the 'block_interval' in seconds has elapsed. + If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' in seconds has elapsed. type: number + inheritable: + description: |- + If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+. 
+ If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. + type: boolean interval: - description: The duration in seconds to enforce rate limiting - for. The duration in seconds to enforce rate limiting for. + description: |- + The duration in seconds to enforce rate limiting for. + The duration in seconds to enforce rate limiting for. type: number name: - description: Name of the rate limit quota The name of the quota. + description: |- + Name of the rate limit quota + The name of the quota. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: Path of the mount or namespace to apply the quota. - A blank path configures a global rate limit quota. For example - namespace1/ adds a quota to a full namespace, namespace1/auth/userpass - adds a quota to userpass in namespace1. Updating this field - on an existing quota can have "moving" effects. For example, - updating auth/userpass to namespace1/auth/userpass moves this - quota from being a global mount quota to a namespace specific - mount quota. Note, namespaces are supported in Enterprise only. - Path of the mount or namespace to apply the quota. A blank path - configures a global rate limit quota. 
+ description: |- + Path of the mount or namespace to apply the quota. A blank path configures a + global rate limit quota. For example namespace1/ adds a quota to a full namespace, + namespace1/auth/userpass adds a quota to userpass in namespace1. + Updating this field on an existing quota can have "moving" effects. For example, updating + auth/userpass to namespace1/auth/userpass moves this quota from being a global mount quota to + a namespace specific mount quota. Note, namespaces are supported in Enterprise only. + Path of the mount or namespace to apply the quota. A blank path configures a global rate limit quota. type: string rate: - description: The maximum number of requests at any given second - to be allowed by the quota rule. The rate must be positive. - The maximum number of requests at any given second to be allowed - by the quota rule. The rate must be positive. + description: |- + The maximum number of requests at any given second to be allowed by the quota + rule. The rate must be positive. + The maximum number of requests at any given second to be allowed by the quota rule. The rate must be positive. type: number role: - description: If set on a quota where path is set to an auth mount - with a concept of roles (such as /auth/approle/), this will - make the quota restrict login requests to that mount that are - made with the specified role. If set on a quota where path is - set to an auth mount with a concept of roles (such as /auth/approle/), - this will make the quota restrict login requests to that mount - that are made with the specified role. + description: |- + If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. 
+ If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. 
+ See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -209,45 +218,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -257,21 +231,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -281,17 +255,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -301,21 +277,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -330,21 +306,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -355,14 +332,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -378,69 +356,70 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: name is a required parameter + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' - - message: rate is a required parameter + || (has(self.initProvider) && has(self.initProvider.name))' + - message: spec.forProvider.rate is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.rate) - || has(self.initProvider.rate)' + || (has(self.initProvider) && has(self.initProvider.rate))' status: description: RateLimitStatus defines the observed state of RateLimit. properties: atProvider: properties: blockInterval: - description: If set, when a client reaches a rate limit threshold, - the client will be prohibited from any further requests until - after the 'block_interval' in seconds has elapsed. If set, when - a client reaches a rate limit threshold, the client will be - prohibited from any further requests until after the 'block_interval' - in seconds has elapsed. + description: |- + If set, when a client reaches a rate limit threshold, the client will + be prohibited from any further requests until after the 'block_interval' in seconds has elapsed. + If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' in seconds has elapsed. type: number id: type: string + inheritable: + description: |- + If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. 
Requires Vault 1.15+. + If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. + type: boolean interval: - description: The duration in seconds to enforce rate limiting - for. The duration in seconds to enforce rate limiting for. + description: |- + The duration in seconds to enforce rate limiting for. + The duration in seconds to enforce rate limiting for. type: number name: - description: Name of the rate limit quota The name of the quota. + description: |- + Name of the rate limit quota + The name of the quota. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: Path of the mount or namespace to apply the quota. - A blank path configures a global rate limit quota. For example - namespace1/ adds a quota to a full namespace, namespace1/auth/userpass - adds a quota to userpass in namespace1. Updating this field - on an existing quota can have "moving" effects. For example, - updating auth/userpass to namespace1/auth/userpass moves this - quota from being a global mount quota to a namespace specific - mount quota. Note, namespaces are supported in Enterprise only. - Path of the mount or namespace to apply the quota. 
A blank path - configures a global rate limit quota. + description: |- + Path of the mount or namespace to apply the quota. A blank path configures a + global rate limit quota. For example namespace1/ adds a quota to a full namespace, + namespace1/auth/userpass adds a quota to userpass in namespace1. + Updating this field on an existing quota can have "moving" effects. For example, updating + auth/userpass to namespace1/auth/userpass moves this quota from being a global mount quota to + a namespace specific mount quota. Note, namespaces are supported in Enterprise only. + Path of the mount or namespace to apply the quota. A blank path configures a global rate limit quota. type: string rate: - description: The maximum number of requests at any given second - to be allowed by the quota rule. The rate must be positive. - The maximum number of requests at any given second to be allowed - by the quota rule. The rate must be positive. + description: |- + The maximum number of requests at any given second to be allowed by the quota + rule. The rate must be positive. + The maximum number of requests at any given second to be allowed by the quota rule. The rate must be positive. type: number role: - description: If set on a quota where path is set to an auth mount - with a concept of roles (such as /auth/approle/), this will - make the quota restrict login requests to that mount that are - made with the specified role. If set on a quota where path is - set to an auth mount with a concept of roles (such as /auth/approle/), - this will make the quota restrict login requests to that mount - that are made with the specified role. + description: |- + If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. 
+ If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. type: string type: object conditions: @@ -449,14 +428,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -466,8 +454,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime 
@@ -476,6 +465,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/rabbitmq.vault.upbound.io_secretbackendroles.yaml b/package/crds/rabbitmq.vault.upbound.io_secretbackendroles.yaml index 0e52eec5..e54f9d3e 100644 --- a/package/crds/rabbitmq.vault.upbound.io_secretbackendroles.yaml +++ b/package/crds/rabbitmq.vault.upbound.io_secretbackendroles.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretbackendroles.rabbitmq.vault.upbound.io spec: group: rabbitmq.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: Creates a role on an RabbitMQ Secret Backend for Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,27 +74,109 @@ spec: forProvider: properties: backend: - description: The path the RabbitMQ secret backend is mounted at, - with no leading or trailing /s. The path of the Rabbitmq Secret - Backend the role belongs to. + description: |- + The path the RabbitMQ secret backend is mounted at, + with no leading or trailing /s. + The path of the Rabbitmq Secret Backend the role belongs to. type: string + backendRef: + description: Reference to a SecretBackend in rabbitmq to populate + backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a SecretBackend in rabbitmq to populate + backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. 
+ properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object name: - description: The name to identify this role within the backend. - Must be unique within the backend. Unique name for the role. + description: |- + The name to identify this role within the backend. + Must be unique within the backend. + Unique name for the role. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string tags: - description: Specifies a comma-separated RabbitMQ management tags. + description: |- + Specifies a comma-separated RabbitMQ management tags. Specifies a comma-separated RabbitMQ management tags. type: string vhost: - description: Specifies a map of virtual hosts to permissions. + description: |- + Specifies a map of virtual hosts to permissions. 
Specifies a map of virtual hosts to permissions. items: properties: @@ -107,17 +195,17 @@ spec: type: object type: array vhostTopic: - description: Specifies a map of virtual hosts and exchanges to - topic permissions. This option requires RabbitMQ 3.7.0 or later. - Specifies a map of virtual hosts and exchanges to topic permissions. - This option requires RabbitMQ 3.7.0 or later. + description: |- + Specifies a map of virtual hosts and exchanges to topic permissions. This option requires RabbitMQ 3.7.0 or later. + Specifies a map of virtual hosts and exchanges to topic permissions. This option requires RabbitMQ 3.7.0 or later. items: properties: host: description: The vhost to set permissions for. type: string vhost: - description: Specifies a map of virtual hosts to permissions. + description: |- + Specifies a map of virtual hosts to permissions. Specifies a map of virtual hosts to permissions. items: properties: 
@@ -136,40 +224,122 @@ spec: type: array type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: backend: - description: The path the RabbitMQ secret backend is mounted at, - with no leading or trailing /s. The path of the Rabbitmq Secret - Backend the role belongs to. + description: |- + The path the RabbitMQ secret backend is mounted at, + with no leading or trailing /s. + The path of the Rabbitmq Secret Backend the role belongs to. type: string + backendRef: + description: Reference to a SecretBackend in rabbitmq to populate + backend. + properties: + name: + description: Name of the referenced object. 
+ type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a SecretBackend in rabbitmq to populate + backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + type: object name: - description: The name to identify this role within the backend. - Must be unique within the backend. Unique name for the role. + description: |- + The name to identify this role within the backend. + Must be unique within the backend. + Unique name for the role. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string tags: - description: Specifies a comma-separated RabbitMQ management tags. + description: |- + Specifies a comma-separated RabbitMQ management tags. Specifies a comma-separated RabbitMQ management tags. type: string vhost: - description: Specifies a map of virtual hosts to permissions. + description: |- + Specifies a map of virtual hosts to permissions. Specifies a map of virtual hosts to permissions. items: properties: 
@@ -188,17 +358,17 @@ spec: type: object type: array vhostTopic: - description: Specifies a map of virtual hosts and exchanges to - topic permissions. This option requires RabbitMQ 3.7.0 or later. - Specifies a map of virtual hosts and exchanges to topic permissions. - This option requires RabbitMQ 3.7.0 or later. + description: |- + Specifies a map of virtual hosts and exchanges to topic permissions. This option requires RabbitMQ 3.7.0 or later. + Specifies a map of virtual hosts and exchanges to topic permissions. This option requires RabbitMQ 3.7.0 or later. items: properties: host: description: The vhost to set permissions for. type: string vhost: - description: Specifies a map of virtual hosts to permissions. + description: |- + Specifies a map of virtual hosts to permissions. Specifies a map of virtual hosts to permissions. items: properties: 
@@ -219,20 +389,21 @@ spec: managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. 
+ description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -245,45 +416,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -293,21 +429,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -317,17 +453,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -337,21 +475,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -366,21 +504,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -391,14 +530,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -414,43 +554,45 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: backend is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) - || has(self.initProvider.backend)' - - message: name is a required parameter + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' + || (has(self.initProvider) && has(self.initProvider.name))' status: description: SecretBackendRoleStatus defines the observed state of SecretBackendRole. properties: atProvider: properties: backend: - description: The path the RabbitMQ secret backend is mounted at, - with no leading or trailing /s. The path of the Rabbitmq Secret - Backend the role belongs to. + description: |- + The path the RabbitMQ secret backend is mounted at, + with no leading or trailing /s. + The path of the Rabbitmq Secret Backend the role belongs to. type: string id: type: string name: - description: The name to identify this role within the backend. - Must be unique within the backend. Unique name for the role. + description: |- + The name to identify this role within the backend. + Must be unique within the backend. + Unique name for the role. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. 
+ Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string tags: - description: Specifies a comma-separated RabbitMQ management tags. + description: |- + Specifies a comma-separated RabbitMQ management tags. Specifies a comma-separated RabbitMQ management tags. type: string vhost: - description: Specifies a map of virtual hosts to permissions. + description: |- + Specifies a map of virtual hosts to permissions. Specifies a map of virtual hosts to permissions. items: properties: @@ -469,17 +611,17 @@ spec: type: object type: array vhostTopic: - description: Specifies a map of virtual hosts and exchanges to - topic permissions. This option requires RabbitMQ 3.7.0 or later. - Specifies a map of virtual hosts and exchanges to topic permissions. - This option requires RabbitMQ 3.7.0 or later. + description: |- + Specifies a map of virtual hosts and exchanges to topic permissions. This option requires RabbitMQ 3.7.0 or later. + Specifies a map of virtual hosts and exchanges to topic permissions. This option requires RabbitMQ 3.7.0 or later. items: properties: host: description: The vhost to set permissions for. type: string vhost: - description: Specifies a map of virtual hosts to permissions. + description: |- + Specifies a map of virtual hosts to permissions. Specifies a map of virtual hosts to permissions. items: properties: 
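Review bot: The `backend is a required parameter` validation under `x-kubernetes-validations` is removed with no replacement in this hunk, while the `name` rule is kept and only gains the `has(self.initProvider)` guard. If `forProvider.backend` is now filled in by a reference or selector (not visible here), dropping the rule is expected. Otherwise a SecretBackendRole that allows Create or Update and sets no backend passes admission and fails only at reconcile time. In that case the rule should be regenerated in the same guarded form as the name rule, ending in `has(self.forProvider.backend) || (has(self.initProvider) && has(self.initProvider.backend))`. This CRD appears to be generated, so the change belongs in the resource configuration rather than in this file.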
@@ -503,14 +645,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -520,8 +671,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -530,6 +682,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/rabbitmq.vault.upbound.io_secretbackends.yaml b/package/crds/rabbitmq.vault.upbound.io_secretbackends.yaml index 5f39ca71..c871dabe 100644 --- a/package/crds/rabbitmq.vault.upbound.io_secretbackends.yaml +++ b/package/crds/rabbitmq.vault.upbound.io_secretbackends.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretbackends.rabbitmq.vault.upbound.io spec: group: rabbitmq.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: an RabbitMQ secret backend for Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,43 +74,49 @@ spec: forProvider: properties: connectionUri: - description: Specifies the RabbitMQ connection URI. Specifies - the RabbitMQ connection URI. + description: |- + Specifies the RabbitMQ connection URI. + Specifies the RabbitMQ connection URI. type: string defaultLeaseTtlSeconds: - description: The default TTL for credentials issued by this backend. + description: |- + The default TTL for credentials + issued by this backend. Default lease duration for secrets in seconds type: number description: - description: A human-friendly description for this backend. Human-friendly - description of the mount for the backend. + description: |- + A human-friendly description for this backend. + Human-friendly description of the mount for the backend. type: string disableRemount: - description: If set, opts out of mount migration on path updates. - See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. type: boolean maxLeaseTtlSeconds: - description: The maximum TTL that can be requested for credentials - issued by this backend. Maximum possible lease duration for - secrets in seconds + description: |- + The maximum TTL that can be requested + for credentials issued by this backend. + Maximum possible lease duration for secrets in seconds type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. 
+ Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string passwordPolicy: - description: Specifies a password policy to use when creating - dynamic credentials. Defaults to generating an alphanumeric - password if not set. Specifies a password policy to use when - creating dynamic credentials. Defaults to generating an alphanumeric - password if not set. + description: |- + Specifies a password policy to use when creating dynamic credentials. Defaults to generating an alphanumeric password if not set. + Specifies a password policy to use when creating dynamic credentials. Defaults to generating an alphanumeric password if not set. type: string passwordSecretRef: - description: Specifies the RabbitMQ management administrator password. + description: |- + Specifies the RabbitMQ management administrator password. Specifies the RabbitMQ management administrator password properties: key: @@ -122,13 +134,14 @@ spec: - namespace type: object path: - description: The unique path this backend should be mounted at. - Must not begin or end with a /. Defaults to rabbitmq. The path - of the RabbitMQ Secret Backend where the connection should be - configured + description: |- + The unique path this backend should be mounted at. Must + not begin or end with a /. Defaults to rabbitmq. + The path of the RabbitMQ Secret Backend where the connection should be configured type: string usernameSecretRef: - description: Specifies the RabbitMQ management administrator username. + description: |- + Specifies the RabbitMQ management administrator username. Specifies the RabbitMQ management administrator username properties: key: 
@@ -146,97 +159,148 @@ spec: - namespace type: object usernameTemplate: - description: Template describing how dynamic usernames are generated. + description: |- + Template describing how dynamic usernames are generated. Template describing how dynamic usernames are generated. type: string verifyConnection: - description: Specifies whether to verify connection URI, username, - and password. Defaults to true. Specifies whether to verify - connection URI, username, and password. + description: |- + Specifies whether to verify connection URI, username, and password. + Defaults to true. + Specifies whether to verify connection URI, username, and password. type: boolean type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. 
This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: connectionUri: - description: Specifies the RabbitMQ connection URI. Specifies - the RabbitMQ connection URI. + description: |- + Specifies the RabbitMQ connection URI. + Specifies the RabbitMQ connection URI. type: string defaultLeaseTtlSeconds: - description: The default TTL for credentials issued by this backend. + description: |- + The default TTL for credentials + issued by this backend. Default lease duration for secrets in seconds type: number description: - description: A human-friendly description for this backend. Human-friendly - description of the mount for the backend. + description: |- + A human-friendly description for this backend. + Human-friendly description of the mount for the backend. type: string disableRemount: - description: If set, opts out of mount migration on path updates. - See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. type: boolean maxLeaseTtlSeconds: - description: The maximum TTL that can be requested for credentials - issued by this backend. Maximum possible lease duration for - secrets in seconds + description: |- + The maximum TTL that can be requested + for credentials issued by this backend. + Maximum possible lease duration for secrets in seconds type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. 
(requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string passwordPolicy: - description: Specifies a password policy to use when creating - dynamic credentials. Defaults to generating an alphanumeric - password if not set. Specifies a password policy to use when - creating dynamic credentials. Defaults to generating an alphanumeric - password if not set. + description: |- + Specifies a password policy to use when creating dynamic credentials. Defaults to generating an alphanumeric password if not set. + Specifies a password policy to use when creating dynamic credentials. Defaults to generating an alphanumeric password if not set. type: string + passwordSecretRef: + description: |- + Specifies the RabbitMQ management administrator password. + Specifies the RabbitMQ management administrator password + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object path: - description: The unique path this backend should be mounted at. - Must not begin or end with a /. Defaults to rabbitmq. The path - of the RabbitMQ Secret Backend where the connection should be - configured + description: |- + The unique path this backend should be mounted at. Must + not begin or end with a /. Defaults to rabbitmq. + The path of the RabbitMQ Secret Backend where the connection should be configured type: string + usernameSecretRef: + description: |- + Specifies the RabbitMQ management administrator username. + Specifies the RabbitMQ management administrator username + properties: + key: + description: The key to select. 
+ type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object usernameTemplate: - description: Template describing how dynamic usernames are generated. + description: |- + Template describing how dynamic usernames are generated. Template describing how dynamic usernames are generated. type: string verifyConnection: - description: Specifies whether to verify connection URI, username, - and password. Defaults to true. Specifies whether to verify - connection URI, username, and password. + description: |- + Specifies whether to verify connection URI, username, and password. + Defaults to true. + Specifies whether to verify connection URI, username, and password. type: boolean + required: + - passwordSecretRef + - usernameSecretRef type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. 
+ ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -249,9 +313,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
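Review bot: The `required: - passwordSecretRef - usernameSecretRef` list added at the end of the `initProvider` properties makes both credential references mandatory whenever `initProvider` is set at all. A SecretBackend that keeps its RabbitMQ administrator credentials in `forProvider` and only sets, for example, `initProvider.path` would then fail schema validation unless it repeats both secret references there. `forProvider` has no such list in the visible context lines, which suggests the generator is treating the sensitive fields as required rather than this being intended. The file is controller-gen output, so the fix is to mark the two fields optional in the Go type or resource configuration and regenerate, leaving `initProvider` without a `required` list. Forcing the same secret reference into two places also gives a credential rotation one more spot where the references can drift apart.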
@@ -261,57 +326,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -321,17 +350,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -341,21 +372,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -370,21 +401,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -395,14 +427,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -418,14 +451,14 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: connectionUri is a required parameter + - message: spec.forProvider.connectionUri is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.connectionUri) - || has(self.initProvider.connectionUri)' - - message: passwordSecretRef is a required parameter + || (has(self.initProvider) && has(self.initProvider.connectionUri))' + - message: spec.forProvider.passwordSecretRef is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.passwordSecretRef)' - - message: usernameSecretRef is a required parameter + - message: spec.forProvider.usernameSecretRef is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.usernameSecretRef)' status: 
@@ -434,57 +467,64 @@ spec: atProvider: properties: connectionUri: - description: Specifies the RabbitMQ connection URI. Specifies - the RabbitMQ connection URI. + description: |- + Specifies the RabbitMQ connection URI. + Specifies the RabbitMQ connection URI. type: string defaultLeaseTtlSeconds: - description: The default TTL for credentials issued by this backend. + description: |- + The default TTL for credentials + issued by this backend. Default lease duration for secrets in seconds type: number description: - description: A human-friendly description for this backend. Human-friendly - description of the mount for the backend. + description: |- + A human-friendly description for this backend. + Human-friendly description of the mount for the backend. type: string disableRemount: - description: If set, opts out of mount migration on path updates. - See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. type: boolean id: type: string maxLeaseTtlSeconds: - description: The maximum TTL that can be requested for credentials - issued by this backend. Maximum possible lease duration for - secrets in seconds + description: |- + The maximum TTL that can be requested + for credentials issued by this backend. + Maximum possible lease duration for secrets in seconds type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. 
+ The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string passwordPolicy: - description: Specifies a password policy to use when creating - dynamic credentials. Defaults to generating an alphanumeric - password if not set. Specifies a password policy to use when - creating dynamic credentials. Defaults to generating an alphanumeric - password if not set. + description: |- + Specifies a password policy to use when creating dynamic credentials. Defaults to generating an alphanumeric password if not set. + Specifies a password policy to use when creating dynamic credentials. Defaults to generating an alphanumeric password if not set. type: string path: - description: The unique path this backend should be mounted at. - Must not begin or end with a /. Defaults to rabbitmq. The path - of the RabbitMQ Secret Backend where the connection should be - configured + description: |- + The unique path this backend should be mounted at. Must + not begin or end with a /. Defaults to rabbitmq. + The path of the RabbitMQ Secret Backend where the connection should be configured type: string usernameTemplate: - description: Template describing how dynamic usernames are generated. + description: |- + Template describing how dynamic usernames are generated. Template describing how dynamic usernames are generated. type: string verifyConnection: - description: Specifies whether to verify connection URI, username, - and password. Defaults to true. Specifies whether to verify - connection URI, username, and password. + description: |- + Specifies whether to verify connection URI, username, and password. + Defaults to true. + Specifies whether to verify connection URI, username, and password. type: boolean type: object conditions: 
@@ -493,14 +533,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -510,8 +559,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -520,6 +570,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/raft.vault.upbound.io_autopilots.yaml b/package/crds/raft.vault.upbound.io_autopilots.yaml index 2cbca0c5..fedb9420 100644 --- a/package/crds/raft.vault.upbound.io_autopilots.yaml +++ b/package/crds/raft.vault.upbound.io_autopilots.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: autopilots.raft.vault.upbound.io spec: group: raft.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: Autopilot capabilities. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,135 +74,138 @@ spec: forProvider: properties: cleanupDeadServers: - description: quorum is also set. Specifies whether to remove dead - server nodes periodically or when a new server joins. This requires - that min-quorum is also set. + description: |- + quorum is also set. + Specifies whether to remove dead server nodes periodically or when a new server joins. This requires that min-quorum is also set. type: boolean deadServerLastContactThreshold: - description: Limit the amount of time a server can go without - leader contact before being considered failed. This only takes - effect when cleanup_dead_servers is set. Limit the amount of - time a server can go without leader contact before being considered - failed. This only takes effect when cleanup_dead_servers is - set. + description: |- + Limit the amount of time a + server can go without leader contact before being considered failed. This only takes + effect when cleanup_dead_servers is set. + Limit the amount of time a server can go without leader contact before being considered failed. This only takes effect when cleanup_dead_servers is set. type: string disableUpgradeMigration: - description: only) Disables automatically upgrading Vault using - autopilot. (Enterprise-only) + description: |- + only) + Disables automatically upgrading Vault using autopilot. (Enterprise-only) type: boolean lastContactThreshold: - description: Limit the amount of time a server can go without - leader contact before being considered unhealthy. Limit the - amount of time a server can go without leader contact before - being considered unhealthy. + description: |- + Limit the amount of time a server can go + without leader contact before being considered unhealthy. + Limit the amount of time a server can go without leader contact before being considered unhealthy. 
type: string maxTrailingLogs: - description: Maximum number of log entries in the Raft log that - a server can be behind its leader before being considered unhealthy. - Maximum number of log entries in the Raft log that a server - can be behind its leader before being considered unhealthy. + description: |- + Maximum number of log entries in the Raft log + that a server can be behind its leader before being considered unhealthy. + Maximum number of log entries in the Raft log that a server can be behind its leader before being considered unhealthy. type: number minQuorum: - description: Minimum number of servers allowed in a cluster before - autopilot can prune dead servers. This should at least be 3. - Applicable only for voting nodes. Minimum number of servers - allowed in a cluster before autopilot can prune dead servers. - This should at least be 3. Applicable only for voting nodes. + description: |- + Minimum number of servers allowed in a cluster before + autopilot can prune dead servers. This should at least be 3. Applicable only for + voting nodes. + Minimum number of servers allowed in a cluster before autopilot can prune dead servers. This should at least be 3. Applicable only for voting nodes. type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string serverStabilizationTime: - description: Minimum amount of time a server must be stable in - the 'healthy' state before being added to the cluster. 
Minimum - amount of time a server must be stable in the 'healthy' state - before being added to the cluster. + description: |- + Minimum amount of time a server must be + stable in the 'healthy' state before being added to the cluster. + Minimum amount of time a server must be stable in the 'healthy' state before being added to the cluster. type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: cleanupDeadServers: - description: quorum is also set. Specifies whether to remove dead - server nodes periodically or when a new server joins. This requires - that min-quorum is also set. + description: |- + quorum is also set. 
+ Specifies whether to remove dead server nodes periodically or when a new server joins. This requires that min-quorum is also set. type: boolean deadServerLastContactThreshold: - description: Limit the amount of time a server can go without - leader contact before being considered failed. This only takes - effect when cleanup_dead_servers is set. Limit the amount of - time a server can go without leader contact before being considered - failed. This only takes effect when cleanup_dead_servers is - set. + description: |- + Limit the amount of time a + server can go without leader contact before being considered failed. This only takes + effect when cleanup_dead_servers is set. + Limit the amount of time a server can go without leader contact before being considered failed. This only takes effect when cleanup_dead_servers is set. type: string disableUpgradeMigration: - description: only) Disables automatically upgrading Vault using - autopilot. (Enterprise-only) + description: |- + only) + Disables automatically upgrading Vault using autopilot. (Enterprise-only) type: boolean lastContactThreshold: - description: Limit the amount of time a server can go without - leader contact before being considered unhealthy. Limit the - amount of time a server can go without leader contact before - being considered unhealthy. + description: |- + Limit the amount of time a server can go + without leader contact before being considered unhealthy. + Limit the amount of time a server can go without leader contact before being considered unhealthy. type: string maxTrailingLogs: - description: Maximum number of log entries in the Raft log that - a server can be behind its leader before being considered unhealthy. - Maximum number of log entries in the Raft log that a server - can be behind its leader before being considered unhealthy. + description: |- + Maximum number of log entries in the Raft log + that a server can be behind its leader before being considered unhealthy. 
+ Maximum number of log entries in the Raft log that a server can be behind its leader before being considered unhealthy. type: number minQuorum: - description: Minimum number of servers allowed in a cluster before - autopilot can prune dead servers. This should at least be 3. - Applicable only for voting nodes. Minimum number of servers - allowed in a cluster before autopilot can prune dead servers. - This should at least be 3. Applicable only for voting nodes. + description: |- + Minimum number of servers allowed in a cluster before + autopilot can prune dead servers. This should at least be 3. Applicable only for + voting nodes. + Minimum number of servers allowed in a cluster before autopilot can prune dead servers. This should at least be 3. Applicable only for voting nodes. type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string serverStabilizationTime: - description: Minimum amount of time a server must be stable in - the 'healthy' state before being added to the cluster. Minimum - amount of time a server must be stable in the 'healthy' state - before being added to the cluster. + description: |- + Minimum amount of time a server must be + stable in the 'healthy' state before being added to the cluster. + Minimum amount of time a server must be stable in the 'healthy' state before being added to the cluster. type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. 
Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -209,45 +218,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -257,21 +231,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -281,17 +255,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -301,21 +277,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -330,21 +306,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -355,14 +332,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -383,55 +361,56 @@ spec: atProvider: properties: cleanupDeadServers: - description: quorum is also set. Specifies whether to remove dead - server nodes periodically or when a new server joins. This requires - that min-quorum is also set. + description: |- + quorum is also set. + Specifies whether to remove dead server nodes periodically or when a new server joins. This requires that min-quorum is also set. type: boolean deadServerLastContactThreshold: - description: Limit the amount of time a server can go without - leader contact before being considered failed. This only takes - effect when cleanup_dead_servers is set. Limit the amount of - time a server can go without leader contact before being considered - failed. This only takes effect when cleanup_dead_servers is - set. + description: |- + Limit the amount of time a + server can go without leader contact before being considered failed. This only takes + effect when cleanup_dead_servers is set. + Limit the amount of time a server can go without leader contact before being considered failed. This only takes effect when cleanup_dead_servers is set. type: string disableUpgradeMigration: - description: only) Disables automatically upgrading Vault using - autopilot. (Enterprise-only) + description: |- + only) + Disables automatically upgrading Vault using autopilot. (Enterprise-only) type: boolean id: type: string lastContactThreshold: - description: Limit the amount of time a server can go without - leader contact before being considered unhealthy. Limit the - amount of time a server can go without leader contact before - being considered unhealthy. + description: |- + Limit the amount of time a server can go + without leader contact before being considered unhealthy. + Limit the amount of time a server can go without leader contact before being considered unhealthy. 
type: string maxTrailingLogs: - description: Maximum number of log entries in the Raft log that - a server can be behind its leader before being considered unhealthy. - Maximum number of log entries in the Raft log that a server - can be behind its leader before being considered unhealthy. + description: |- + Maximum number of log entries in the Raft log + that a server can be behind its leader before being considered unhealthy. + Maximum number of log entries in the Raft log that a server can be behind its leader before being considered unhealthy. type: number minQuorum: - description: Minimum number of servers allowed in a cluster before - autopilot can prune dead servers. This should at least be 3. - Applicable only for voting nodes. Minimum number of servers - allowed in a cluster before autopilot can prune dead servers. - This should at least be 3. Applicable only for voting nodes. + description: |- + Minimum number of servers allowed in a cluster before + autopilot can prune dead servers. This should at least be 3. Applicable only for + voting nodes. + Minimum number of servers allowed in a cluster before autopilot can prune dead servers. This should at least be 3. Applicable only for voting nodes. type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string serverStabilizationTime: - description: Minimum amount of time a server must be stable in - the 'healthy' state before being added to the cluster. 
Minimum - amount of time a server must be stable in the 'healthy' state - before being added to the cluster. + description: |- + Minimum amount of time a server must be + stable in the 'healthy' state before being added to the cluster. + Minimum amount of time a server must be stable in the 'healthy' state before being added to the cluster. type: string type: object conditions: @@ -440,14 +419,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -457,8 +445,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime 
@@ -467,6 +456,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/raft.vault.upbound.io_snapshotagentconfigs.yaml b/package/crds/raft.vault.upbound.io_snapshotagentconfigs.yaml index 7a868fb1..366e783d 100644 --- a/package/crds/raft.vault.upbound.io_snapshotagentconfigs.yaml +++ b/package/crds/raft.vault.upbound.io_snapshotagentconfigs.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: snapshotagentconfigs.raft.vault.upbound.io spec: group: raft.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: API. Creates a Raft Snapshot Agent Configuration for Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,297 +74,366 @@ spec: forProvider: properties: awsAccessKeyId: - description: AWS access key ID. AWS access key ID. + description: |- + AWS access key ID. + AWS access key ID. type: string awsS3Bucket: - description: S3 bucket to write snapshots to. S3 bucket to write - snapshots to. + description: |- + S3 bucket to write snapshots to. + S3 bucket to write snapshots to. type: string awsS3DisableTls: - description: Disable TLS for the S3 endpoint. This should only - be used for testing purposes, typically in conjunction with - aws_s3_endpoint. Disable TLS for the S3 endpoint. This should - only be used for testing purposes. + description: |- + Disable TLS for the S3 endpoint. This + should only be used for testing purposes, typically in conjunction with + aws_s3_endpoint. + Disable TLS for the S3 endpoint. This should only be used for testing purposes. type: boolean awsS3EnableKms: - description: Use KMS to encrypt bucket contents. Use KMS to encrypt - bucket contents. + description: |- + Use KMS to encrypt bucket contents. + Use KMS to encrypt bucket contents. type: boolean awsS3Endpoint: - description: AWS endpoint. This is typically only set when using - a non-AWS S3 implementation like Minio. AWS endpoint. This is - typically only set when using a non-AWS S3 implementation like - Minio. + description: |- + AWS endpoint. This is typically only set when + using a non-AWS S3 implementation like Minio. + AWS endpoint. This is typically only set when using a non-AWS S3 implementation like Minio. type: string awsS3ForcePathStyle: - description: Use the endpoint/bucket URL style instead of bucket.endpoint. - May be needed when setting aws_s3_endpoint. Use the endpoint/bucket - URL style instead of bucket.endpoint. + description: |- + Use the endpoint/bucket URL style + instead of bucket.endpoint. May be needed when setting aws_s3_endpoint. + Use the endpoint/bucket URL style instead of bucket.endpoint. 
type: boolean awsS3KmsKey: - description: Use named KMS key, when aws_s3_enable_kms = true + description: |- + Use named KMS key, when aws_s3_enable_kms = true Use named KMS key, when aws_s3_enable_kms=true type: string awsS3Region: - description: AWS region bucket is in. AWS region bucket is in. + description: |- + AWS region bucket is in. + AWS region bucket is in. type: string awsS3ServerSideEncryption: - description: Use AES256 to encrypt bucket contents. Use AES256 - to encrypt bucket contents. + description: |- + Use AES256 to encrypt bucket contents. + Use AES256 to encrypt bucket contents. type: boolean awsSecretAccessKey: - description: AWS secret access key. AWS secret access key. + description: |- + AWS secret access key. + AWS secret access key. type: string awsSessionToken: - description: AWS session token. AWS session token. + description: |- + AWS session token. + AWS session token. type: string azureAccountKey: - description: Azure account key. Azure account key. + description: |- + Azure account key. + Azure account key. type: string azureAccountName: - description: Azure account name. Azure account name. + description: |- + Azure account name. + Azure account name. type: string azureBlobEnvironment: - description: Azure blob environment. Azure blob environment. + description: |- + Azure blob environment. + Azure blob environment. type: string azureContainerName: - description: Azure container name to write snapshots to. Azure - container name to write snapshots to. + description: |- + Azure container name to write + snapshots to. + Azure container name to write snapshots to. type: string azureEndpoint: - description: Azure blob storage endpoint. This is typically only - set when using a non-Azure implementation like Azurite. Azure - blob storage endpoint. This is typically only set when using - a non-Azure implementation like Azurite. + description: |- + Azure blob storage endpoint. 
This is typically + only set when using a non-Azure implementation like Azurite. + Azure blob storage endpoint. This is typically only set when using a non-Azure implementation like Azurite. type: string filePrefix: - description: Within the directory or bucket prefix given by path_prefix, - the file or object name of snapshot files will start with this - string. The file or object name of snapshot files will start - with this string. + description: |- + Within the directory or bucket + prefix given by path_prefix, the file or object name of snapshot files + will start with this string. + The file or object name of snapshot files will start with this string. type: string googleDisableTls: - description: Disable TLS for the GCS endpoint. This should only - be used for testing purposes, typically in conjunction with - google_endpoint. Disable TLS for the GCS endpoint. + description: |- + Disable TLS for the GCS endpoint. This + should only be used for testing purposes, typically in conjunction with + google_endpoint. + Disable TLS for the GCS endpoint. type: boolean googleEndpoint: - description: GCS endpoint. This is typically only set when using - a non-Google GCS implementation like fake-gcs-server. GCS endpoint. - This is typically only set when using a non-Google GCS implementation - like fake-gcs-server. + description: |- + GCS endpoint. This is typically only set when + using a non-Google GCS implementation like fake-gcs-server. + GCS endpoint. This is typically only set when using a non-Google GCS implementation like fake-gcs-server. type: string googleGcsBucket: - description: GCS bucket to write snapshots to. GCS bucket to write - snapshots to. + description: |- + GCS bucket to write snapshots to. + GCS bucket to write snapshots to. type: string googleServiceAccountKey: - description: 'Google service account key in JSON format. The raw - value looks like this: Google service account key in JSON format.' 
+ description: |- + Google service account key in JSON format. + The raw value looks like this: + Google service account key in JSON format. type: string intervalSeconds: - description: Time (in seconds) between snapshots. Number of seconds - between snapshots. + description: |- + Time (in seconds) between snapshots. + Number of seconds between snapshots. type: number localMaxSpace: - description: For storage_type = local, the maximum space, in bytes, - to use for snapshots. Snapshot attempts will fail if there is - not enough space left in this allowance. The maximum space, - in bytes, to use for snapshots. + description: |- + For storage_type = local, the maximum + space, in bytes, to use for snapshots. Snapshot attempts will fail if there is not enough + space left in this allowance. + The maximum space, in bytes, to use for snapshots. type: number name: - description: – Name of the configuration to modify. + description: |- + – Name of the configuration to modify. Name of the snapshot agent configuration. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string pathPrefix: - description: For storage_type = "local", the directory to write - the snapshots in. For cloud storage types, the bucket prefix - to use. Types azure-s3 and google-gcs require a trailing / (slash). - Types local and aws-s3 the trailing / is optional. The directory - or bucket prefix to to use. 
+ description: |- + For storage_type = "local", the directory to + write the snapshots in. For cloud storage types, the bucket prefix to use. + Types azure-s3 and google-gcs require a trailing / (slash). + Types local and aws-s3 the trailing / is optional. + The directory or bucket prefix to to use. type: string retain: - description: How many snapshots are to be kept; when writing a - snapshot, if there are more snapshots already stored than this - number, the oldest ones will be deleted. How many snapshots - are to be kept. + description: |- + How many snapshots are to be kept; when writing a + snapshot, if there are more snapshots already stored than this number, the + oldest ones will be deleted. + How many snapshots are to be kept. type: number storageType: - description: One of "local", "azure-blob", "aws-s3", or "google-gcs". - The remaining parameters described below are all specific to - the selected storage_type and prefixed accordingly. What storage - service to send snapshots to. One of "local", "azure-blob", - "aws-s3", or "google-gcs". + description: |- + One of "local", "azure-blob", "aws-s3", + or "google-gcs". The remaining parameters described below are all specific to + the selected storage_type and prefixed accordingly. + What storage service to send snapshots to. One of "local", "azure-blob", "aws-s3", or "google-gcs". type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. 
This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: awsAccessKeyId: - description: AWS access key ID. AWS access key ID. + description: |- + AWS access key ID. + AWS access key ID. type: string awsS3Bucket: - description: S3 bucket to write snapshots to. S3 bucket to write - snapshots to. + description: |- + S3 bucket to write snapshots to. + S3 bucket to write snapshots to. type: string awsS3DisableTls: - description: Disable TLS for the S3 endpoint. This should only - be used for testing purposes, typically in conjunction with - aws_s3_endpoint. Disable TLS for the S3 endpoint. This should - only be used for testing purposes. + description: |- + Disable TLS for the S3 endpoint. This + should only be used for testing purposes, typically in conjunction with + aws_s3_endpoint. + Disable TLS for the S3 endpoint. This should only be used for testing purposes. type: boolean awsS3EnableKms: - description: Use KMS to encrypt bucket contents. Use KMS to encrypt - bucket contents. + description: |- + Use KMS to encrypt bucket contents. + Use KMS to encrypt bucket contents. type: boolean awsS3Endpoint: - description: AWS endpoint. 
This is typically only set when using - a non-AWS S3 implementation like Minio. AWS endpoint. This is - typically only set when using a non-AWS S3 implementation like - Minio. + description: |- + AWS endpoint. This is typically only set when + using a non-AWS S3 implementation like Minio. + AWS endpoint. This is typically only set when using a non-AWS S3 implementation like Minio. type: string awsS3ForcePathStyle: - description: Use the endpoint/bucket URL style instead of bucket.endpoint. - May be needed when setting aws_s3_endpoint. Use the endpoint/bucket - URL style instead of bucket.endpoint. + description: |- + Use the endpoint/bucket URL style + instead of bucket.endpoint. May be needed when setting aws_s3_endpoint. + Use the endpoint/bucket URL style instead of bucket.endpoint. type: boolean awsS3KmsKey: - description: Use named KMS key, when aws_s3_enable_kms = true + description: |- + Use named KMS key, when aws_s3_enable_kms = true Use named KMS key, when aws_s3_enable_kms=true type: string awsS3Region: - description: AWS region bucket is in. AWS region bucket is in. + description: |- + AWS region bucket is in. + AWS region bucket is in. type: string awsS3ServerSideEncryption: - description: Use AES256 to encrypt bucket contents. Use AES256 - to encrypt bucket contents. + description: |- + Use AES256 to encrypt bucket contents. + Use AES256 to encrypt bucket contents. type: boolean awsSecretAccessKey: - description: AWS secret access key. AWS secret access key. + description: |- + AWS secret access key. + AWS secret access key. type: string awsSessionToken: - description: AWS session token. AWS session token. + description: |- + AWS session token. + AWS session token. type: string azureAccountKey: - description: Azure account key. Azure account key. + description: |- + Azure account key. + Azure account key. type: string azureAccountName: - description: Azure account name. Azure account name. + description: |- + Azure account name. + Azure account name. 
type: string azureBlobEnvironment: - description: Azure blob environment. Azure blob environment. + description: |- + Azure blob environment. + Azure blob environment. type: string azureContainerName: - description: Azure container name to write snapshots to. Azure - container name to write snapshots to. + description: |- + Azure container name to write + snapshots to. + Azure container name to write snapshots to. type: string azureEndpoint: - description: Azure blob storage endpoint. This is typically only - set when using a non-Azure implementation like Azurite. Azure - blob storage endpoint. This is typically only set when using - a non-Azure implementation like Azurite. + description: |- + Azure blob storage endpoint. This is typically + only set when using a non-Azure implementation like Azurite. + Azure blob storage endpoint. This is typically only set when using a non-Azure implementation like Azurite. type: string filePrefix: - description: Within the directory or bucket prefix given by path_prefix, - the file or object name of snapshot files will start with this - string. The file or object name of snapshot files will start - with this string. + description: |- + Within the directory or bucket + prefix given by path_prefix, the file or object name of snapshot files + will start with this string. + The file or object name of snapshot files will start with this string. type: string googleDisableTls: - description: Disable TLS for the GCS endpoint. This should only - be used for testing purposes, typically in conjunction with - google_endpoint. Disable TLS for the GCS endpoint. + description: |- + Disable TLS for the GCS endpoint. This + should only be used for testing purposes, typically in conjunction with + google_endpoint. + Disable TLS for the GCS endpoint. type: boolean googleEndpoint: - description: GCS endpoint. This is typically only set when using - a non-Google GCS implementation like fake-gcs-server. GCS endpoint. 
- This is typically only set when using a non-Google GCS implementation - like fake-gcs-server. + description: |- + GCS endpoint. This is typically only set when + using a non-Google GCS implementation like fake-gcs-server. + GCS endpoint. This is typically only set when using a non-Google GCS implementation like fake-gcs-server. type: string googleGcsBucket: - description: GCS bucket to write snapshots to. GCS bucket to write - snapshots to. + description: |- + GCS bucket to write snapshots to. + GCS bucket to write snapshots to. type: string googleServiceAccountKey: - description: 'Google service account key in JSON format. The raw - value looks like this: Google service account key in JSON format.' + description: |- + Google service account key in JSON format. + The raw value looks like this: + Google service account key in JSON format. type: string intervalSeconds: - description: Time (in seconds) between snapshots. Number of seconds - between snapshots. + description: |- + Time (in seconds) between snapshots. + Number of seconds between snapshots. type: number localMaxSpace: - description: For storage_type = local, the maximum space, in bytes, - to use for snapshots. Snapshot attempts will fail if there is - not enough space left in this allowance. The maximum space, - in bytes, to use for snapshots. + description: |- + For storage_type = local, the maximum + space, in bytes, to use for snapshots. Snapshot attempts will fail if there is not enough + space left in this allowance. + The maximum space, in bytes, to use for snapshots. type: number name: - description: – Name of the configuration to modify. + description: |- + – Name of the configuration to modify. Name of the snapshot agent configuration. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. 
- Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string pathPrefix: - description: For storage_type = "local", the directory to write - the snapshots in. For cloud storage types, the bucket prefix - to use. Types azure-s3 and google-gcs require a trailing / (slash). - Types local and aws-s3 the trailing / is optional. The directory - or bucket prefix to to use. + description: |- + For storage_type = "local", the directory to + write the snapshots in. For cloud storage types, the bucket prefix to use. + Types azure-s3 and google-gcs require a trailing / (slash). + Types local and aws-s3 the trailing / is optional. + The directory or bucket prefix to to use. type: string retain: - description: How many snapshots are to be kept; when writing a - snapshot, if there are more snapshots already stored than this - number, the oldest ones will be deleted. How many snapshots - are to be kept. + description: |- + How many snapshots are to be kept; when writing a + snapshot, if there are more snapshots already stored than this number, the + oldest ones will be deleted. + How many snapshots are to be kept. type: number storageType: - description: One of "local", "azure-blob", "aws-s3", or "google-gcs". - The remaining parameters described below are all specific to - the selected storage_type and prefixed accordingly. What storage - service to send snapshots to. One of "local", "azure-blob", - "aws-s3", or "google-gcs". + description: |- + One of "local", "azure-blob", "aws-s3", + or "google-gcs". The remaining parameters described below are all specific to + the selected storage_type and prefixed accordingly. + What storage service to send snapshots to. 
One of "local", "azure-blob", "aws-s3", or "google-gcs". type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. 
+ description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -371,9 +446,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
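Review bot: The credential fields in this schema (`awsSecretAccessKey`, `awsSessionToken`, `azureAccountKey` and `googleServiceAccountKey`, under both `forProvider` and `initProvider`) are still declared as plain `type: string`. Their values therefore sit in the custom resource spec, readable by anyone who can get the object and by anything that stores or prints the manifest. This file is controller-gen output, so the change belongs in the provider's resource configuration rather than in this hunk. If the generator can treat these Terraform attributes as sensitive, it should emit secret-reference fields instead of inline strings; that is inferred, because the generator configuration is not visible here. Until then I would add a sentence to each of these descriptions, for example `The value is stored in the resource spec in clear text; restrict read access to this kind.`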
@@ -383,57 +459,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -443,17 +483,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -463,21 +505,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -492,21 +534,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -517,14 +560,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -540,158 +584,192 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: intervalSeconds is a required parameter + - message: spec.forProvider.intervalSeconds is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.intervalSeconds) - || has(self.initProvider.intervalSeconds)' - - message: name is a required parameter + || (has(self.initProvider) && has(self.initProvider.intervalSeconds))' + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' - - message: pathPrefix is a required parameter + || (has(self.initProvider) && has(self.initProvider.name))' + - message: spec.forProvider.pathPrefix is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.pathPrefix) - || has(self.initProvider.pathPrefix)' - - message: storageType is a required parameter + || (has(self.initProvider) && has(self.initProvider.pathPrefix))' + - message: spec.forProvider.storageType is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.storageType) - || has(self.initProvider.storageType)' + || (has(self.initProvider) && has(self.initProvider.storageType))' status: description: SnapshotAgentConfigStatus defines the observed state of SnapshotAgentConfig. properties: atProvider: properties: awsAccessKeyId: - description: AWS access key ID. AWS access key ID. + description: |- + AWS access key ID. + AWS access key ID. type: string awsS3Bucket: - description: S3 bucket to write snapshots to. S3 bucket to write - snapshots to. 
+ description: |- + S3 bucket to write snapshots to. + S3 bucket to write snapshots to. type: string awsS3DisableTls: - description: Disable TLS for the S3 endpoint. This should only - be used for testing purposes, typically in conjunction with - aws_s3_endpoint. Disable TLS for the S3 endpoint. This should - only be used for testing purposes. + description: |- + Disable TLS for the S3 endpoint. This + should only be used for testing purposes, typically in conjunction with + aws_s3_endpoint. + Disable TLS for the S3 endpoint. This should only be used for testing purposes. type: boolean awsS3EnableKms: - description: Use KMS to encrypt bucket contents. Use KMS to encrypt - bucket contents. + description: |- + Use KMS to encrypt bucket contents. + Use KMS to encrypt bucket contents. type: boolean awsS3Endpoint: - description: AWS endpoint. This is typically only set when using - a non-AWS S3 implementation like Minio. AWS endpoint. This is - typically only set when using a non-AWS S3 implementation like - Minio. + description: |- + AWS endpoint. This is typically only set when + using a non-AWS S3 implementation like Minio. + AWS endpoint. This is typically only set when using a non-AWS S3 implementation like Minio. type: string awsS3ForcePathStyle: - description: Use the endpoint/bucket URL style instead of bucket.endpoint. - May be needed when setting aws_s3_endpoint. Use the endpoint/bucket - URL style instead of bucket.endpoint. + description: |- + Use the endpoint/bucket URL style + instead of bucket.endpoint. May be needed when setting aws_s3_endpoint. + Use the endpoint/bucket URL style instead of bucket.endpoint. type: boolean awsS3KmsKey: - description: Use named KMS key, when aws_s3_enable_kms = true + description: |- + Use named KMS key, when aws_s3_enable_kms = true Use named KMS key, when aws_s3_enable_kms=true type: string awsS3Region: - description: AWS region bucket is in. AWS region bucket is in. + description: |- + AWS region bucket is in. 
+ AWS region bucket is in. type: string awsS3ServerSideEncryption: - description: Use AES256 to encrypt bucket contents. Use AES256 - to encrypt bucket contents. + description: |- + Use AES256 to encrypt bucket contents. + Use AES256 to encrypt bucket contents. type: boolean awsSecretAccessKey: - description: AWS secret access key. AWS secret access key. + description: |- + AWS secret access key. + AWS secret access key. type: string awsSessionToken: - description: AWS session token. AWS session token. + description: |- + AWS session token. + AWS session token. type: string azureAccountKey: - description: Azure account key. Azure account key. + description: |- + Azure account key. + Azure account key. type: string azureAccountName: - description: Azure account name. Azure account name. + description: |- + Azure account name. + Azure account name. type: string azureBlobEnvironment: - description: Azure blob environment. Azure blob environment. + description: |- + Azure blob environment. + Azure blob environment. type: string azureContainerName: - description: Azure container name to write snapshots to. Azure - container name to write snapshots to. + description: |- + Azure container name to write + snapshots to. + Azure container name to write snapshots to. type: string azureEndpoint: - description: Azure blob storage endpoint. This is typically only - set when using a non-Azure implementation like Azurite. Azure - blob storage endpoint. This is typically only set when using - a non-Azure implementation like Azurite. + description: |- + Azure blob storage endpoint. This is typically + only set when using a non-Azure implementation like Azurite. + Azure blob storage endpoint. This is typically only set when using a non-Azure implementation like Azurite. type: string filePrefix: - description: Within the directory or bucket prefix given by path_prefix, - the file or object name of snapshot files will start with this - string. 
The file or object name of snapshot files will start - with this string. + description: |- + Within the directory or bucket + prefix given by path_prefix, the file or object name of snapshot files + will start with this string. + The file or object name of snapshot files will start with this string. type: string googleDisableTls: - description: Disable TLS for the GCS endpoint. This should only - be used for testing purposes, typically in conjunction with - google_endpoint. Disable TLS for the GCS endpoint. + description: |- + Disable TLS for the GCS endpoint. This + should only be used for testing purposes, typically in conjunction with + google_endpoint. + Disable TLS for the GCS endpoint. type: boolean googleEndpoint: - description: GCS endpoint. This is typically only set when using - a non-Google GCS implementation like fake-gcs-server. GCS endpoint. - This is typically only set when using a non-Google GCS implementation - like fake-gcs-server. + description: |- + GCS endpoint. This is typically only set when + using a non-Google GCS implementation like fake-gcs-server. + GCS endpoint. This is typically only set when using a non-Google GCS implementation like fake-gcs-server. type: string googleGcsBucket: - description: GCS bucket to write snapshots to. GCS bucket to write - snapshots to. + description: |- + GCS bucket to write snapshots to. + GCS bucket to write snapshots to. type: string googleServiceAccountKey: - description: 'Google service account key in JSON format. The raw - value looks like this: Google service account key in JSON format.' + description: |- + Google service account key in JSON format. + The raw value looks like this: + Google service account key in JSON format. type: string id: type: string intervalSeconds: - description: Time (in seconds) between snapshots. Number of seconds - between snapshots. + description: |- + Time (in seconds) between snapshots. + Number of seconds between snapshots. 
type: number localMaxSpace: - description: For storage_type = local, the maximum space, in bytes, - to use for snapshots. Snapshot attempts will fail if there is - not enough space left in this allowance. The maximum space, - in bytes, to use for snapshots. + description: |- + For storage_type = local, the maximum + space, in bytes, to use for snapshots. Snapshot attempts will fail if there is not enough + space left in this allowance. + The maximum space, in bytes, to use for snapshots. type: number name: - description: – Name of the configuration to modify. + description: |- + – Name of the configuration to modify. Name of the snapshot agent configuration. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string pathPrefix: - description: For storage_type = "local", the directory to write - the snapshots in. For cloud storage types, the bucket prefix - to use. Types azure-s3 and google-gcs require a trailing / (slash). - Types local and aws-s3 the trailing / is optional. The directory - or bucket prefix to to use. + description: |- + For storage_type = "local", the directory to + write the snapshots in. For cloud storage types, the bucket prefix to use. + Types azure-s3 and google-gcs require a trailing / (slash). + Types local and aws-s3 the trailing / is optional. + The directory or bucket prefix to to use. 
type: string retain: - description: How many snapshots are to be kept; when writing a - snapshot, if there are more snapshots already stored than this - number, the oldest ones will be deleted. How many snapshots - are to be kept. + description: |- + How many snapshots are to be kept; when writing a + snapshot, if there are more snapshots already stored than this number, the + oldest ones will be deleted. + How many snapshots are to be kept. type: number storageType: - description: One of "local", "azure-blob", "aws-s3", or "google-gcs". - The remaining parameters described below are all specific to - the selected storage_type and prefixed accordingly. What storage - service to send snapshots to. One of "local", "azure-blob", - "aws-s3", or "google-gcs". + description: |- + One of "local", "azure-blob", "aws-s3", + or "google-gcs". The remaining parameters described below are all specific to + the selected storage_type and prefixed accordingly. + What storage service to send snapshots to. One of "local", "azure-blob", "aws-s3", or "google-gcs". type: string type: object conditions: 
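Review bot: `status.atProvider` in this hunk still declares `awsSecretAccessKey`, `awsSessionToken`, `azureAccountKey` and `googleServiceAccountKey` as plain `type: string` fields. If the provider fills them from observed state, the snapshot storage credentials are readable by anyone allowed to get or list this resource, and they are stored with the object rather than in a Secret. The commit only reflows their descriptions, so the exposure is unchanged. This CRD appears to be generated, so the fix belongs in the generator's resource configuration: mark these four fields as sensitive so they come from a Secret reference and are omitted from `atProvider`, which would drop the `awsSecretAccessKey:`, `awsSessionToken:`, `azureAccountKey:` and `googleServiceAccountKey:` entries here. The `spec` side of this schema lies outside the visible hunk, so check how the same fields are typed there.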
@@ -700,14 +778,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -717,8 +804,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -727,6 +815,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/rgp.vault.upbound.io_policies.yaml b/package/crds/rgp.vault.upbound.io_policies.yaml index 703c5d37..c6e40132 100644 
--- a/package/crds/rgp.vault.upbound.io_policies.yaml +++ b/package/crds/rgp.vault.upbound.io_policies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: policies.rgp.vault.upbound.io spec: group: rgp.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: governing policies for Vault properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,75 +74,84 @@ spec: forProvider: properties: enforcementLevel: - description: 'Enforcement level of Sentinel policy. Can be either - advisory or soft-mandatory or hard-mandatory Enforcement level - of Sentinel policy. Can be one of: ''advisory'', ''soft-mandatory'' - or ''hard-mandatory''' + description: |- + Enforcement level of Sentinel policy. Can be either advisory or soft-mandatory or hard-mandatory + Enforcement level of Sentinel policy. Can be one of: 'advisory', 'soft-mandatory' or 'hard-mandatory' type: string name: - description: The name of the policy Name of the policy + description: |- + The name of the policy + Name of the policy type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string policy: - description: String containing a Sentinel policy The policy document + description: |- + String containing a Sentinel policy + The policy document type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. 
This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: enforcementLevel: - description: 'Enforcement level of Sentinel policy. Can be either - advisory or soft-mandatory or hard-mandatory Enforcement level - of Sentinel policy. Can be one of: ''advisory'', ''soft-mandatory'' - or ''hard-mandatory''' + description: |- + Enforcement level of Sentinel policy. Can be either advisory or soft-mandatory or hard-mandatory + Enforcement level of Sentinel policy. Can be one of: 'advisory', 'soft-mandatory' or 'hard-mandatory' type: string name: - description: The name of the policy Name of the policy + description: |- + The name of the policy + Name of the policy type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. 
+ Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string policy: - description: String containing a Sentinel policy The policy document + description: |- + String containing a Sentinel policy + The policy document type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. 
+ See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -149,45 +164,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -197,21 +177,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -221,17 +201,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -241,21 +223,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -270,21 +252,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -295,14 +278,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -318,43 +302,47 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: enforcementLevel is a required parameter + - message: spec.forProvider.enforcementLevel is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.enforcementLevel) - || has(self.initProvider.enforcementLevel)' - - message: name is a required parameter + || (has(self.initProvider) && has(self.initProvider.enforcementLevel))' + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' - - message: policy is a required parameter + || (has(self.initProvider) && has(self.initProvider.name))' + - message: spec.forProvider.policy is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.policy) - || has(self.initProvider.policy)' + || (has(self.initProvider) && has(self.initProvider.policy))' status: description: PolicyStatus defines the observed state of Policy. properties: atProvider: properties: enforcementLevel: - description: 'Enforcement level of Sentinel policy. Can be either - advisory or soft-mandatory or hard-mandatory Enforcement level - of Sentinel policy. Can be one of: ''advisory'', ''soft-mandatory'' - or ''hard-mandatory''' + description: |- + Enforcement level of Sentinel policy. Can be either advisory or soft-mandatory or hard-mandatory + Enforcement level of Sentinel policy. 
Can be one of: 'advisory', 'soft-mandatory' or 'hard-mandatory' type: string id: type: string name: - description: The name of the policy Name of the policy + description: |- + The name of the policy + Name of the policy type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string policy: - description: String containing a Sentinel policy The policy document + description: |- + String containing a Sentinel policy + The policy document type: string type: object conditions: 
@@ -363,14 +351,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -380,8 +377,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -390,6 +388,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/ssh.vault.upbound.io_secretbackendcas.yaml b/package/crds/ssh.vault.upbound.io_secretbackendcas.yaml index 9108a981..c40025cd 100644 --- a/package/crds/ssh.vault.upbound.io_secretbackendcas.yaml +++ b/package/crds/ssh.vault.upbound.io_secretbackendcas.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretbackendcas.ssh.vault.upbound.io spec: group: ssh.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: CA information in an SSH secret backend in Vault properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,26 +74,111 @@ spec: forProvider: properties: backend: - description: The path where the SSH secret backend is mounted. - Defaults to 'ssh' The path of the SSH Secret Backend where the - CA should be configured + description: |- + The path where the SSH secret backend is mounted. Defaults to 'ssh' + The path of the SSH Secret Backend where the CA should be configured type: string + backendRef: + description: Reference to a Mount in vault to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Mount in vault to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. 
+ The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object generateSigningKey: - description: Whether Vault should generate the signing key pair - internally. Defaults to true Whether Vault should generate the - signing key pair internally. + description: |- + Whether Vault should generate the signing key pair internally. Defaults to true + Whether Vault should generate the signing key pair internally. type: boolean + keyBits: + description: |- + Specifies the desired key bits for the generated SSH CA key when generate_signing_key is set to true. + Specifies the desired key bits for the generated SSH CA key when `generate_signing_key` is set to `true`. + type: number + keyType: + description: |- + Specifies the desired key type for the generated SSH CA key when generate_signing_key is set to true. + Specifies the desired key type for the generated SSH CA key when `generate_signing_key` is set to `true`. + type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. 
+ Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string privateKeySecretRef: - description: The private key part the SSH CA key pair; required - if generate_signing_key is false. Private key part the SSH CA - key pair; required if generate_signing_key is false. + description: |- + The private key part the SSH CA key pair; required if generate_signing_key is false. + Private key part the SSH CA key pair; required if generate_signing_key is false. properties: key: description: The key to select. 
@@ -104,64 +195,169 @@ spec: - namespace type: object publicKey: - description: The public key part the SSH CA key pair; required - if generate_signing_key is false. Public key part the SSH CA - key pair; required if generate_signing_key is false. + description: |- + The public key part the SSH CA key pair; required if generate_signing_key is false. + Public key part the SSH CA key pair; required if generate_signing_key is false. type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: backend: - description: The path where the SSH secret backend is mounted. 
- Defaults to 'ssh' The path of the SSH Secret Backend where the - CA should be configured + description: |- + The path where the SSH secret backend is mounted. Defaults to 'ssh' + The path of the SSH Secret Backend where the CA should be configured type: string + backendRef: + description: Reference to a Mount in vault to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Mount in vault to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 
'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object generateSigningKey: - description: Whether Vault should generate the signing key pair - internally. Defaults to true Whether Vault should generate the - signing key pair internally. + description: |- + Whether Vault should generate the signing key pair internally. Defaults to true + Whether Vault should generate the signing key pair internally. type: boolean + keyBits: + description: |- + Specifies the desired key bits for the generated SSH CA key when generate_signing_key is set to true. + Specifies the desired key bits for the generated SSH CA key when `generate_signing_key` is set to `true`. + type: number + keyType: + description: |- + Specifies the desired key type for the generated SSH CA key when generate_signing_key is set to true. + Specifies the desired key type for the generated SSH CA key when `generate_signing_key` is set to `true`. + type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. 
(requires Enterprise) type: string + privateKeySecretRef: + description: |- + The private key part the SSH CA key pair; required if generate_signing_key is false. + Private key part the SSH CA key pair; required if generate_signing_key is false. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object publicKey: - description: The public key part the SSH CA key pair; required - if generate_signing_key is false. Public key part the SSH CA - key pair; required if generate_signing_key is false. + description: |- + The public key part the SSH CA key pair; required if generate_signing_key is false. + Public key part the SSH CA key pair; required if generate_signing_key is false. type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. 
+ ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -174,45 +370,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -222,21 +383,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -246,17 +407,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -266,21 +429,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -295,21 +458,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -320,14 +484,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -348,28 +513,39 @@ spec: atProvider: properties: backend: - description: The path where the SSH secret backend is mounted. - Defaults to 'ssh' The path of the SSH Secret Backend where the - CA should be configured + description: |- + The path where the SSH secret backend is mounted. Defaults to 'ssh' + The path of the SSH Secret Backend where the CA should be configured type: string generateSigningKey: - description: Whether Vault should generate the signing key pair - internally. Defaults to true Whether Vault should generate the - signing key pair internally. + description: |- + Whether Vault should generate the signing key pair internally. Defaults to true + Whether Vault should generate the signing key pair internally. type: boolean id: type: string + keyBits: + description: |- + Specifies the desired key bits for the generated SSH CA key when generate_signing_key is set to true. + Specifies the desired key bits for the generated SSH CA key when `generate_signing_key` is set to `true`. + type: number + keyType: + description: |- + Specifies the desired key type for the generated SSH CA key when generate_signing_key is set to true. + Specifies the desired key type for the generated SSH CA key when `generate_signing_key` is set to `true`. + type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string publicKey: - description: The public key part the SSH CA key pair; required - if generate_signing_key is false. 
Public key part the SSH CA - key pair; required if generate_signing_key is false. + description: |- + The public key part the SSH CA key pair; required if generate_signing_key is false. + Public key part the SSH CA key pair; required if generate_signing_key is false. type: string type: object conditions: @@ -378,14 +554,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -395,8 +580,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime 
@@ -405,6 +591,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/ssh.vault.upbound.io_secretbackendroles.yaml b/package/crds/ssh.vault.upbound.io_secretbackendroles.yaml index 2391d922..b86af9dc 100644 --- a/package/crds/ssh.vault.upbound.io_secretbackendroles.yaml +++ b/package/crds/ssh.vault.upbound.io_secretbackendroles.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretbackendroles.ssh.vault.upbound.io spec: group: ssh.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: Managing roles in an SSH secret backend in Vault properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete @@ -100,7 +106,8 @@ spec: a host certificate. type: string allowedDomainsTemplate: - description: Specifies if allowed_domains can be declared using + description: |- + Specifies if allowed_domains can be declared using identity template policies. Non-templated domains are also permitted. type: boolean allowedExtensions: 
@@ -108,39 +115,34 @@ spec: certificates can have when signed. type: string allowedUserKeyConfig: - description: Set of configuration blocks to define allowed user - key configuration, like key type and their lengths. Can be specified - multiple times. See Set of allowed public key types and their - relevant configuration + description: |- + Set of configuration blocks to define allowed + user key configuration, like key type and their lengths. Can be specified multiple times. + See + Set of allowed public key types and their relevant configuration items: properties: lengths: - description: A list of allowed key lengths as integers. - For key types that do not support setting the length a - value of [0] should be used. Setting multiple lengths - is only supported on Vault 1.10+. For prior releases length - must be set to a single element list. List of allowed - key lengths, vault-1.10 and above + description: |- + A list of allowed key lengths as integers. + For key types that do not support setting the length a value of [0] should be used. + Setting multiple lengths is only supported on Vault 1.10+. For prior releases length + must be set to a single element list. + List of allowed key lengths, vault-1.10 and above items: type: number type: array type: - description: 'The SSH public key type. Supported key types - are: rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, + description: |- + The SSH public key type. 
+ Supported key types are: + rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521 - Key type, choices: rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, - ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, - ecdsa-sha2-nistp521' + Key type, choices: + rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521 type: string type: object type: array - allowedUserKeyLengths: - additionalProperties: - type: number - description: 'Specifies a map of ssh key types and their expected - sizes which are allowed to be signed by the CA type. Deprecated: - use allowed_user_key_config instead' - type: object allowedUsers: description: Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed. 
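Review bot: Dropping `allowedUserKeyLengths` from `forProvider` in this hunk (and from `initProvider` in the matching hunk further down) removes a field that existing SecretBackendRole manifests may still set, and nothing visible here says what happens to those resources on upgrade. With a structural CRD schema the API server normally prunes fields that are no longer declared, so a role that relied on this map to limit which key sizes the CA will sign would presumably lose that limit without any error unless it is first migrated to `allowedUserKeyConfig`. The file is generated by controller-gen, so the fix belongs in the upgrade notes rather than in this YAML; a line such as `Breaking: allowedUserKeyLengths is removed; move key-size limits to allowedUserKeyConfig (type + lengths) before upgrading` would cover it. It is also worth confirming how the role stored in Vault behaves once the provider stops sending the old field.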
@@ -152,6 +154,80 @@ spec: backend: description: The path where the SSH secret backend is mounted. type: string + backendRef: + description: Reference to a Mount in vault to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Mount in vault to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. 
The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object cidrList: description: The comma-separated string of CIDR blocks for which this role is applicable. @@ -162,12 +238,14 @@ spec: description: Specifies a map of critical options that certificates have when signed. type: object + x-kubernetes-map-type: granular defaultExtensions: additionalProperties: type: string description: Specifies a map of extensions that certificates have when signed. type: object + x-kubernetes-map-type: granular defaultUser: description: Specifies the default username for which a credential will be generated. 
@@ -188,38 +266,40 @@ spec: description: Specifies the maximum Time To Live value. type: string name: - description: Specifies the name of the role to create. Unique - name for the role. + description: |- + Specifies the name of the role to create. + Unique name for the role. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string notBeforeDuration: - description: Specifies the duration by which to backdate the ValidAfter - property. Uses duration format strings. Specifies the duration - by which to backdate the ValidAfter property. Uses duration - format strings. + description: |- + Specifies the duration by which to backdate the ValidAfter property. + Uses duration format strings. + Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings. type: string ttl: description: Specifies the Time To Live value. type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. 
This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: algorithmSigner: description: 'When supplied, this value specifies a signing algorithm @@ -254,7 +334,8 @@ spec: a host certificate. type: string allowedDomainsTemplate: - description: Specifies if allowed_domains can be declared using + description: |- + Specifies if allowed_domains can be declared using identity template policies. Non-templated domains are also permitted. type: boolean allowedExtensions: 
@@ -262,39 +343,34 @@ spec: certificates can have when signed. type: string allowedUserKeyConfig: - description: Set of configuration blocks to define allowed user - key configuration, like key type and their lengths. Can be specified - multiple times. See Set of allowed public key types and their - relevant configuration + description: |- + Set of configuration blocks to define allowed + user key configuration, like key type and their lengths. Can be specified multiple times. + See + Set of allowed public key types and their relevant configuration items: properties: lengths: - description: A list of allowed key lengths as integers. - For key types that do not support setting the length a - value of [0] should be used. Setting multiple lengths - is only supported on Vault 1.10+. For prior releases length - must be set to a single element list. List of allowed - key lengths, vault-1.10 and above + description: |- + A list of allowed key lengths as integers. + For key types that do not support setting the length a value of [0] should be used. + Setting multiple lengths is only supported on Vault 1.10+. For prior releases length + must be set to a single element list. + List of allowed key lengths, vault-1.10 and above items: type: number type: array type: - description: 'The SSH public key type. Supported key types - are: rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, + description: |- + The SSH public key type. 
+ Supported key types are: + rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521 - Key type, choices: rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, - ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, - ecdsa-sha2-nistp521' + Key type, choices: + rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521 type: string type: object type: array - allowedUserKeyLengths: - additionalProperties: - type: number - description: 'Specifies a map of ssh key types and their expected - sizes which are allowed to be signed by the CA type. Deprecated: - use allowed_user_key_config instead' - type: object allowedUsers: description: Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed. 
@@ -306,6 +382,80 @@ spec: backend: description: The path where the SSH secret backend is mounted. type: string + backendRef: + description: Reference to a Mount in vault to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Mount in vault to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. 
The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object cidrList: description: The comma-separated string of CIDR blocks for which this role is applicable. @@ -316,12 +466,14 @@ spec: description: Specifies a map of critical options that certificates have when signed. type: object + x-kubernetes-map-type: granular defaultExtensions: additionalProperties: type: string description: Specifies a map of extensions that certificates have when signed. type: object + x-kubernetes-map-type: granular defaultUser: description: Specifies the default username for which a credential will be generated. 
@@ -342,21 +494,23 @@ spec: description: Specifies the maximum Time To Live value. type: string name: - description: Specifies the name of the role to create. Unique - name for the role. + description: |- + Specifies the name of the role to create. + Unique name for the role. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string notBeforeDuration: - description: Specifies the duration by which to backdate the ValidAfter - property. Uses duration format strings. Specifies the duration - by which to backdate the ValidAfter property. Uses duration - format strings. + description: |- + Specifies the duration by which to backdate the ValidAfter property. + Uses duration format strings. + Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings. type: string ttl: description: Specifies the Time To Live value. 
@@ -365,20 +519,21 @@ spec: managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. 
+ description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -391,9 +546,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -403,57 +559,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -463,17 +583,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -483,21 +605,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -512,21 +634,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -537,14 +660,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -560,18 +684,14 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: backend is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) - || has(self.initProvider.backend)' - - message: keyType is a required parameter + - message: spec.forProvider.keyType is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.keyType) - || has(self.initProvider.keyType)' - - message: name is a required parameter + || (has(self.initProvider) && has(self.initProvider.keyType))' + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' + || (has(self.initProvider) && has(self.initProvider.name))' status: description: SecretBackendRoleStatus defines the observed state of SecretBackendRole. properties: @@ -610,7 +730,8 @@ spec: a host certificate. type: string allowedDomainsTemplate: - description: Specifies if allowed_domains can be declared using + description: |- + Specifies if allowed_domains can be declared using identity template policies. Non-templated domains are also permitted. type: boolean allowedExtensions: 
@@ -618,39 +739,34 @@ spec: certificates can have when signed. type: string allowedUserKeyConfig: - description: Set of configuration blocks to define allowed user - key configuration, like key type and their lengths. Can be specified - multiple times. See Set of allowed public key types and their - relevant configuration + description: |- + Set of configuration blocks to define allowed + user key configuration, like key type and their lengths. Can be specified multiple times. + See + Set of allowed public key types and their relevant configuration items: properties: lengths: - description: A list of allowed key lengths as integers. - For key types that do not support setting the length a - value of [0] should be used. Setting multiple lengths - is only supported on Vault 1.10+. For prior releases length - must be set to a single element list. List of allowed - key lengths, vault-1.10 and above + description: |- + A list of allowed key lengths as integers. + For key types that do not support setting the length a value of [0] should be used. + Setting multiple lengths is only supported on Vault 1.10+. For prior releases length + must be set to a single element list. + List of allowed key lengths, vault-1.10 and above items: type: number type: array type: - description: 'The SSH public key type. Supported key types - are: rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, + description: |- + The SSH public key type. 
+ Supported key types are: + rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521 - Key type, choices: rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, - ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, - ecdsa-sha2-nistp521' + Key type, choices: + rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521 type: string type: object type: array - allowedUserKeyLengths: - additionalProperties: - type: number - description: 'Specifies a map of ssh key types and their expected - sizes which are allowed to be signed by the CA type. Deprecated: - use allowed_user_key_config instead' - type: object allowedUsers: description: Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed. @@ -672,12 +788,14 @@ spec: description: Specifies a map of critical options that certificates have when signed. type: object + x-kubernetes-map-type: granular defaultExtensions: additionalProperties: type: string description: Specifies a map of extensions that certificates have when signed. type: object + x-kubernetes-map-type: granular defaultUser: description: Specifies the default username for which a credential will be generated. 
@@ -700,21 +818,23 @@ spec: description: Specifies the maximum Time To Live value. type: string name: - description: Specifies the name of the role to create. Unique - name for the role. + description: |- + Specifies the name of the role to create. + Unique name for the role. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string notBeforeDuration: - description: Specifies the duration by which to backdate the ValidAfter - property. Uses duration format strings. Specifies the duration - by which to backdate the ValidAfter property. Uses duration - format strings. + description: |- + Specifies the duration by which to backdate the ValidAfter property. + Uses duration format strings. + Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings. type: string ttl: description: Specifies the Time To Live value. 
@@ -726,14 +846,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -743,8 +872,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -753,6 +883,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/terraform.vault.upbound.io_cloudsecretbackends.yaml b/package/crds/terraform.vault.upbound.io_cloudsecretbackends.yaml index efac628e..8d1b2b1f 100644 --- a/package/crds/terraform.vault.upbound.io_cloudsecretbackends.yaml +++ b/package/crds/terraform.vault.upbound.io_cloudsecretbackends.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: cloudsecretbackends.terraform.vault.upbound.io spec: group: terraform.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete @@ -68,7 +74,9 @@ spec: forProvider: properties: address: - description: 0.0.1:8500". + description: |- + The default is + https://app.0.0.1:8500". type: string backend: description: The unique location this backend should be mounted 
@@ -77,29 +85,34 @@ spec: basePath: type: string defaultLeaseTtlSeconds: - description: The default TTL for credentials issued by this backend. + description: |- + The default TTL for credentials issued by this backend. Default lease duration for secrets in seconds type: number description: - description: A human-friendly description for this backend. Human-friendly - description of the mount for the backend. + description: |- + A human-friendly description for this backend. + Human-friendly description of the mount for the backend. type: string disableRemount: - description: If set, opts out of mount migration on path updates. - See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. type: boolean maxLeaseTtlSeconds: - description: The maximum TTL that can be requested for credentials - issued by this backend. Maximum possible lease duration for - secrets in seconds + description: |- + The maximum TTL that can be requested + for credentials issued by this backend. + Maximum possible lease duration for secrets in seconds type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string tokenSecretRef: description: A SecretKeySelector is a reference to a secret key 
@@ -121,20 +134,22 @@ spec: type: object type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: address: - description: 0.0.1:8500". + description: |- + The default is + https://app.0.0.1:8500". type: string backend: description: The unique location this backend should be mounted 
@@ -143,48 +158,72 @@ spec: basePath: type: string defaultLeaseTtlSeconds: - description: The default TTL for credentials issued by this backend. + description: |- + The default TTL for credentials issued by this backend. Default lease duration for secrets in seconds type: number description: - description: A human-friendly description for this backend. Human-friendly - description of the mount for the backend. + description: |- + A human-friendly description for this backend. + Human-friendly description of the mount for the backend. type: string disableRemount: - description: If set, opts out of mount migration on path updates. - See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. type: boolean maxLeaseTtlSeconds: - description: The maximum TTL that can be requested for credentials - issued by this backend. Maximum possible lease duration for - secrets in seconds + description: |- + The maximum TTL that can be requested + for credentials issued by this backend. + Maximum possible lease duration for secrets in seconds type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string + tokenSecretRef: + description: A SecretKeySelector is a reference to a secret key + in an arbitrary namespace. 
+ properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. 
+ See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -197,45 +236,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -245,21 +249,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -269,17 +273,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -289,21 +295,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -318,21 +324,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -343,14 +350,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. @@ -371,7 +379,9 @@ spec: atProvider: properties: address: - description: 0.0.1:8500". + description: |- + The default is + https://app.0.0.1:8500". type: string backend: description: The unique location this backend should be mounted 
@@ -380,31 +390,36 @@ spec: basePath: type: string defaultLeaseTtlSeconds: - description: The default TTL for credentials issued by this backend. + description: |- + The default TTL for credentials issued by this backend. Default lease duration for secrets in seconds type: number description: - description: A human-friendly description for this backend. Human-friendly - description of the mount for the backend. + description: |- + A human-friendly description for this backend. + Human-friendly description of the mount for the backend. type: string disableRemount: - description: If set, opts out of mount migration on path updates. - See here for more info on Mount Migration If set, opts out of - mount migration on path updates. + description: |- + If set, opts out of mount migration on path updates. + See here for more info on Mount Migration + If set, opts out of mount migration on path updates. type: boolean id: type: string maxLeaseTtlSeconds: - description: The maximum TTL that can be requested for credentials - issued by this backend. Maximum possible lease duration for - secrets in seconds + description: |- + The maximum TTL that can be requested + for credentials issued by this backend. + Maximum possible lease duration for secrets in seconds type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: object conditions: 
@@ -413,14 +428,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -430,8 +454,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -440,6 +465,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/terraform.vault.upbound.io_cloudsecretcreds.yaml b/package/crds/terraform.vault.upbound.io_cloudsecretcreds.yaml index e9cf486f..e84586e9 100644 --- a/package/crds/terraform.vault.upbound.io_cloudsecretcreds.yaml +++ b/package/crds/terraform.vault.upbound.io_cloudsecretcreds.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: cloudsecretcreds.terraform.vault.upbound.io spec: group: terraform.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -37,14 +37,19 @@ spec: description: CloudSecretCreds is the Schema for the CloudSecretCredss API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -53,13 +58,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -67,69 +73,376 @@ spec: forProvider: properties: backend: - description: the path to the Upbound official provider cloud secret - backend to read credentials from, with no leading or trailing - /s. Upbound official provider cloud secret backend to generate - tokens from + description: |- + the path to the provider cloud secret backend to + read credentials from, with no leading or trailing /s. + provider cloud secret backend to generate tokens from type: string + backendRef: + description: Reference to a CloudSecretBackend in terraform to + populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a CloudSecretBackend in terraform to + populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. 
+ properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string role: description: Name of the role. type: string + roleRef: + description: Reference to a CloudSecretRole in terraform to populate + role. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + roleSelector: + description: Selector for a CloudSecretRole in terraform to populate + role. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. 
The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: backend: - description: the path to the Upbound official provider cloud secret - backend to read credentials from, with no leading or trailing - /s. Upbound official provider cloud secret backend to generate - tokens from + description: |- + the path to the provider cloud secret backend to + read credentials from, with no leading or trailing /s. + provider cloud secret backend to generate tokens from type: string + backendRef: + description: Reference to a CloudSecretBackend in terraform to + populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 
'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a CloudSecretBackend in terraform to + populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. 
(requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string role: description: Name of the role. type: string + roleRef: + description: Reference to a CloudSecretRole in terraform to populate + role. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + roleSelector: + description: Selector for a CloudSecretRole in terraform to populate + role. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. 
+ The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. 
If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -142,45 +455,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -190,21 +468,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -214,17 +492,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -234,21 +514,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -263,21 +543,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -288,14 +569,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -310,34 +592,26 @@ spec: required: - forProvider type: object - x-kubernetes-validations: - - message: backend is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) - || has(self.initProvider.backend)' - - message: role is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.role) - || has(self.initProvider.role)' status: description: CloudSecretCredsStatus defines the observed state of CloudSecretCreds. properties: atProvider: properties: backend: - description: the path to the Upbound official provider cloud secret - backend to read credentials from, with no leading or trailing - /s. Upbound official provider cloud secret backend to generate - tokens from + description: |- + the path to the provider cloud secret backend to + read credentials from, with no leading or trailing /s. + provider cloud secret backend to generate tokens from type: string id: type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string organization: description: The organization associated with the token provided 
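Review bot: With both `x-kubernetes-validations` rules removed, nothing in this schema rejects a CloudSecretCreds that sets none of `backend`, `backendRef` or `backendSelector`, and the same holds for `role`. A misconfigured object is then presumably caught only at reconcile time instead of at admission. The removal looks tied to the reference and selector fields added earlier in this file, which can populate `backend` and `role`. If the admission-time check is still wanted, a rule that accepts any of the three would keep it, e.g. `has(self.forProvider.backend) || has(self.forProvider.backendRef) || has(self.forProvider.backendSelector)` under the existing managementPolicies guard. The file carries a controller-gen annotation, so the change would belong in the generator input rather than in this YAML.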
@@ -350,9 +624,9 @@ spec: settings/teams/team-xxxxxxxxxxxxx) type: string tokenId: - description: The public identifier for a specific token. It can - be used to look up information about a token or to revoke a - token + description: |- + The public identifier for a specific token. It can be used + to look up information about a token or to revoke a token type: string type: object conditions: @@ -361,14 +635,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -378,8 +661,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime 
@@ -388,6 +672,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/terraform.vault.upbound.io_cloudsecretroles.yaml b/package/crds/terraform.vault.upbound.io_cloudsecretroles.yaml index f7656795..43a41228 100644 --- a/package/crds/terraform.vault.upbound.io_cloudsecretroles.yaml +++ b/package/crds/terraform.vault.upbound.io_cloudsecretroles.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: cloudsecretroles.terraform.vault.upbound.io spec: group: terraform.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -37,14 +37,19 @@ spec: description: CloudSecretRole is the Schema for the CloudSecretRoles API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -53,13 +58,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -69,85 +75,239 @@ spec: backend: description: Must not begin or end with a /. type: string + backendRef: + description: Reference to a CloudSecretBackend in terraform to + populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a CloudSecretBackend in terraform to + populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object maxTtl: - description: Maximum TTL for leases associated with this role, - in seconds. Maximum allowed lease for generated credentials. - If not set or set to 0, will use system default. + description: |- + Maximum TTL for leases associated with this role, in seconds. + Maximum allowed lease for generated credentials. If not set or set to 0, will use system default. type: number name: - description: the name of the Upbound official provider cloud secrets - engine role to create. the name of an existing role against - which to create this Upbound official provider cloud credential + description: |- + the name of the provider cloud secrets engine role to create. + the name of an existing role against which to create this provider cloud credential type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string organization: - description: the organization name managing your Upbound official - provider cloud instance. 
name of the Upbound official provider - cloud or enterprise organization + description: |- + the organization name managing your provider cloud instance. + name of the provider cloud or enterprise organization type: string teamId: description: g., settings/teams/team-xxxxxxxxxxxxx) type: string ttl: - description: Specifies the TTL for this role. Default lease for - generated credentials. If not set or set to 0, will use system - default. + description: |- + Specifies the TTL for this role. + Default lease for generated credentials. If not set or set to 0, will use system default. type: number userId: description: g., user-xxxxxxxxxxxxxxxx) type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. 
This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: backend: description: Must not begin or end with a /. type: string + backendRef: + description: Reference to a CloudSecretBackend in terraform to + populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a CloudSecretBackend in terraform to + populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 
'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object maxTtl: - description: Maximum TTL for leases associated with this role, - in seconds. Maximum allowed lease for generated credentials. - If not set or set to 0, will use system default. + description: |- + Maximum TTL for leases associated with this role, in seconds. + Maximum allowed lease for generated credentials. If not set or set to 0, will use system default. type: number name: - description: the name of the Upbound official provider cloud secrets - engine role to create. the name of an existing role against - which to create this Upbound official provider cloud credential + description: |- + the name of the provider cloud secrets engine role to create. + the name of an existing role against which to create this provider cloud credential type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string organization: - description: the organization name managing your Upbound official - provider cloud instance. 
name of the Upbound official provider - cloud or enterprise organization + description: |- + the organization name managing your provider cloud instance. + name of the provider cloud or enterprise organization type: string teamId: description: g., settings/teams/team-xxxxxxxxxxxxx) type: string ttl: - description: Specifies the TTL for this role. Default lease for - generated credentials. If not set or set to 0, will use system - default. + description: |- + Specifies the TTL for this role. + Default lease for generated credentials. If not set or set to 0, will use system default. type: number userId: description: g., user-xxxxxxxxxxxxxxxx) 
@@ -156,20 +316,21 @@ spec: managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. 
+ description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -182,45 +343,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
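Review bot: Dropping `providerRef` from the schema in the `@@ -182,45 +343,10 @@` hunk changes what happens to manifests that still set it. With a structural v1 CRD schema the unknown field is pruned, or the request is rejected under strict field validation, and `providerConfigRef` then falls back to its `default: name: default`. If any existing CloudSecretRole relied on `providerRef` to pick a non-default provider configuration, it would presumably reconcile against the default one, meaning different Vault credentials. The file carries a controller-gen annotation, so it should not be hand-edited; what is missing is an upgrade-note line such as `spec.providerRef is removed; set spec.providerConfigRef before upgrading`.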
@@ -230,21 +356,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -254,17 +380,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -274,21 +402,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -303,21 +431,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -328,14 +457,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. @@ -351,10 +481,10 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: name is a required parameter + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' + || (has(self.initProvider) && has(self.initProvider.name))' status: description: CloudSecretRoleStatus defines the observed state of CloudSecretRole. properties: 
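Review bot: The new message `spec.forProvider.name is a required parameter` in the `x-kubernetes-validations` entry (hunk `@@ -351,10 +481,10 @@`) names only one of the two fields the rule accepts. The rule also passes when `has(self.initProvider) && has(self.initProvider.name)` holds, so a user rejected at admission is not told that setting the name under `initProvider` would satisfy it. A message like `spec.forProvider.name or spec.initProvider.name is a required parameter` would match the rule. This CRD is marked as controller-gen output, so the wording presumably has to change in the generator or the Go type markers rather than in this file.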
@@ -366,34 +496,35 @@ spec: id: type: string maxTtl: - description: Maximum TTL for leases associated with this role, - in seconds. Maximum allowed lease for generated credentials. - If not set or set to 0, will use system default. + description: |- + Maximum TTL for leases associated with this role, in seconds. + Maximum allowed lease for generated credentials. If not set or set to 0, will use system default. type: number name: - description: the name of the Upbound official provider cloud secrets - engine role to create. the name of an existing role against - which to create this Upbound official provider cloud credential + description: |- + the name of the provider cloud secrets engine role to create. + the name of an existing role against which to create this provider cloud credential type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string organization: - description: the organization name managing your Upbound official - provider cloud instance. name of the Upbound official provider - cloud or enterprise organization + description: |- + the organization name managing your provider cloud instance. + name of the provider cloud or enterprise organization type: string teamId: description: g., settings/teams/team-xxxxxxxxxxxxx) type: string ttl: - description: Specifies the TTL for this role. Default lease for - generated credentials. If not set or set to 0, will use system - default. 
+ description: |- + Specifies the TTL for this role. + Default lease for generated credentials. If not set or set to 0, will use system default. type: number userId: description: g., user-xxxxxxxxxxxxxxxx) @@ -405,14 +536,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -422,8 +562,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime 
@@ -432,6 +573,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/token.vault.upbound.io_authbackendroles.yaml b/package/crds/token.vault.upbound.io_authbackendroles.yaml index cdb25e77..2933517f 100644 --- a/package/crds/token.vault.upbound.io_authbackendroles.yaml +++ b/package/crds/token.vault.upbound.io_authbackendroles.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: authbackendroles.token.vault.upbound.io spec: group: token.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: Token auth backend roles in Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,96 +74,115 @@ spec: forProvider: properties: allowedEntityAliases: - description: List of allowed entity aliases. Set of allowed entity - aliases for this role. + description: |- + List of allowed entity aliases. + Set of allowed entity aliases for this role. items: type: string type: array + x-kubernetes-list-type: set allowedPolicies: - description: List of allowed policies for given role. List of - allowed policies for given role. + description: |- + List of allowed policies for given role. + List of allowed policies for given role. items: type: string type: array + x-kubernetes-list-type: set allowedPoliciesGlob: - description: Set of allowed policies with glob match for given - role. Set of allowed policies with glob match for given role. + description: |- + Set of allowed policies with glob match for given role. + Set of allowed policies with glob match for given role. items: type: string type: array + x-kubernetes-list-type: set disallowedPolicies: - description: List of disallowed policies for given role. List - of disallowed policies for given role. + description: |- + List of disallowed policies for given role. + List of disallowed policies for given role. items: type: string type: array + x-kubernetes-list-type: set disallowedPoliciesGlob: - description: Set of disallowed policies with glob match for given - role. Set of disallowed policies with glob match for given role. + description: |- + Set of disallowed policies with glob match for given role. + Set of disallowed policies with glob match for given role. items: type: string type: array + x-kubernetes-list-type: set namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. 
+ The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string orphan: - description: If true, tokens created against this policy will - be orphan tokens. If true, tokens created against this policy - will be orphan tokens. + description: |- + If true, tokens created against this policy will be orphan tokens. + If true, tokens created against this policy will be orphan tokens. type: boolean pathSuffix: - description: Tokens created against this role will have the given - suffix as part of their path in addition to the role name. Tokens - created against this role will have the given suffix as part - of their path in addition to the role name. + description: |- + Tokens created against this role will have the given suffix as part of their path in addition to the role name. + Tokens created against this role will have the given suffix as part of their path in addition to the role name. type: string renewable: - description: Whether to disable the ability of the token to be - renewed past its initial TTL. Whether to disable the ability - of the token to be renewed past its initial TTL. + description: |- + Whether to disable the ability of the token to be renewed past its initial TTL. + Whether to disable the ability of the token to be renewed past its initial TTL. type: boolean roleName: - description: The name of the role. Name of the role. + description: |- + The name of the role. + Name of the role. type: string tokenBoundCidrs: - description: List of CIDR blocks; if set, specifies blocks of - IP addresses which can authenticate successfully, and ties the - resulting token to these blocks as well. 
Specifies the blocks - of IP addresses which are allowed to use the generated token + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + Specifies the blocks of IP addresses which are allowed to use the generated token items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: - description: If set, will encode an explicit max TTL onto the - token in number of seconds. This is a hard cap even if token_ttl - and token_max_ttl would otherwise allow a renewal. Generated - Token's Explicit Maximum TTL in seconds + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + Generated Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime for generated tokens in number - of seconds. Its current value will be referenced at renewal - time. The maximum lifetime of the generated token + description: |- + The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If set, the default policy will not be set on generated - tokens; otherwise it will be added to the policies set in token_policies. - If true, the 'default' policy will not automatically be added - to generated tokens + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a generated token may - be used (within its lifetime); 0 means unlimited. 
The maximum - number of times a token may be used, a value of zero means unlimited + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + The maximum number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: If set, indicates that the token generated using - this role should never expire. The token should be renewed within - the duration specified by this value. At each renewal, the token's - TTL will be set to the value of this field. Specified in seconds. + description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. Generated Token's Period type: number tokenPolicies: 
@@ -165,125 +190,146 @@ spec: items: type: string type: array + x-kubernetes-list-type: set tokenTtl: - description: The incremental lifetime for generated tokens in - number of seconds. Its current value will be referenced at renewal - time. The initial ttl of the token to generate in seconds + description: |- + The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The initial ttl of the token to generate in seconds type: number tokenType: - description: 'The type of token that should be generated. Can - be service, batch, or default to use the mount''s tuned default - (which unless changed will be service tokens). For token store - roles, there are two additional possibilities: default-service - and default-batch which specify the type to return unless the - client requests a different type at generation time. The type - of token to generate, service or batch' + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. + The type of token to generate, service or batch type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. 
This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: allowedEntityAliases: - description: List of allowed entity aliases. Set of allowed entity - aliases for this role. + description: |- + List of allowed entity aliases. + Set of allowed entity aliases for this role. items: type: string type: array + x-kubernetes-list-type: set allowedPolicies: - description: List of allowed policies for given role. List of - allowed policies for given role. + description: |- + List of allowed policies for given role. + List of allowed policies for given role. items: type: string type: array + x-kubernetes-list-type: set allowedPoliciesGlob: - description: Set of allowed policies with glob match for given - role. Set of allowed policies with glob match for given role. + description: |- + Set of allowed policies with glob match for given role. + Set of allowed policies with glob match for given role. items: type: string type: array + x-kubernetes-list-type: set disallowedPolicies: - description: List of disallowed policies for given role. List - of disallowed policies for given role. + description: |- + List of disallowed policies for given role. 
+ List of disallowed policies for given role. items: type: string type: array + x-kubernetes-list-type: set disallowedPoliciesGlob: - description: Set of disallowed policies with glob match for given - role. Set of disallowed policies with glob match for given role. + description: |- + Set of disallowed policies with glob match for given role. + Set of disallowed policies with glob match for given role. items: type: string type: array + x-kubernetes-list-type: set namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string orphan: - description: If true, tokens created against this policy will - be orphan tokens. If true, tokens created against this policy - will be orphan tokens. + description: |- + If true, tokens created against this policy will be orphan tokens. + If true, tokens created against this policy will be orphan tokens. type: boolean pathSuffix: - description: Tokens created against this role will have the given - suffix as part of their path in addition to the role name. Tokens - created against this role will have the given suffix as part - of their path in addition to the role name. + description: |- + Tokens created against this role will have the given suffix as part of their path in addition to the role name. + Tokens created against this role will have the given suffix as part of their path in addition to the role name. 
type: string renewable: - description: Whether to disable the ability of the token to be - renewed past its initial TTL. Whether to disable the ability - of the token to be renewed past its initial TTL. + description: |- + Whether to disable the ability of the token to be renewed past its initial TTL. + Whether to disable the ability of the token to be renewed past its initial TTL. type: boolean roleName: - description: The name of the role. Name of the role. + description: |- + The name of the role. + Name of the role. type: string tokenBoundCidrs: - description: List of CIDR blocks; if set, specifies blocks of - IP addresses which can authenticate successfully, and ties the - resulting token to these blocks as well. Specifies the blocks - of IP addresses which are allowed to use the generated token + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + Specifies the blocks of IP addresses which are allowed to use the generated token items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: - description: If set, will encode an explicit max TTL onto the - token in number of seconds. This is a hard cap even if token_ttl - and token_max_ttl would otherwise allow a renewal. Generated - Token's Explicit Maximum TTL in seconds + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + Generated Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime for generated tokens in number - of seconds. Its current value will be referenced at renewal - time. The maximum lifetime of the generated token + description: |- + The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. 
+ The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If set, the default policy will not be set on generated - tokens; otherwise it will be added to the policies set in token_policies. - If true, the 'default' policy will not automatically be added - to generated tokens + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a generated token may - be used (within its lifetime); 0 means unlimited. The maximum - number of times a token may be used, a value of zero means unlimited + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + The maximum number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: If set, indicates that the token generated using - this role should never expire. The token should be renewed within - the duration specified by this value. At each renewal, the token's - TTL will be set to the value of this field. Specified in seconds. + description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. Generated Token's Period type: number tokenPolicies: 
@@ -291,38 +337,41 @@ spec: items: type: string type: array + x-kubernetes-list-type: set tokenTtl: - description: The incremental lifetime for generated tokens in - number of seconds. Its current value will be referenced at renewal - time. The initial ttl of the token to generate in seconds + description: |- + The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The initial ttl of the token to generate in seconds type: number tokenType: - description: 'The type of token that should be generated. Can - be service, batch, or default to use the mount''s tuned default - (which unless changed will be service tokens). For token store - roles, there are two additional possibilities: default-service - and default-batch which specify the type to return unless the - client requests a different type at generation time. The type - of token to generate, service or batch' + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. + The type of token to generate, service or batch type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. 
If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -335,45 +384,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -383,21 +397,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -407,17 +421,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -427,21 +443,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -456,21 +472,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -481,14 +498,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -504,108 +522,127 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: roleName is a required parameter + - message: spec.forProvider.roleName is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.roleName) - || has(self.initProvider.roleName)' + || (has(self.initProvider) && has(self.initProvider.roleName))' status: description: AuthBackendRoleStatus defines the observed state of AuthBackendRole. properties: atProvider: properties: allowedEntityAliases: - description: List of allowed entity aliases. Set of allowed entity - aliases for this role. + description: |- + List of allowed entity aliases. + Set of allowed entity aliases for this role. items: type: string type: array + x-kubernetes-list-type: set allowedPolicies: - description: List of allowed policies for given role. List of - allowed policies for given role. + description: |- + List of allowed policies for given role. + List of allowed policies for given role. items: type: string type: array + x-kubernetes-list-type: set allowedPoliciesGlob: - description: Set of allowed policies with glob match for given - role. Set of allowed policies with glob match for given role. + description: |- + Set of allowed policies with glob match for given role. + Set of allowed policies with glob match for given role. items: type: string type: array + x-kubernetes-list-type: set disallowedPolicies: - description: List of disallowed policies for given role. List - of disallowed policies for given role. + description: |- + List of disallowed policies for given role. + List of disallowed policies for given role. items: type: string type: array + x-kubernetes-list-type: set disallowedPoliciesGlob: - description: Set of disallowed policies with glob match for given - role. Set of disallowed policies with glob match for given role. 
+ description: |- + Set of disallowed policies with glob match for given role. + Set of disallowed policies with glob match for given role. items: type: string type: array + x-kubernetes-list-type: set id: type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string orphan: - description: If true, tokens created against this policy will - be orphan tokens. If true, tokens created against this policy - will be orphan tokens. + description: |- + If true, tokens created against this policy will be orphan tokens. + If true, tokens created against this policy will be orphan tokens. type: boolean pathSuffix: - description: Tokens created against this role will have the given - suffix as part of their path in addition to the role name. Tokens - created against this role will have the given suffix as part - of their path in addition to the role name. + description: |- + Tokens created against this role will have the given suffix as part of their path in addition to the role name. + Tokens created against this role will have the given suffix as part of their path in addition to the role name. type: string renewable: - description: Whether to disable the ability of the token to be - renewed past its initial TTL. Whether to disable the ability - of the token to be renewed past its initial TTL. + description: |- + Whether to disable the ability of the token to be renewed past its initial TTL. 
+ Whether to disable the ability of the token to be renewed past its initial TTL. type: boolean roleName: - description: The name of the role. Name of the role. + description: |- + The name of the role. + Name of the role. type: string tokenBoundCidrs: - description: List of CIDR blocks; if set, specifies blocks of - IP addresses which can authenticate successfully, and ties the - resulting token to these blocks as well. Specifies the blocks - of IP addresses which are allowed to use the generated token + description: |- + List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + Specifies the blocks of IP addresses which are allowed to use the generated token items: type: string type: array + x-kubernetes-list-type: set tokenExplicitMaxTtl: - description: If set, will encode an explicit max TTL onto the - token in number of seconds. This is a hard cap even if token_ttl - and token_max_ttl would otherwise allow a renewal. Generated - Token's Explicit Maximum TTL in seconds + description: |- + If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + Generated Token's Explicit Maximum TTL in seconds type: number tokenMaxTtl: - description: The maximum lifetime for generated tokens in number - of seconds. Its current value will be referenced at renewal - time. The maximum lifetime of the generated token + description: |- + The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The maximum lifetime of the generated token type: number tokenNoDefaultPolicy: - description: If set, the default policy will not be set on generated - tokens; otherwise it will be added to the policies set in token_policies. 
- If true, the 'default' policy will not automatically be added - to generated tokens + description: |- + If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + If true, the 'default' policy will not automatically be added to generated tokens type: boolean tokenNumUses: - description: The maximum number of times a generated token may - be used (within its lifetime); 0 means unlimited. The maximum - number of times a token may be used, a value of zero means unlimited + description: |- + The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + The maximum number of times a token may be used, a value of zero means unlimited type: number tokenPeriod: - description: If set, indicates that the token generated using - this role should never expire. The token should be renewed within - the duration specified by this value. At each renewal, the token's - TTL will be set to the value of this field. Specified in seconds. + description: |- + If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. Generated Token's Period type: number tokenPolicies: 
@@ -613,19 +650,21 @@ spec: items: type: string type: array + x-kubernetes-list-type: set tokenTtl: - description: The incremental lifetime for generated tokens in - number of seconds. Its current value will be referenced at renewal - time. The initial ttl of the token to generate in seconds + description: |- + The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + The initial ttl of the token to generate in seconds type: number tokenType: - description: 'The type of token that should be generated. Can - be service, batch, or default to use the mount''s tuned default - (which unless changed will be service tokens). For token store - roles, there are two additional possibilities: default-service - and default-batch which specify the type to return unless the - client requests a different type at generation time. The type - of token to generate, service or batch' + description: |- + The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. + The type of token to generate, service or batch type: string type: object conditions: 
@@ -634,14 +673,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -651,8 +699,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -661,6 +710,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/transform.vault.upbound.io_alphabets.yaml b/package/crds/transform.vault.upbound.io_alphabets.yaml index 45b3a206..c2532694 100644 --- a/package/crds/transform.vault.upbound.io_alphabets.yaml +++ b/package/crds/transform.vault.upbound.io_alphabets.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: alphabets.transform.vault.upbound.io spec: group: transform.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -37,14 +37,19 @@ spec: description: Alphabet is the Schema for the Alphabets API. "/transform/alphabet/{name}" properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -53,13 +58,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -67,75 +73,232 @@ spec: forProvider: properties: alphabet: - description: A string of characters that contains the alphabet - set. A string of characters that contains the alphabet set. + description: |- + A string of characters that contains the alphabet set. + A string of characters that contains the alphabet set. type: string name: - description: The name of the alphabet. The name of the alphabet. + description: |- + The name of the alphabet. + The name of the alphabet. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: Path to where the back-end is mounted within Vault. - The mount path for a back-end, for example, the path given in - "$ vault auth enable -path=my-aws aws". + description: |- + Path to where the back-end is mounted within Vault. + The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". type: string + pathRef: + description: Reference to a Mount in vault to populate path. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + pathSelector: + description: Selector for a Mount in vault to populate path. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. 
The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: alphabet: - description: A string of characters that contains the alphabet - set. A string of characters that contains the alphabet set. + description: |- + A string of characters that contains the alphabet set. + A string of characters that contains the alphabet set. type: string name: - description: The name of the alphabet. The name of the alphabet. + description: |- + The name of the alphabet. + The name of the alphabet. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. 
+ The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: Path to where the back-end is mounted within Vault. - The mount path for a back-end, for example, the path given in - "$ vault auth enable -path=my-aws aws". + description: |- + Path to where the back-end is mounted within Vault. + The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". type: string + pathRef: + description: Reference to a Mount in vault to populate path. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + pathSelector: + description: Selector for a Mount in vault to populate path. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. 
+ properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. 
+ This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -148,9 +311,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -160,57 +324,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -220,17 +348,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
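Review bot: Removing `providerRef` from the Alphabet spec in this hunk leaves `providerConfigRef`, with its `default: name: default`, as the only way to choose the provider configuration. A manifest that still sets `providerRef` would presumably have that field rejected or pruned by the API server, and the resource could then reconcile against the `default` ProviderConfig instead of the Vault endpoint and credentials its author intended. The file is generated by controller-gen, so nothing should be hand-edited here; the point belongs in the upgrade notes, for example `Breaking: spec.providerRef is removed; set spec.providerConfigRef.name explicitly before upgrading`. It would also help to check existing managed resources for a remaining `spec.providerRef` before the new CRDs are applied.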
@@ -240,21 +370,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -269,21 +399,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -294,14 +425,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -317,39 +449,39 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: name is a required parameter + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' - - message: path is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.path) - || has(self.initProvider.path)' + || (has(self.initProvider) && has(self.initProvider.name))' status: description: AlphabetStatus defines the observed state of Alphabet. properties: atProvider: properties: alphabet: - description: A string of characters that contains the alphabet - set. A string of characters that contains the alphabet set. + description: |- + A string of characters that contains the alphabet set. + A string of characters that contains the alphabet set. type: string id: type: string name: - description: The name of the alphabet. The name of the alphabet. + description: |- + The name of the alphabet. + The name of the alphabet. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: Path to where the back-end is mounted within Vault. 
- The mount path for a back-end, for example, the path given in - "$ vault auth enable -path=my-aws aws". + description: |- + Path to where the back-end is mounted within Vault. + The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". type: string type: object conditions: @@ -358,14 +490,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -375,8 +516,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime 
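Review bot: The `path is a required parameter` rule is dropped from `x-kubernetes-validations` in this hunk with no replacement, so an Alphabet that sets none of `path`, `pathRef` or `pathSelector` now appears to pass admission and would fail only at reconcile time. If the generator allows it, a rule that accepts any of the three keeps the early rejection, e.g. `has(self.forProvider.path) || has(self.forProvider.pathRef) || has(self.forProvider.pathSelector)` behind the same managementPolicies guard. The remaining `name` rule now guards `initProvider` with `has(self.initProvider) && ...`, which is the right shape to reuse for the `initProvider` side. This CRD is generated, so the change belongs in the generator configuration rather than in this file.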
@@ -385,6 +527,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/transform.vault.upbound.io_roles.yaml b/package/crds/transform.vault.upbound.io_roles.yaml index 1b663c70..7bbc4796 100644 --- a/package/crds/transform.vault.upbound.io_roles.yaml +++ b/package/crds/transform.vault.upbound.io_roles.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: roles.transform.vault.upbound.io spec: group: transform.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -37,14 +37,19 @@ spec: description: Role is the Schema for the Roles API. "/transform/role/{name}" properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -53,13 +58,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -67,60 +73,214 @@ spec: forProvider: properties: name: - description: The name of the role. The name of the role. + description: |- + The name of the role. + The name of the role. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: Path to where the back-end is mounted within Vault. - The mount path for a back-end, for example, the path given in - "$ vault auth enable -path=my-aws aws". + description: |- + Path to where the back-end is mounted within Vault. + The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". type: string + pathRef: + description: Reference to a Mount in vault to populate path. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. 
Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + pathSelector: + description: Selector for a Mount in vault to populate path. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object transformations: - description: A comma separated string or slice of transformations - to use. A comma separated string or slice of transformations - to use. + description: |- + A comma separated string or slice of transformations to use. + A comma separated string or slice of transformations to use. items: type: string type: array type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. 
InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: name: - description: The name of the role. The name of the role. + description: |- + The name of the role. + The name of the role. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. 
(requires Enterprise) type: string path: - description: Path to where the back-end is mounted within Vault. - The mount path for a back-end, for example, the path given in - "$ vault auth enable -path=my-aws aws". + description: |- + Path to where the back-end is mounted within Vault. + The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". type: string + pathRef: + description: Reference to a Mount in vault to populate path. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + pathSelector: + description: Selector for a Mount in vault to populate path. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. 
+ The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object transformations: - description: A comma separated string or slice of transformations - to use. A comma separated string or slice of transformations - to use. + description: |- + A comma separated string or slice of transformations to use. + A comma separated string or slice of transformations to use. items: type: string type: array 
@@ -128,20 +288,21 @@ spec: managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. 
+ description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -154,9 +315,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -166,57 +328,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -226,17 +352,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
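Review bot: Removing `providerRef` from the schema in the `@@ -166,57 +328,21 @@` hunk can silently change which provider configuration an existing Role uses, and nothing in the change documents that. `providerConfigRef` carries `default: name: default` (visible in the preceding hunk), so if the API server prunes the now-unknown field (pruning settings are not visible here), a manifest that still sets only `providerRef` would be reconciled against the `default` ProviderConfig, which may hold different Vault credentials. Since the CRD looks generated, the caveat belongs in the upgrade notes rather than in this file, for example `spec.providerRef is removed; set spec.providerConfigRef on every managed resource before upgrading`. Auditing live objects for `spec.providerRef` before rollout would confirm nothing still depends on it.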
@@ -246,21 +374,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -275,21 +403,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -300,14 +429,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. @@ -323,14 +453,10 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: name is a required parameter + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' - - message: path is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.path) - || has(self.initProvider.path)' + || (has(self.initProvider) && has(self.initProvider.name))' status: description: RoleStatus defines the observed state of Role. properties: 
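Review bot: The second hunk on this line (`@@ -323,14 +453,10 @@`) deletes the `path is a required parameter` rule without a replacement, so a Role that sets none of `path`, `pathRef` or `pathSelector` now passes admission. The removal is presumably needed because `path` can be filled in from the new reference fields, but a missing mount path then shows up only at reconcile time, if at all. A rule that accepts any of the three would keep the early check, with the condition `has(self.forProvider.path) || has(self.forProvider.pathRef) || has(self.forProvider.pathSelector)` behind the same managementPolicies guard as the name rule. The file appears to be generated, so this would have to come from the generator configuration rather than a hand edit.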
@@ -339,24 +465,27 @@ spec: id: type: string name: - description: The name of the role. The name of the role. + description: |- + The name of the role. + The name of the role. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: Path to where the back-end is mounted within Vault. - The mount path for a back-end, for example, the path given in - "$ vault auth enable -path=my-aws aws". + description: |- + Path to where the back-end is mounted within Vault. + The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". type: string transformations: - description: A comma separated string or slice of transformations - to use. A comma separated string or slice of transformations - to use. + description: |- + A comma separated string or slice of transformations to use. + A comma separated string or slice of transformations to use. items: type: string type: array 
@@ -367,14 +496,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -384,8 +522,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -394,6 +533,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/transform.vault.upbound.io_templates.yaml b/package/crds/transform.vault.upbound.io_templates.yaml index 978c60ac..08ff58cd 100644 --- a/package/crds/transform.vault.upbound.io_templates.yaml +++ b/package/crds/transform.vault.upbound.io_templates.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: templates.transform.vault.upbound.io spec: group: transform.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -37,14 +37,19 @@ spec: description: Template is the Schema for the Templates API. "/transform/template/{name}" properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -53,13 +58,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -67,125 +73,290 @@ spec: forProvider: properties: alphabet: - description: The alphabet to use for this template. This is only - used during FPE transformations. The alphabet to use for this - template. This is only used during FPE transformations. + description: |- + The alphabet to use for this template. This is only used during FPE transformations. + The alphabet to use for this template. This is only used during FPE transformations. type: string decodeFormats: additionalProperties: type: string - description: '- Optional mapping of name to regular expression - template, used to customize the decoded output. (requires Vault - Enterprise 1.9+) The map of regular expression templates used - to customize decoded outputs. Only applicable to FPE transformations.' + description: |- + - Optional mapping of name to regular expression template, used to customize + the decoded output. (requires Vault Enterprise 1.9+) + The map of regular expression templates used to customize decoded outputs. + Only applicable to FPE transformations. type: object + x-kubernetes-map-type: granular encodeFormat: - description: '- The regular expression template used to format - encoded values. (requires Vault Enterprise 1.9+) The regular - expression template used for encoding values. Only applicable - to FPE transformations.' + description: |- + - The regular expression template used to format encoded values. + (requires Vault Enterprise 1.9+) + The regular expression template used for encoding values. + Only applicable to FPE transformations. type: string name: - description: The name of the template. The name of the template. + description: |- + The name of the template. + The name of the template. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. 
(requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: Path to where the back-end is mounted within Vault. - The mount path for a back-end, for example, the path given in - "$ vault auth enable -path=my-aws aws". + description: |- + Path to where the back-end is mounted within Vault. + The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". type: string + pathRef: + description: Reference to a Alphabet in transform to populate + path. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + pathSelector: + description: Selector for a Alphabet in transform to populate + path. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. 
+ type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object pattern: - description: The pattern used for matching. Currently, only regular - expression pattern is supported. The pattern used for matching. - Currently, only regular expression pattern is supported. + description: |- + The pattern used for matching. Currently, only regular expression pattern is supported. + The pattern used for matching. Currently, only regular expression pattern is supported. type: string type: - description: The pattern type to use for match detection. Currently, - only regex is supported. The pattern type to use for match detection. - Currently, only regex is supported. + description: |- + The pattern type to use for match detection. Currently, only regex is supported. + The pattern type to use for match detection. Currently, only regex is supported. type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. 
InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: alphabet: - description: The alphabet to use for this template. This is only - used during FPE transformations. The alphabet to use for this - template. This is only used during FPE transformations. + description: |- + The alphabet to use for this template. This is only used during FPE transformations. + The alphabet to use for this template. This is only used during FPE transformations. type: string decodeFormats: additionalProperties: type: string - description: '- Optional mapping of name to regular expression - template, used to customize the decoded output. (requires Vault - Enterprise 1.9+) The map of regular expression templates used - to customize decoded outputs. Only applicable to FPE transformations.' 
+ description: |- + - Optional mapping of name to regular expression template, used to customize + the decoded output. (requires Vault Enterprise 1.9+) + The map of regular expression templates used to customize decoded outputs. + Only applicable to FPE transformations. type: object + x-kubernetes-map-type: granular encodeFormat: - description: '- The regular expression template used to format - encoded values. (requires Vault Enterprise 1.9+) The regular - expression template used for encoding values. Only applicable - to FPE transformations.' + description: |- + - The regular expression template used to format encoded values. + (requires Vault Enterprise 1.9+) + The regular expression template used for encoding values. + Only applicable to FPE transformations. type: string name: - description: The name of the template. The name of the template. + description: |- + The name of the template. + The name of the template. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: Path to where the back-end is mounted within Vault. - The mount path for a back-end, for example, the path given in - "$ vault auth enable -path=my-aws aws". + description: |- + Path to where the back-end is mounted within Vault. + The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". type: string + pathRef: + description: Reference to a Alphabet in transform to populate + path. 
+ properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + pathSelector: + description: Selector for a Alphabet in transform to populate + path. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + type: object pattern: - description: The pattern used for matching. Currently, only regular - expression pattern is supported. The pattern used for matching. - Currently, only regular expression pattern is supported. + description: |- + The pattern used for matching. Currently, only regular expression pattern is supported. + The pattern used for matching. Currently, only regular expression pattern is supported. type: string type: - description: The pattern type to use for match detection. Currently, - only regex is supported. The pattern type to use for match detection. - Currently, only regex is supported. + description: |- + The pattern type to use for match detection. Currently, only regex is supported. + The pattern type to use for match detection. Currently, only regex is supported. type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. 
+ ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create @@ -198,9 +369,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
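Review bot: The new `pathRef` and `pathSelector` under both `forProvider` and `initProvider` are described as "Reference to a Alphabet in transform to populate path", while `path` itself is documented as the mount path of the back-end. The Transformation CRD later in this commit resolves the same field from a Mount, so the Template reference target looks inconsistent and may resolve `path` to something other than the mount. Unless an Alphabet's path is deliberately reused here, the regenerated schema should read `description: Reference to a Mount in vault to populate path.` and `description: Selector for a Mount in vault to populate path.`. This file is controller-gen output, so the change belongs in the generator's reference configuration, which is not visible in this hunk.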
@@ -210,57 +382,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. 
Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent @@ -270,17 +406,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -290,21 +428,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -319,21 +457,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -344,14 +483,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -367,64 +507,66 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: name is a required parameter + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' - - message: path is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.path) - || has(self.initProvider.path)' + || (has(self.initProvider) && has(self.initProvider.name))' status: description: TemplateStatus defines the observed state of Template. properties: atProvider: properties: alphabet: - description: The alphabet to use for this template. This is only - used during FPE transformations. The alphabet to use for this - template. This is only used during FPE transformations. + description: |- + The alphabet to use for this template. This is only used during FPE transformations. + The alphabet to use for this template. This is only used during FPE transformations. type: string decodeFormats: additionalProperties: type: string - description: '- Optional mapping of name to regular expression - template, used to customize the decoded output. (requires Vault - Enterprise 1.9+) The map of regular expression templates used - to customize decoded outputs. Only applicable to FPE transformations.' + description: |- + - Optional mapping of name to regular expression template, used to customize + the decoded output. (requires Vault Enterprise 1.9+) + The map of regular expression templates used to customize decoded outputs. + Only applicable to FPE transformations. type: object + x-kubernetes-map-type: granular encodeFormat: - description: '- The regular expression template used to format - encoded values. 
(requires Vault Enterprise 1.9+) The regular - expression template used for encoding values. Only applicable - to FPE transformations.' + description: |- + - The regular expression template used to format encoded values. + (requires Vault Enterprise 1.9+) + The regular expression template used for encoding values. + Only applicable to FPE transformations. type: string id: type: string name: - description: The name of the template. The name of the template. + description: |- + The name of the template. + The name of the template. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: Path to where the back-end is mounted within Vault. - The mount path for a back-end, for example, the path given in - "$ vault auth enable -path=my-aws aws". + description: |- + Path to where the back-end is mounted within Vault. + The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". type: string pattern: - description: The pattern used for matching. Currently, only regular - expression pattern is supported. The pattern used for matching. - Currently, only regular expression pattern is supported. + description: |- + The pattern used for matching. Currently, only regular expression pattern is supported. + The pattern used for matching. Currently, only regular expression pattern is supported. type: string type: - description: The pattern type to use for match detection. 
Currently, - only regex is supported. The pattern type to use for match detection. - Currently, only regex is supported. + description: |- + The pattern type to use for match detection. Currently, only regex is supported. + The pattern type to use for match detection. Currently, only regex is supported. type: string type: object conditions: @@ -433,14 +575,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -450,8 +601,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime 
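Review bot: The `path is a required parameter` rule is dropped from `x-kubernetes-validations` with nothing replacing it, so admission no longer requires any of `path`, `pathRef` or `pathSelector` when the management policies include `*`, `Create` or `Update`. A Template with no mount path is then accepted by the API server and presumably fails only at reconcile time. If the generator allows it, keep a rule with `message: one of spec.forProvider.path, pathRef or pathSelector is required` whose condition is `has(self.forProvider.path) || has(self.forProvider.pathRef) || has(self.forProvider.pathSelector)`, plus the `initProvider` equivalents guarded by `has(self.initProvider)` as the `name` rule now does. The CRD is generated, so the rule has to come from the provider configuration rather than from an edit to this YAML.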
@@ -460,6 +612,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/transform.vault.upbound.io_transformations.yaml b/package/crds/transform.vault.upbound.io_transformations.yaml index 9c4fdec7..dd43f100 100644 --- a/package/crds/transform.vault.upbound.io_transformations.yaml +++ b/package/crds/transform.vault.upbound.io_transformations.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: transformations.transform.vault.upbound.io spec: group: transform.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -37,14 +37,19 @@ spec: description: Transformation is the Schema for the Transformations API. "/transform/transformation/{name}" properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -53,13 +58,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -67,139 +73,304 @@ spec: forProvider: properties: allowedRoles: - description: The set of roles allowed to perform this transformation. + description: |- + The set of roles allowed to perform this transformation. The set of roles allowed to perform this transformation. items: type: string type: array deletionAllowed: - description: 'If true, this transform can be deleted. Otherwise, - deletion is blocked while this value remains false. Default: - false Only supported on vault-1.12+ If true, this transform - can be deleted. Otherwise deletion is blocked while this value - remains false.' + description: |- + If true, this transform can be deleted. + Otherwise, deletion is blocked while this value remains false. Default: false + Only supported on vault-1.12+ + If true, this transform can be deleted. Otherwise deletion is blocked while this value remains false. type: boolean maskingCharacter: - description: The character used to replace data when in masking - mode The character used to replace data when in masking mode + description: |- + The character used to replace data when in masking mode + The character used to replace data when in masking mode type: string name: - description: The name of the transformation. The name of the transformation. + description: |- + The name of the transformation. + The name of the transformation. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. 
(requires Enterprise) type: string path: - description: Path to where the back-end is mounted within Vault. - The mount path for a back-end, for example, the path given in - "$ vault auth enable -path=my-aws aws". + description: |- + Path to where the back-end is mounted within Vault. + The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". type: string + pathRef: + description: Reference to a Mount in vault to populate path. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + pathSelector: + description: Selector for a Mount in vault to populate path. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. 
+ The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object template: - description: The name of the template to use. The name of the - template to use. + description: |- + The name of the template to use. + The name of the template to use. type: string templates: - description: Templates configured for transformation. Templates - configured for transformation. + description: |- + Templates configured for transformation. + Templates configured for transformation. items: type: string type: array tweakSource: - description: The source of where the tweak value comes from. Only - valid when in FPE mode. The source of where the tweak value - comes from. Only valid when in FPE mode. + description: |- + The source of where the tweak value comes from. Only valid when in FPE mode. + The source of where the tweak value comes from. Only valid when in FPE mode. type: string type: - description: The type of transformation to perform. The type of - transformation to perform. + description: |- + The type of transformation to perform. + The type of transformation to perform. type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. 
The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: allowedRoles: - description: The set of roles allowed to perform this transformation. + description: |- + The set of roles allowed to perform this transformation. The set of roles allowed to perform this transformation. items: type: string type: array deletionAllowed: - description: 'If true, this transform can be deleted. Otherwise, - deletion is blocked while this value remains false. Default: - false Only supported on vault-1.12+ If true, this transform - can be deleted. Otherwise deletion is blocked while this value - remains false.' + description: |- + If true, this transform can be deleted. + Otherwise, deletion is blocked while this value remains false. Default: false + Only supported on vault-1.12+ + If true, this transform can be deleted. Otherwise deletion is blocked while this value remains false. 
type: boolean maskingCharacter: - description: The character used to replace data when in masking - mode The character used to replace data when in masking mode + description: |- + The character used to replace data when in masking mode + The character used to replace data when in masking mode type: string name: - description: The name of the transformation. The name of the transformation. + description: |- + The name of the transformation. + The name of the transformation. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: Path to where the back-end is mounted within Vault. - The mount path for a back-end, for example, the path given in - "$ vault auth enable -path=my-aws aws". + description: |- + Path to where the back-end is mounted within Vault. + The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". type: string + pathRef: + description: Reference to a Mount in vault to populate path. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + pathSelector: + description: Selector for a Mount in vault to populate path. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object template: - description: The name of the template to use. The name of the - template to use. + description: |- + The name of the template to use. + The name of the template to use. type: string templates: - description: Templates configured for transformation. Templates - configured for transformation. + description: |- + Templates configured for transformation. 
+ Templates configured for transformation. items: type: string type: array tweakSource: - description: The source of where the tweak value comes from. Only - valid when in FPE mode. The source of where the tweak value - comes from. Only valid when in FPE mode. + description: |- + The source of where the tweak value comes from. Only valid when in FPE mode. + The source of where the tweak value comes from. Only valid when in FPE mode. type: string type: - description: The type of transformation to perform. The type of - transformation to perform. + description: |- + The type of transformation to perform. + The type of transformation to perform. type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. 
Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -212,45 +383,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -260,21 +396,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -284,17 +420,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -304,21 +442,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -333,21 +471,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -358,14 +497,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -381,71 +521,75 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: name is a required parameter + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' - - message: path is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.path) - || has(self.initProvider.path)' + || (has(self.initProvider) && has(self.initProvider.name))' status: description: TransformationStatus defines the observed state of Transformation. properties: atProvider: properties: allowedRoles: - description: The set of roles allowed to perform this transformation. + description: |- + The set of roles allowed to perform this transformation. The set of roles allowed to perform this transformation. items: type: string type: array deletionAllowed: - description: 'If true, this transform can be deleted. Otherwise, - deletion is blocked while this value remains false. Default: - false Only supported on vault-1.12+ If true, this transform - can be deleted. Otherwise deletion is blocked while this value - remains false.' + description: |- + If true, this transform can be deleted. + Otherwise, deletion is blocked while this value remains false. Default: false + Only supported on vault-1.12+ + If true, this transform can be deleted. Otherwise deletion is blocked while this value remains false. type: boolean id: type: string maskingCharacter: - description: The character used to replace data when in masking - mode The character used to replace data when in masking mode + description: |- + The character used to replace data when in masking mode + The character used to replace data when in masking mode type: string name: - description: The name of the transformation. 
The name of the transformation. + description: |- + The name of the transformation. + The name of the transformation. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string path: - description: Path to where the back-end is mounted within Vault. - The mount path for a back-end, for example, the path given in - "$ vault auth enable -path=my-aws aws". + description: |- + Path to where the back-end is mounted within Vault. + The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". type: string template: - description: The name of the template to use. The name of the - template to use. + description: |- + The name of the template to use. + The name of the template to use. type: string templates: - description: Templates configured for transformation. Templates - configured for transformation. + description: |- + Templates configured for transformation. + Templates configured for transformation. items: type: string type: array tweakSource: - description: The source of where the tweak value comes from. Only - valid when in FPE mode. The source of where the tweak value - comes from. Only valid when in FPE mode. + description: |- + The source of where the tweak value comes from. Only valid when in FPE mode. + The source of where the tweak value comes from. Only valid when in FPE mode. type: string type: - description: The type of transformation to perform. 
The type of - transformation to perform. + description: |- + The type of transformation to perform. + The type of transformation to perform. type: string type: object conditions: @@ -454,14 +598,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -471,8 +624,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime 
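Review bot: The `x-kubernetes-validations` hunk of the Transformation CRD removes the `path is a required parameter` rule without a replacement, so an object that sets none of `path`, `pathRef` or `pathSelector` is now admitted and presumably fails only at reconcile time. If that is not intended, a rule accepting any of the three would keep the check at the API server, for example `has(self.forProvider.path) || has(self.forProvider.pathRef) || has(self.forProvider.pathSelector)`. It would sit behind the same managementPolicies guard, with the `has(self.initProvider) && …` form this hunk already uses for `name`. The CRD appears to be generated (the sibling file in this diff carries a controller-gen annotation), so the change belongs in the generator configuration rather than in this YAML. The enclosing `spec` schema starts outside the hunk.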
@@ -481,6 +635,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/transit.vault.upbound.io_secretbackendkeys.yaml b/package/crds/transit.vault.upbound.io_secretbackendkeys.yaml index 5f1c7a61..08b9ff7e 100644 --- a/package/crds/transit.vault.upbound.io_secretbackendkeys.yaml +++ b/package/crds/transit.vault.upbound.io_secretbackendkeys.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretbackendkeys.transit.vault.upbound.io spec: group: transit.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: Create an Encryption Keyring on a Transit Secret Backend for Vault. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,205 +74,324 @@ spec: forProvider: properties: allowPlaintextBackup: - description: Enables taking backup of entire keyring in the plaintext - format. Once set, this cannot be disabled. If set, enables taking - backup of named key in the plaintext format. Once set, this - cannot be disabled. + description: |- + Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled. + If set, enables taking backup of named key in the plaintext format. Once set, this cannot be disabled. type: boolean - autoRotateInterval: - description: Replaced by auto_rotate_period. Amount of time the - key should live before being automatically rotated. A value - of 0 disables automatic rotation for the key. - type: number autoRotatePeriod: - description: Amount of seconds the key should live before being - automatically rotated. A value of 0 disables automatic rotation - for the key. Amount of seconds the key should live before being - automatically rotated. A value of 0 disables automatic rotation - for the key. + description: |- + Amount of seconds the key should live before being automatically rotated. + A value of 0 disables automatic rotation for the key. + Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. type: number backend: - description: The path the transit secret backend is mounted at, - with no leading or trailing /s. The Transit secret backend the - resource belongs to. + description: |- + The path the transit secret backend is mounted at, with no leading or trailing /s. + The Transit secret backend the resource belongs to. type: string + backendRef: + description: Reference to a Mount in vault to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. 
+ properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Mount in vault to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + type: object convergentEncryption: - description: Whether or not to support convergent encryption, - where the same plaintext creates the same ciphertext. This requires - derived to be set to true. Whether or not to support convergent - encryption, where the same plaintext creates the same ciphertext. - This requires derived to be set to true. + description: |- + Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true. + Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true. type: boolean deletionAllowed: - description: Specifies if the keyring is allowed to be deleted. + description: |- + Specifies if the keyring is allowed to be deleted. Specifies if the key is allowed to be deleted. type: boolean derived: - description: Specifies if key derivation is to be used. If enabled, - all encrypt/decrypt requests to this key must provide a context - which is used for key derivation. Specifies if key derivation - is to be used. If enabled, all encrypt/decrypt requests to this - key must provide a context which is used for key derivation. + description: |- + Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation. + Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation. type: boolean exportable: - description: Enables keys to be exportable. This allows for all - valid private keys in the keyring to be exported. Once set, - this cannot be disabled. Enables keys to be exportable. This - allows for all the valid keys in the key ring to be exported. - Once set, this cannot be disabled. + description: |- + Enables keys to be exportable. 
This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled. + Enables keys to be exportable. This allows for all the valid keys in the key ring to be exported. Once set, this cannot be disabled. type: boolean keySize: - description: The key size in bytes for algorithms that allow variable - key sizes. Currently only applicable to HMAC, where it must - be between 32 and 512 bytes. The key size in bytes for algorithms - that allow variable key sizes. Currently only applicable to - HMAC; this value must be between 32 and 512. + description: |- + The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes. + The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC; this value must be between 32 and 512. type: number minDecryptionVersion: - description: Minimum key version to use for decryption. Minimum - key version to use for decryption. + description: |- + Minimum key version to use for decryption. + Minimum key version to use for decryption. type: number minEncryptionVersion: - description: Minimum key version to use for encryption Minimum - key version to use for encryption + description: |- + Minimum key version to use for encryption + Minimum key version to use for encryption type: number name: - description: The name to identify this key within the backend. - Must be unique within the backend. Name of the encryption key - to create. + description: |- + The name to identify this key within the backend. Must be unique within the backend. + Name of the encryption key to create. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. 
(requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: - description: 'Specifies the type of key to create. The currently-supported - types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, - ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, - rsa-3072 and rsa-4096. Specifies the type of key to create. - The currently-supported types are: aes128-gcm96, aes256-gcm96, - chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, - hmac, rsa-2048, rsa-3072, rsa-4096' + description: |- + Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096. + Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96, chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072, rsa-4096 type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. 
+ description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: allowPlaintextBackup: - description: Enables taking backup of entire keyring in the plaintext - format. Once set, this cannot be disabled. If set, enables taking - backup of named key in the plaintext format. Once set, this - cannot be disabled. + description: |- + Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled. + If set, enables taking backup of named key in the plaintext format. Once set, this cannot be disabled. type: boolean - autoRotateInterval: - description: Replaced by auto_rotate_period. Amount of time the - key should live before being automatically rotated. A value - of 0 disables automatic rotation for the key. - type: number autoRotatePeriod: - description: Amount of seconds the key should live before being - automatically rotated. A value of 0 disables automatic rotation - for the key. Amount of seconds the key should live before being - automatically rotated. A value of 0 disables automatic rotation - for the key. + description: |- + Amount of seconds the key should live before being automatically rotated. + A value of 0 disables automatic rotation for the key. + Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. 
type: number backend: - description: The path the transit secret backend is mounted at, - with no leading or trailing /s. The Transit secret backend the - resource belongs to. + description: |- + The path the transit secret backend is mounted at, with no leading or trailing /s. + The Transit secret backend the resource belongs to. type: string + backendRef: + description: Reference to a Mount in vault to populate backend. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + backendSelector: + description: Selector for a Mount in vault to populate backend. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. 
+ The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object convergentEncryption: - description: Whether or not to support convergent encryption, - where the same plaintext creates the same ciphertext. This requires - derived to be set to true. Whether or not to support convergent - encryption, where the same plaintext creates the same ciphertext. - This requires derived to be set to true. + description: |- + Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true. + Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true. type: boolean deletionAllowed: - description: Specifies if the keyring is allowed to be deleted. + description: |- + Specifies if the keyring is allowed to be deleted. Specifies if the key is allowed to be deleted. type: boolean derived: - description: Specifies if key derivation is to be used. If enabled, - all encrypt/decrypt requests to this key must provide a context - which is used for key derivation. Specifies if key derivation - is to be used. If enabled, all encrypt/decrypt requests to this - key must provide a context which is used for key derivation. + description: |- + Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation. 
+ Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation. type: boolean exportable: - description: Enables keys to be exportable. This allows for all - valid private keys in the keyring to be exported. Once set, - this cannot be disabled. Enables keys to be exportable. This - allows for all the valid keys in the key ring to be exported. - Once set, this cannot be disabled. + description: |- + Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled. + Enables keys to be exportable. This allows for all the valid keys in the key ring to be exported. Once set, this cannot be disabled. type: boolean keySize: - description: The key size in bytes for algorithms that allow variable - key sizes. Currently only applicable to HMAC, where it must - be between 32 and 512 bytes. The key size in bytes for algorithms - that allow variable key sizes. Currently only applicable to - HMAC; this value must be between 32 and 512. + description: |- + The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes. + The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC; this value must be between 32 and 512. type: number minDecryptionVersion: - description: Minimum key version to use for decryption. Minimum - key version to use for decryption. + description: |- + Minimum key version to use for decryption. + Minimum key version to use for decryption. type: number minEncryptionVersion: - description: Minimum key version to use for encryption Minimum - key version to use for encryption + description: |- + Minimum key version to use for encryption + Minimum key version to use for encryption type: number name: - description: The name to identify this key within the backend. 
- Must be unique within the backend. Name of the encryption key - to create. + description: |- + The name to identify this key within the backend. Must be unique within the backend. + Name of the encryption key to create. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string type: - description: 'Specifies the type of key to create. The currently-supported - types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, - ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, - rsa-3072 and rsa-4096. Specifies the type of key to create. - The currently-supported types are: aes128-gcm96, aes256-gcm96, - chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, - hmac, rsa-2048, rsa-3072, rsa-4096' + description: |- + Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096. + Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96, chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072, rsa-4096 type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. 
ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -279,45 +404,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -327,21 +417,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -351,17 +441,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -371,21 +463,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -400,21 +492,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -425,14 +518,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -448,146 +542,124 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: backend is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) - || has(self.initProvider.backend)' - - message: name is a required parameter + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' + || (has(self.initProvider) && has(self.initProvider.name))' status: description: SecretBackendKeyStatus defines the observed state of SecretBackendKey. properties: atProvider: properties: allowPlaintextBackup: - description: Enables taking backup of entire keyring in the plaintext - format. Once set, this cannot be disabled. If set, enables taking - backup of named key in the plaintext format. Once set, this - cannot be disabled. + description: |- + Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled. + If set, enables taking backup of named key in the plaintext format. Once set, this cannot be disabled. type: boolean - autoRotateInterval: - description: Replaced by auto_rotate_period. Amount of time the - key should live before being automatically rotated. A value - of 0 disables automatic rotation for the key. - type: number autoRotatePeriod: - description: Amount of seconds the key should live before being - automatically rotated. A value of 0 disables automatic rotation - for the key. Amount of seconds the key should live before being - automatically rotated. A value of 0 disables automatic rotation - for the key. + description: |- + Amount of seconds the key should live before being automatically rotated. + A value of 0 disables automatic rotation for the key. 
+ Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. type: number backend: - description: The path the transit secret backend is mounted at, - with no leading or trailing /s. The Transit secret backend the - resource belongs to. + description: |- + The path the transit secret backend is mounted at, with no leading or trailing /s. + The Transit secret backend the resource belongs to. type: string convergentEncryption: - description: Whether or not to support convergent encryption, - where the same plaintext creates the same ciphertext. This requires - derived to be set to true. Whether or not to support convergent - encryption, where the same plaintext creates the same ciphertext. - This requires derived to be set to true. + description: |- + Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true. + Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true. type: boolean deletionAllowed: - description: Specifies if the keyring is allowed to be deleted. + description: |- + Specifies if the keyring is allowed to be deleted. Specifies if the key is allowed to be deleted. type: boolean derived: - description: Specifies if key derivation is to be used. If enabled, - all encrypt/decrypt requests to this key must provide a context - which is used for key derivation. Specifies if key derivation - is to be used. If enabled, all encrypt/decrypt requests to this - key must provide a context which is used for key derivation. + description: |- + Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation. + Specifies if key derivation is to be used. 
If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation. type: boolean exportable: - description: Enables keys to be exportable. This allows for all - valid private keys in the keyring to be exported. Once set, - this cannot be disabled. Enables keys to be exportable. This - allows for all the valid keys in the key ring to be exported. - Once set, this cannot be disabled. + description: |- + Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled. + Enables keys to be exportable. This allows for all the valid keys in the key ring to be exported. Once set, this cannot be disabled. type: boolean id: type: string keySize: - description: The key size in bytes for algorithms that allow variable - key sizes. Currently only applicable to HMAC, where it must - be between 32 and 512 bytes. The key size in bytes for algorithms - that allow variable key sizes. Currently only applicable to - HMAC; this value must be between 32 and 512. + description: |- + The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes. + The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC; this value must be between 32 and 512. type: number keys: - description: List of key versions in the keyring. This attribute - is zero-indexed and will contain a map of values depending on - the type of the encryption key. List of key versions in the - keyring. + description: |- + List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key. + List of key versions in the keyring. items: additionalProperties: type: string type: object type: array latestVersion: - description: Latest key version available. 
This value is 1-indexed, - so if latest_version is 1, then the key's information can be - referenced from keys by selecting element 0 Latest key version - in use in the keyring + description: |- + Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0 + Latest key version in use in the keyring type: number minAvailableVersion: - description: Minimum key version available for use. If keys have - been archived by increasing min_decryption_version, this attribute - will reflect that change. Minimum key version available for - use. + description: |- + Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change. + Minimum key version available for use. type: number minDecryptionVersion: - description: Minimum key version to use for decryption. Minimum - key version to use for decryption. + description: |- + Minimum key version to use for decryption. + Minimum key version to use for decryption. type: number minEncryptionVersion: - description: Minimum key version to use for encryption Minimum - key version to use for encryption + description: |- + Minimum key version to use for encryption + Minimum key version to use for encryption type: number name: - description: The name to identify this key within the backend. - Must be unique within the backend. Name of the encryption key - to create. + description: |- + The name to identify this key within the backend. Must be unique within the backend. + Name of the encryption key to create. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. 
(requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string supportsDecryption: - description: Whether or not the key supports decryption, based - on key type. Whether or not the key supports decryption, based - on key type. + description: |- + Whether or not the key supports decryption, based on key type. + Whether or not the key supports decryption, based on key type. type: boolean supportsDerivation: - description: Whether or not the key supports derivation, based - on key type. Whether or not the key supports derivation, based - on key type. + description: |- + Whether or not the key supports derivation, based on key type. + Whether or not the key supports derivation, based on key type. type: boolean supportsEncryption: - description: Whether or not the key supports encryption, based - on key type. Whether or not the key supports encryption, based - on key type. + description: |- + Whether or not the key supports encryption, based on key type. + Whether or not the key supports encryption, based on key type. type: boolean supportsSigning: - description: Whether or not the key supports signing, based on - key type. Whether or not the key supports signing, based on - key type. + description: |- + Whether or not the key supports signing, based on key type. + Whether or not the key supports signing, based on key type. type: boolean type: - description: 'Specifies the type of key to create. The currently-supported - types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, - ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, - rsa-3072 and rsa-4096. Specifies the type of key to create. 
- The currently-supported types are: aes128-gcm96, aes256-gcm96, - chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, - hmac, rsa-2048, rsa-3072, rsa-4096' + description: |- + Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096. + Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96, chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072, rsa-4096 type: string type: object conditions: @@ -596,14 +668,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. 
@@ -613,8 +694,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -623,6 +705,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/vault.upbound.io_providerconfigs.yaml b/package/crds/vault.upbound.io_providerconfigs.yaml index 8f08b063..151ff6df 100644 --- a/package/crds/vault.upbound.io_providerconfigs.yaml +++ b/package/crds/vault.upbound.io_providerconfigs.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: providerconfigs.vault.upbound.io spec: group: vault.upbound.io 
@@ -32,14 +32,19 @@ spec: description: A ProviderConfig configures a Vault provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -47,32 +52,41 @@ spec: description: A ProviderConfigSpec defines the desired state of a ProviderConfig. properties: add_address_to_env: - description: If true the environment variable VAULT_ADDR in the Terraform - process environment will be set to the value of the address argument + description: |- + If true the environment variable + VAULT_ADDR in the Terraform process environment + will be set to the value of the address argument from this provider. By default, this is false. type: boolean address: - description: Required origin URL of the Vault server. This is a URL - with a scheme, a hostname and a port but with no path. + description: |- + Required origin URL of the Vault server. + This is a URL with a scheme, a hostname + and a port but with no path. type: string credentials: - description: Credentials required to authenticate to this provider. - There are many options to authenticate. They include - token - (Optional) - Vault token that will be used by Terraform to authenticate. May - be set via the VAULT_TOKEN environment variable. If none is otherwise - supplied, Terraform will attempt to read it from ~/.vault-token - (where the vault command stores its current token). Terraform will - issue itself a new token that is a child of the one given, with - a short TTL to limit the exposure of any requested secrets, unless - skip_child_token is set to true (see below). Note that the given - token must have the update capability on the auth/token/create path - in Vault in order to create child tokens. A token is required for - the provider. A token can explicitly set via token argument, alternatively + description: |- + Credentials required to authenticate to this provider. + There are many options to authenticate. They include + - token - (Optional) Vault token that will be used + by Terraform to authenticate. May be set via the + VAULT_TOKEN environment variable. 
If none is otherwise + supplied, Terraform will attempt to read it from + ~/.vault-token (where the vault command stores its + current token). Terraform will issue itself a new token + that is a child of the one given, with a short TTL to + limit the exposure of any requested secrets, unless + skip_child_token is set to true (see below). Note + that the given token must have the update capability + on the auth/token/create path in Vault in order to create + child tokens. A token is required for the provider. A + token can explicitly set via token argument, alternatively a token can be dynamically set via an auth_login* block. properties: env: - description: Env is a reference to an environment variable that - contains credentials that must be used to connect to the provider. + description: |- + Env is a reference to an environment variable that contains credentials + that must be used to connect to the provider. properties: name: description: Name is the name of an environment variable. @@ -81,8 +95,9 @@ spec: - name type: object fs: - description: Fs is a reference to a filesystem location that contains - credentials that must be used to connect to the provider. + description: |- + Fs is a reference to a filesystem location that contains credentials that + must be used to connect to the provider. properties: path: description: Path is a filesystem path. @@ -91,8 +106,9 @@ spec: - path type: object secretRef: - description: A SecretRef is a reference to a secret key that contains - the credentials that must be used to connect to the provider. + description: |- + A SecretRef is a reference to a secret key that contains the credentials + that must be used to connect to the provider. properties: key: description: The key to select. 
@@ -121,9 +137,11 @@ spec: - source type: object headers: - description: A configuration block, described below, that provides - headers to be sent along with all requests to the Vault server. - This block can be specified multiple times. + description: |- + A configuration block, described below, + that provides headers to be sent along with all + requests to the Vault server. This block can be + specified multiple times. properties: name: description: Required header name 
@@ -136,47 +154,61 @@ spec: - value type: object max_lease_ttl_seconds: - description: Used as the duration for the intermediate Vault token - Terraform issues itself, which in turn limits the duration of secret - leases issued by Vault. Defaults to 20 minutes. + description: |- + Used as the duration for the intermediate Vault + token Terraform issues itself, which in turn limits the + duration of secret leases issued by Vault. Defaults to + 20 minutes. type: integer max_retries: - description: Used as the maximum number of retries when a 5xx error - code is encountered. Defaults to 2 retries. + description: |- + Used as the maximum number of retries when a + 5xx error code is encountered. Defaults to 2 retries. type: integer max_retries_ccc: - description: Maximum number of retries for Client Controlled Consistency - related operations. Defaults to 10 retries. + description: |- + Maximum number of retries for Client Controlled + Consistency related operations. Defaults to 10 retries. type: integer namespace: description: Set the namespace to use. type: string skip_child_token: - description: Set this to true to disable creation of an intermediate - ephemeral Vault token for Terraform to use. Enabling this is strongly - discouraged since it increases the potential for a renewable Vault - token being exposed in clear text. Only change this setting when - the provided token cannot be permitted to create child tokens and - there is no risk of exposure from the output of Terraform. + description: |- + Set this to true to disable creation of an + intermediate ephemeral Vault token for Terraform to use. + Enabling this is strongly discouraged since it increases + the potential for a renewable Vault token being exposed + in clear text. Only change this setting when the provided + token cannot be permitted to create child tokens and there + is no risk of exposure from the output of Terraform. 
type: boolean skip_get_vault_version: - description: Skip the dynamic fetching of the Vault server version. - Set to true when the /sys/seal-status API endpoint is not available. + description: |- + Skip the dynamic fetching of the Vault server + version. Set to true when the /sys/seal-status API + endpoint is not available. type: boolean skip_tls_verify: - description: Set this to true to disable verification of the Vault - server's TLS certificate. This is strongly discouraged except in - prototype or development environments, since it exposes the possibility - that Terraform can be tricked into writing secrets to a server controlled - by an intruder. + description: |- + Set this to true to disable verification + of the Vault server's TLS certificate. This is + strongly discouraged except in prototype or + development environments, since it exposes the + possibility that Terraform can be tricked into + writing secrets to a server controlled by an intruder. type: boolean tls_server_name: - description: Name to use as the SNI host when connecting via TLS. + description: |- + Name to use as the SNI host when connecting + via TLS. type: string vault_version_override: - description: Override the target Vault server semantic version. Normally - the version is dynamically set from the /sys/seal-status API endpoint. - In the case where this endpoint is not available an override can + description: |- + Override the target Vault server semantic + version. Normally the version is dynamically set + from the /sys/seal-status API endpoint. In the case + where this endpoint is not available an override can be specified here. type: string required: 
@@ -191,14 +223,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -208,8 +249,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -218,6 +260,9 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map users: description: Users of this provider configuration. format: int64 diff --git a/package/crds/vault.upbound.io_providerconfigusages.yaml b/package/crds/vault.upbound.io_providerconfigusages.yaml index dd8d70e3..50270414 100644 --- a/package/crds/vault.upbound.io_providerconfigusages.yaml +++ b/package/crds/vault.upbound.io_providerconfigusages.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: providerconfigusages.vault.upbound.io spec: group: vault.upbound.io @@ -37,14 +37,19 @@ spec: description: A ProviderConfigUsage indicates that a resource is using a ProviderConfig. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -59,19 +64,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this reference - is required. The default is 'Required', which means the reconcile - will fail if the reference cannot be resolved. 'Optional' means - this reference will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should be resolved. - The default is 'IfNotPresent', which will attempt to resolve - the reference only when the corresponding field is not present. - Use 'Always' to resolve the reference on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent diff --git a/package/crds/vault.upbound.io_storeconfigs.yaml b/package/crds/vault.upbound.io_storeconfigs.yaml index 171ccbd5..883454eb 100644 --- a/package/crds/vault.upbound.io_storeconfigs.yaml +++ b/package/crds/vault.upbound.io_storeconfigs.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: storeconfigs.vault.upbound.io spec: group: vault.upbound.io 
@@ -35,14 +35,19 @@ spec: details. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -50,24 +55,26 @@ spec: description: A StoreConfigSpec defines the desired state of a ProviderConfig. properties: defaultScope: - description: DefaultScope used for scoping secrets for "cluster-scoped" - resources. If store type is "Kubernetes", this would mean the default - namespace to store connection secrets for cluster scoped resources. + description: |- + DefaultScope used for scoping secrets for "cluster-scoped" resources. + If store type is "Kubernetes", this would mean the default namespace to + store connection secrets for cluster scoped resources. In case of "Vault", this would be used as the default parent path. Typically, should be set as Crossplane installation namespace. type: string kubernetes: - description: Kubernetes configures a Kubernetes secret store. If the - "type" is "Kubernetes" but no config provided, in cluster config + description: |- + Kubernetes configures a Kubernetes secret store. + If the "type" is "Kubernetes" but no config provided, in cluster config will be used. properties: auth: description: Credentials used to connect to the Kubernetes API. properties: env: - description: Env is a reference to an environment variable - that contains credentials that must be used to connect to - the provider. + description: |- + Env is a reference to an environment variable that contains credentials + that must be used to connect to the provider. properties: name: description: Name is the name of an environment variable. @@ -76,9 +83,9 @@ spec: - name type: object fs: - description: Fs is a reference to a filesystem location that - contains credentials that must be used to connect to the - provider. + description: |- + Fs is a reference to a filesystem location that contains credentials that + must be used to connect to the provider. properties: path: description: Path is a filesystem path. 
@@ -87,9 +94,9 @@ spec: - path type: object secretRef: - description: A SecretRef is a reference to a secret key that - contains the credentials that must be used to connect to - the provider. + description: |- + A SecretRef is a reference to a secret key that contains the credentials + that must be used to connect to the provider. properties: key: description: The key to select. 
@@ -145,154 +152,15 @@ spec: type: object type: default: Kubernetes - description: Type configures which secret store to be used. Only the - configuration block for this store will be used and others will - be ignored if provided. Default is Kubernetes. + description: |- + Type configures which secret store to be used. Only the configuration + block for this store will be used and others will be ignored if provided. + Default is Kubernetes. enum: - Kubernetes - Vault - Plugin type: string - vault: - description: 'Vault configures a Vault secret store. Deprecated: This - API is scheduled to be removed in a future release. Vault should - be used as a plugin going forward. See https://github.com/crossplane-contrib/ess-plugin-vault - for more information.' - properties: - auth: - description: Auth configures an authentication method for Vault. - properties: - method: - description: Method configures which auth method will be used. - type: string - token: - description: Token configures Token Auth for Vault. - properties: - env: - description: Env is a reference to an environment variable - that contains credentials that must be used to connect - to the provider. - properties: - name: - description: Name is the name of an environment variable. - type: string - required: - - name - type: object - fs: - description: Fs is a reference to a filesystem location - that contains credentials that must be used to connect - to the provider. - properties: - path: - description: Path is a filesystem path. - type: string - required: - - path - type: object - secretRef: - description: A SecretRef is a reference to a secret key - that contains the credentials that must be used to connect - to the provider. - properties: - key: - description: The key to select. - type: string - name: - description: Name of the secret. - type: string - namespace: - description: Namespace of the secret. 
- type: string - required: - - key - - name - - namespace - type: object - source: - description: Source of the credentials. - enum: - - None - - Secret - - Environment - - Filesystem - type: string - required: - - source - type: object - required: - - method - type: object - caBundle: - description: CABundle configures CA bundle for Vault Server. - properties: - env: - description: Env is a reference to an environment variable - that contains credentials that must be used to connect to - the provider. - properties: - name: - description: Name is the name of an environment variable. - type: string - required: - - name - type: object - fs: - description: Fs is a reference to a filesystem location that - contains credentials that must be used to connect to the - provider. - properties: - path: - description: Path is a filesystem path. - type: string - required: - - path - type: object - secretRef: - description: A SecretRef is a reference to a secret key that - contains the credentials that must be used to connect to - the provider. - properties: - key: - description: The key to select. - type: string - name: - description: Name of the secret. - type: string - namespace: - description: Namespace of the secret. - type: string - required: - - key - - name - - namespace - type: object - source: - description: Source of the credentials. - enum: - - None - - Secret - - Environment - - Filesystem - type: string - required: - - source - type: object - mountPath: - description: MountPath is the mount path of the KV secrets engine. - type: string - server: - description: Server is the url of the Vault server, e.g. "https://vault.acme.org" - type: string - version: - default: v2 - description: Version of the KV Secrets engine of Vault. https://www.vaultproject.io/docs/secrets/kv - type: string - required: - - auth - - mountPath - - server - type: object required: - defaultScope type: object 
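Review bot: The `type` enum kept as context in this hunk still accepts `Vault`, but the hunk removes the whole `vault` property, so a StoreConfig with `type: Vault` passes validation while the schema has no field left to carry its server, mount path or auth settings. Unless unknown fields are preserved somewhere outside this hunk, the API server would presumably prune an existing `vault:` stanza on the next write, and where connection details (endpoint, username, password) end up would then depend on how the controller treats a Vault store with no configuration. The `defaultScope` description in the first hunk of this file also still documents the "Vault" case. This file looks generated, so the change belongs in the source type: drop `Vault` from the enum, or extend the `type` description with `Vault is no longer configurable here; use Plugin.`, and call out the removal in the upgrade notes.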
@@ -305,14 +173,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -322,8 +199,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -332,6 +210,9 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map type: object required: - spec diff --git a/package/crds/vault.vault.upbound.io_audits.yaml b/package/crds/vault.vault.upbound.io_audits.yaml index e42dd6cc..3dac8518 100644 --- a/package/crds/vault.vault.upbound.io_audits.yaml +++ b/package/crds/vault.vault.upbound.io_audits.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: audits.vault.vault.upbound.io spec: group: vault.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: for Vault properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,101 +74,110 @@ spec: forProvider: properties: description: - description: Human-friendly description of the audit device. Human-friendly - description of the audit device. + description: |- + Human-friendly description of the audit device. + Human-friendly description of the audit device. type: string local: - description: Specifies if the audit device is a local only. Local - audit devices are not replicated nor (if a secondary) removed - by replication. Specifies if the audit device is a local only. - Local audit devices are not replicated nor (if a secondary) - removed by replication. + description: |- + Specifies if the audit device is a local only. Local audit devices are not replicated nor (if a secondary) removed by replication. + Specifies if the audit device is a local only. Local audit devices are not replicated nor (if a secondary) removed by replication. type: boolean namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string options: additionalProperties: type: string - description: Configuration options to pass to the audit device - itself. Configuration options to pass to the audit device itself. + description: |- + Configuration options to pass to the audit device itself. + Configuration options to pass to the audit device itself. type: object + x-kubernetes-map-type: granular path: - description: The path to mount the audit device. This defaults - to the type. Path in which to enable the audit device. 
+ description: |- + The path to mount the audit device. This defaults to the type. + Path in which to enable the audit device. type: string type: - description: Type of the audit device, such as 'file'. Type of - the audit device, such as 'file'. + description: |- + Type of the audit device, such as 'file'. + Type of the audit device, such as 'file'. type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: description: - description: Human-friendly description of the audit device. Human-friendly - description of the audit device. + description: |- + Human-friendly description of the audit device. 
+ Human-friendly description of the audit device. type: string local: - description: Specifies if the audit device is a local only. Local - audit devices are not replicated nor (if a secondary) removed - by replication. Specifies if the audit device is a local only. - Local audit devices are not replicated nor (if a secondary) - removed by replication. + description: |- + Specifies if the audit device is a local only. Local audit devices are not replicated nor (if a secondary) removed by replication. + Specifies if the audit device is a local only. Local audit devices are not replicated nor (if a secondary) removed by replication. type: boolean namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string options: additionalProperties: type: string - description: Configuration options to pass to the audit device - itself. Configuration options to pass to the audit device itself. + description: |- + Configuration options to pass to the audit device itself. + Configuration options to pass to the audit device itself. type: object + x-kubernetes-map-type: granular path: - description: The path to mount the audit device. This defaults - to the type. Path in which to enable the audit device. + description: |- + The path to mount the audit device. This defaults to the type. + Path in which to enable the audit device. type: string type: - description: Type of the audit device, such as 'file'. Type of - the audit device, such as 'file'. 
+ description: |- + Type of the audit device, such as 'file'. + Type of the audit device, such as 'file'. type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. 
+ See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -175,45 +190,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -223,21 +203,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -247,17 +227,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -267,21 +249,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -296,21 +278,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -321,14 +304,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -344,52 +328,56 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: options is a required parameter + - message: spec.forProvider.options is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.options) - || has(self.initProvider.options)' - - message: type is a required parameter + || (has(self.initProvider) && has(self.initProvider.options))' + - message: spec.forProvider.type is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.type) - || has(self.initProvider.type)' + || (has(self.initProvider) && has(self.initProvider.type))' status: description: AuditStatus defines the observed state of Audit. properties: atProvider: properties: description: - description: Human-friendly description of the audit device. Human-friendly - description of the audit device. + description: |- + Human-friendly description of the audit device. + Human-friendly description of the audit device. type: string id: type: string local: - description: Specifies if the audit device is a local only. Local - audit devices are not replicated nor (if a secondary) removed - by replication. Specifies if the audit device is a local only. - Local audit devices are not replicated nor (if a secondary) - removed by replication. + description: |- + Specifies if the audit device is a local only. Local audit devices are not replicated nor (if a secondary) removed by replication. + Specifies if the audit device is a local only. Local audit devices are not replicated nor (if a secondary) removed by replication. type: boolean namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. 
- Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string options: additionalProperties: type: string - description: Configuration options to pass to the audit device - itself. Configuration options to pass to the audit device itself. + description: |- + Configuration options to pass to the audit device itself. + Configuration options to pass to the audit device itself. type: object + x-kubernetes-map-type: granular path: - description: The path to mount the audit device. This defaults - to the type. Path in which to enable the audit device. + description: |- + The path to mount the audit device. This defaults to the type. + Path in which to enable the audit device. type: string type: - description: Type of the audit device, such as 'file'. Type of - the audit device, such as 'file'. + description: |- + Type of the audit device, such as 'file'. + Type of the audit device, such as 'file'. type: string type: object conditions: 
@@ -398,14 +386,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -415,8 +412,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -425,6 +423,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/vault.vault.upbound.io_mounts.yaml b/package/crds/vault.vault.upbound.io_mounts.yaml index d5b79208..45389a7b 100644 
--- a/package/crds/vault.vault.upbound.io_mounts.yaml +++ b/package/crds/vault.vault.upbound.io_mounts.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: mounts.vault.vault.upbound.io spec: group: vault.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: of secret backends in Vault properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,189 +74,280 @@ spec: forProvider: properties: allowedManagedKeys: - description: Set of managed key registry entry names that the - mount in question is allowed to access List of managed key registry - entry names that the mount in question is allowed to access + description: |- + Set of managed key registry entry names that the mount in question is allowed to access + List of managed key registry entry names that the mount in question is allowed to access + items: + type: string + type: array + x-kubernetes-list-type: set + allowedResponseHeaders: + description: |- + List of headers to allow, allowing a plugin to include + them in the response. + List of headers to allow and pass from the request to the plugin items: type: string type: array auditNonHmacRequestKeys: - description: Specifies the list of keys that will not be HMAC'd - by audit devices in the request data object. Specifies the list - of keys that will not be HMAC'd by audit devices in the request - data object. + description: |- + Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. + Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. items: type: string type: array auditNonHmacResponseKeys: - description: Specifies the list of keys that will not be HMAC'd - by audit devices in the response data object. Specifies the - list of keys that will not be HMAC'd by audit devices in the - response data object. + description: |- + Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. + Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. 
items: type: string type: array defaultLeaseTtlSeconds: - description: Default lease duration for tokens and secrets in - seconds Default lease duration for tokens and secrets in seconds + description: |- + Default lease duration for tokens and secrets in seconds + Default lease duration for tokens and secrets in seconds type: number + delegatedAuthAccessors: + description: |- + List of allowed authentication mount accessors the + backend can request delegated authentication for. + List of headers to allow and pass from the request to the plugin + items: + type: string + type: array description: - description: Human-friendly description of the mount Human-friendly - description of the mount + description: |- + Human-friendly description of the mount + Human-friendly description of the mount type: string externalEntropyAccess: - description: Boolean flag that can be explicitly set to true to - enable the secrets engine to access Vault's external entropy - source Enable the secrets engine to access Vault's external - entropy source + description: |- + Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source + Enable the secrets engine to access Vault's external entropy source type: boolean + identityTokenKey: + description: |- + The key to use for signing plugin workload identity tokens. If + not provided, this will default to Vault's OIDC default key. + The key to use for signing plugin workload identity tokens + type: string + listingVisibility: + description: |- + Specifies whether to show this mount in the UI-specific + listing endpoint. Valid values are unauth or hidden. If not set, behaves like hidden. 
+ Specifies whether to show this mount in the UI-specific listing endpoint + type: string local: - description: Boolean flag that can be explicitly set to true to - enforce local mount in HA environment Local mount flag that - can be explicitly set to true to enforce local mount in HA environment + description: |- + Boolean flag that can be explicitly set to true to enforce local mount in HA environment + Local mount flag that can be explicitly set to true to enforce local mount in HA environment type: boolean maxLeaseTtlSeconds: - description: Maximum possible lease duration for tokens and secrets - in seconds Maximum possible lease duration for tokens and secrets - in seconds + description: |- + Maximum possible lease duration for tokens and secrets in seconds + Maximum possible lease duration for tokens and secrets in seconds type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string options: additionalProperties: type: string - description: Specifies mount type specific options that are passed - to the backend Specifies mount type specific options that are - passed to the backend + description: |- + Specifies mount type specific options that are passed to the backend + Specifies mount type specific options that are passed to the backend type: object + x-kubernetes-map-type: granular + passthroughRequestHeaders: + description: |- + List of headers to allow and pass from the request to + the plugin. 
+ List of headers to allow and pass from the request to the plugin + items: + type: string + type: array path: - description: Where the secret backend will be mounted Where the - secret backend will be mounted + description: |- + Where the secret backend will be mounted + Where the secret backend will be mounted + type: string + pluginVersion: + description: |- + Specifies the semantic version of the plugin to use, e.g. "v1.0.0". + If unspecified, the server will select any matching unversioned plugin that may have been + registered, the latest versioned plugin registered, or a built-in plugin in that order of precedence. + Specifies the semantic version of the plugin to use, e.g. 'v1.0.0' type: string sealWrap: - description: Boolean flag that can be explicitly set to true to - enable seal wrapping for the mount, causing values stored by - the mount to be wrapped by the seal's encryption capability - Enable seal wrapping for the mount, causing values stored by - the mount to be wrapped by the seal's encryption capability + description: |- + Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability + Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability type: boolean type: - description: Type of the backend, such as "aws" Type of the backend, - such as 'aws' + description: |- + Type of the backend, such as "aws" + Type of the backend, such as 'aws' type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. 
The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: allowedManagedKeys: - description: Set of managed key registry entry names that the - mount in question is allowed to access List of managed key registry - entry names that the mount in question is allowed to access + description: |- + Set of managed key registry entry names that the mount in question is allowed to access + List of managed key registry entry names that the mount in question is allowed to access + items: + type: string + type: array + x-kubernetes-list-type: set + allowedResponseHeaders: + description: |- + List of headers to allow, allowing a plugin to include + them in the response. + List of headers to allow and pass from the request to the plugin items: type: string type: array auditNonHmacRequestKeys: - description: Specifies the list of keys that will not be HMAC'd - by audit devices in the request data object. 
Specifies the list - of keys that will not be HMAC'd by audit devices in the request - data object. + description: |- + Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. + Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. items: type: string type: array auditNonHmacResponseKeys: - description: Specifies the list of keys that will not be HMAC'd - by audit devices in the response data object. Specifies the - list of keys that will not be HMAC'd by audit devices in the - response data object. + description: |- + Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. + Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. items: type: string type: array defaultLeaseTtlSeconds: - description: Default lease duration for tokens and secrets in - seconds Default lease duration for tokens and secrets in seconds + description: |- + Default lease duration for tokens and secrets in seconds + Default lease duration for tokens and secrets in seconds type: number + delegatedAuthAccessors: + description: |- + List of allowed authentication mount accessors the + backend can request delegated authentication for. 
+ List of headers to allow and pass from the request to the plugin + items: + type: string + type: array description: - description: Human-friendly description of the mount Human-friendly - description of the mount + description: |- + Human-friendly description of the mount + Human-friendly description of the mount type: string externalEntropyAccess: - description: Boolean flag that can be explicitly set to true to - enable the secrets engine to access Vault's external entropy - source Enable the secrets engine to access Vault's external - entropy source + description: |- + Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source + Enable the secrets engine to access Vault's external entropy source type: boolean + identityTokenKey: + description: |- + The key to use for signing plugin workload identity tokens. If + not provided, this will default to Vault's OIDC default key. + The key to use for signing plugin workload identity tokens + type: string + listingVisibility: + description: |- + Specifies whether to show this mount in the UI-specific + listing endpoint. Valid values are unauth or hidden. If not set, behaves like hidden. 
+ Specifies whether to show this mount in the UI-specific listing endpoint + type: string local: - description: Boolean flag that can be explicitly set to true to - enforce local mount in HA environment Local mount flag that - can be explicitly set to true to enforce local mount in HA environment + description: |- + Boolean flag that can be explicitly set to true to enforce local mount in HA environment + Local mount flag that can be explicitly set to true to enforce local mount in HA environment type: boolean maxLeaseTtlSeconds: - description: Maximum possible lease duration for tokens and secrets - in seconds Maximum possible lease duration for tokens and secrets - in seconds + description: |- + Maximum possible lease duration for tokens and secrets in seconds + Maximum possible lease duration for tokens and secrets in seconds type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string options: additionalProperties: type: string - description: Specifies mount type specific options that are passed - to the backend Specifies mount type specific options that are - passed to the backend + description: |- + Specifies mount type specific options that are passed to the backend + Specifies mount type specific options that are passed to the backend type: object + x-kubernetes-map-type: granular + passthroughRequestHeaders: + description: |- + List of headers to allow and pass from the request to + the plugin. 
+ List of headers to allow and pass from the request to the plugin + items: + type: string + type: array path: - description: Where the secret backend will be mounted Where the - secret backend will be mounted + description: |- + Where the secret backend will be mounted + Where the secret backend will be mounted + type: string + pluginVersion: + description: |- + Specifies the semantic version of the plugin to use, e.g. "v1.0.0". + If unspecified, the server will select any matching unversioned plugin that may have been + registered, the latest versioned plugin registered, or a built-in plugin in that order of precedence. + Specifies the semantic version of the plugin to use, e.g. 'v1.0.0' type: string sealWrap: - description: Boolean flag that can be explicitly set to true to - enable seal wrapping for the mount, causing values stored by - the mount to be wrapped by the seal's encryption capability - Enable seal wrapping for the mount, causing values stored by - the mount to be wrapped by the seal's encryption capability + description: |- + Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability + Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability type: boolean type: - description: Type of the backend, such as "aws" Type of the backend, - such as 'aws' + description: |- + Type of the backend, such as "aws" + Type of the backend, such as 'aws' type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. 
This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -263,45 +360,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -311,21 +373,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -335,17 +397,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -355,21 +419,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -384,21 +448,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -409,14 +474,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -432,99 +498,146 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: path is a required parameter + - message: spec.forProvider.path is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.path) - || has(self.initProvider.path)' - - message: type is a required parameter + || (has(self.initProvider) && has(self.initProvider.path))' + - message: spec.forProvider.type is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.type) - || has(self.initProvider.type)' + || (has(self.initProvider) && has(self.initProvider.type))' status: description: MountStatus defines the observed state of Mount. properties: atProvider: properties: accessor: - description: The accessor for this mount. Accessor of the mount + description: |- + The accessor for this mount. + Accessor of the mount type: string allowedManagedKeys: - description: Set of managed key registry entry names that the - mount in question is allowed to access List of managed key registry - entry names that the mount in question is allowed to access + description: |- + Set of managed key registry entry names that the mount in question is allowed to access + List of managed key registry entry names that the mount in question is allowed to access + items: + type: string + type: array + x-kubernetes-list-type: set + allowedResponseHeaders: + description: |- + List of headers to allow, allowing a plugin to include + them in the response. + List of headers to allow and pass from the request to the plugin items: type: string type: array auditNonHmacRequestKeys: - description: Specifies the list of keys that will not be HMAC'd - by audit devices in the request data object. Specifies the list - of keys that will not be HMAC'd by audit devices in the request - data object. 
+ description: |- + Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. + Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. items: type: string type: array auditNonHmacResponseKeys: - description: Specifies the list of keys that will not be HMAC'd - by audit devices in the response data object. Specifies the - list of keys that will not be HMAC'd by audit devices in the - response data object. + description: |- + Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. + Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. items: type: string type: array defaultLeaseTtlSeconds: - description: Default lease duration for tokens and secrets in - seconds Default lease duration for tokens and secrets in seconds + description: |- + Default lease duration for tokens and secrets in seconds + Default lease duration for tokens and secrets in seconds type: number + delegatedAuthAccessors: + description: |- + List of allowed authentication mount accessors the + backend can request delegated authentication for. 
+ List of headers to allow and pass from the request to the plugin + items: + type: string + type: array description: - description: Human-friendly description of the mount Human-friendly - description of the mount + description: |- + Human-friendly description of the mount + Human-friendly description of the mount type: string externalEntropyAccess: - description: Boolean flag that can be explicitly set to true to - enable the secrets engine to access Vault's external entropy - source Enable the secrets engine to access Vault's external - entropy source + description: |- + Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source + Enable the secrets engine to access Vault's external entropy source type: boolean id: type: string + identityTokenKey: + description: |- + The key to use for signing plugin workload identity tokens. If + not provided, this will default to Vault's OIDC default key. + The key to use for signing plugin workload identity tokens + type: string + listingVisibility: + description: |- + Specifies whether to show this mount in the UI-specific + listing endpoint. Valid values are unauth or hidden. If not set, behaves like hidden. 
+ Specifies whether to show this mount in the UI-specific listing endpoint + type: string local: - description: Boolean flag that can be explicitly set to true to - enforce local mount in HA environment Local mount flag that - can be explicitly set to true to enforce local mount in HA environment + description: |- + Boolean flag that can be explicitly set to true to enforce local mount in HA environment + Local mount flag that can be explicitly set to true to enforce local mount in HA environment type: boolean maxLeaseTtlSeconds: - description: Maximum possible lease duration for tokens and secrets - in seconds Maximum possible lease duration for tokens and secrets - in seconds + description: |- + Maximum possible lease duration for tokens and secrets in seconds + Maximum possible lease duration for tokens and secrets in seconds type: number namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string options: additionalProperties: type: string - description: Specifies mount type specific options that are passed - to the backend Specifies mount type specific options that are - passed to the backend + description: |- + Specifies mount type specific options that are passed to the backend + Specifies mount type specific options that are passed to the backend type: object + x-kubernetes-map-type: granular + passthroughRequestHeaders: + description: |- + List of headers to allow and pass from the request to + the plugin. 
+ List of headers to allow and pass from the request to the plugin + items: + type: string + type: array path: - description: Where the secret backend will be mounted Where the - secret backend will be mounted + description: |- + Where the secret backend will be mounted + Where the secret backend will be mounted + type: string + pluginVersion: + description: |- + Specifies the semantic version of the plugin to use, e.g. "v1.0.0". + If unspecified, the server will select any matching unversioned plugin that may have been + registered, the latest versioned plugin registered, or a built-in plugin in that order of precedence. + Specifies the semantic version of the plugin to use, e.g. 'v1.0.0' type: string sealWrap: - description: Boolean flag that can be explicitly set to true to - enable seal wrapping for the mount, causing values stored by - the mount to be wrapped by the seal's encryption capability - Enable seal wrapping for the mount, causing values stored by - the mount to be wrapped by the seal's encryption capability + description: |- + Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability + Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability type: boolean type: - description: Type of the backend, such as "aws" Type of the backend, - such as 'aws' + description: |- + Type of the backend, such as "aws" + Type of the backend, such as 'aws' type: string type: object conditions: 
@@ -533,14 +646,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -550,8 +672,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -560,6 +683,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec 
diff --git a/package/crds/vault.vault.upbound.io_policies.yaml b/package/crds/vault.vault.upbound.io_policies.yaml index 571c71d6..350eda80 100644 --- a/package/crds/vault.vault.upbound.io_policies.yaml +++ b/package/crds/vault.vault.upbound.io_policies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: policies.vault.vault.upbound.io spec: group: vault.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: for Vault properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -68,63 +74,74 @@ spec: forProvider: properties: name: - description: The name of the policy Name of the policy + description: |- + The name of the policy + Name of the policy type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string policy: - description: String containing a Vault policy The policy document + description: |- + String containing a Vault policy + The policy document type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. 
The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: name: - description: The name of the policy Name of the policy + description: |- + The name of the policy + Name of the policy type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string policy: - description: String containing a Vault policy The policy document + description: |- + String containing a Vault policy + The policy document type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. 
See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -137,45 +154,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -185,21 +167,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -209,17 +191,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -229,21 +213,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -258,21 +242,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -283,14 +268,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -306,14 +292,14 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: name is a required parameter + - message: spec.forProvider.name is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) - || has(self.initProvider.name)' - - message: policy is a required parameter + || (has(self.initProvider) && has(self.initProvider.name))' + - message: spec.forProvider.policy is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.policy) - || has(self.initProvider.policy)' + || (has(self.initProvider) && has(self.initProvider.policy))' status: description: PolicyStatus defines the observed state of Policy. properties: @@ -322,17 +308,22 @@ spec: id: type: string name: - description: The name of the policy Name of the policy + description: |- + The name of the policy + Name of the policy type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string policy: - description: String containing a Vault policy The policy document + description: |- + String containing a Vault policy + The policy document type: string type: object conditions: 
@@ -341,14 +332,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -358,8 +358,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -368,6 +369,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/vault.vault.upbound.io_tokens.yaml b/package/crds/vault.vault.upbound.io_tokens.yaml index d9d7047c..8af859f0 100644 
--- a/package/crds/vault.vault.upbound.io_tokens.yaml +++ b/package/crds/vault.vault.upbound.io_tokens.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: tokens.vault.vault.upbound.io spec: group: vault.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -37,14 +37,19 @@ spec: description: Token is the Schema for the Tokens API. Writes token for Vault properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -53,13 +58,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -67,177 +73,206 @@ spec: forProvider: properties: displayName: - description: String containing the token display name The display - name of the token. + description: |- + String containing the token display name + The display name of the token. type: string explicitMaxTtl: - description: The explicit max TTL of this token. This is specified - as a numeric string with suffix like "30s" ro "5m" The explicit - max TTL of the token. + description: |- + The explicit max TTL of this token. This is specified as a numeric string with suffix like "30s" ro "5m" + The explicit max TTL of the token. type: string metadata: additionalProperties: type: string - description: Metadata to be set on this token Metadata to be associated - with the token. + description: |- + Metadata to be set on this token + Metadata to be associated with the token. type: object + x-kubernetes-map-type: granular namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string noDefaultPolicy: - description: Flag to not attach the default policy to this token + description: |- + Flag to not attach the default policy to this token Flag to disable the default policy. type: boolean noParent: - description: Flag to create a token without parent Flag to create - a token without parent. + description: |- + Flag to create a token without parent + Flag to create a token without parent. 
type: boolean numUses: - description: The number of allowed uses of this token The number - of allowed uses of the token. + description: |- + The number of allowed uses of this token + The number of allowed uses of the token. type: number period: - description: The period of this token. This is specified as a - numeric string with suffix like "30s" ro "5m" The period of - the token. + description: |- + The period of this token. This is specified as a numeric string with suffix like "30s" ro "5m" + The period of the token. type: string policies: - description: List of policies to attach to this token List of - policies. + description: |- + List of policies to attach to this token + List of policies. items: type: string type: array + x-kubernetes-list-type: set renewIncrement: - description: The renew increment. This is specified in seconds + description: |- + The renew increment. This is specified in seconds The renew increment. type: number renewMinLease: - description: The minimal lease to renew this token The minimum - lease to renew token. + description: |- + The minimal lease to renew this token + The minimum lease to renew token. type: number renewable: - description: Flag to allow to renew this token Flag to allow the - token to be renewed + description: |- + Flag to allow to renew this token + Flag to allow the token to be renewed type: boolean roleName: - description: The token role name The token role name. + description: |- + The token role name + The token role name. type: string ttl: - description: The TTL period of this token. This is specified as - a numeric string with suffix like "30s" ro "5m" The TTL period - of the token. + description: |- + The TTL period of this token. This is specified as a numeric string with suffix like "30s" ro "5m" + The TTL period of the token. type: string wrappingTtl: - description: The TTL period of this token. This is specified as - a numeric string with suffix like "30s" ro "5m" The TTL period - of the wrapped token. 
+ description: |- + The TTL period of this token. This is specified as a numeric string with suffix like "30s" ro "5m" + The TTL period of the wrapped token. type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: displayName: - description: String containing the token display name The display - name of the token. + description: |- + String containing the token display name + The display name of the token. type: string explicitMaxTtl: - description: The explicit max TTL of this token. This is specified - as a numeric string with suffix like "30s" ro "5m" The explicit - max TTL of the token. 
+ description: |- + The explicit max TTL of this token. This is specified as a numeric string with suffix like "30s" ro "5m" + The explicit max TTL of the token. type: string metadata: additionalProperties: type: string - description: Metadata to be set on this token Metadata to be associated - with the token. + description: |- + Metadata to be set on this token + Metadata to be associated with the token. type: object + x-kubernetes-map-type: granular namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string noDefaultPolicy: - description: Flag to not attach the default policy to this token + description: |- + Flag to not attach the default policy to this token Flag to disable the default policy. type: boolean noParent: - description: Flag to create a token without parent Flag to create - a token without parent. + description: |- + Flag to create a token without parent + Flag to create a token without parent. type: boolean numUses: - description: The number of allowed uses of this token The number - of allowed uses of the token. + description: |- + The number of allowed uses of this token + The number of allowed uses of the token. type: number period: - description: The period of this token. This is specified as a - numeric string with suffix like "30s" ro "5m" The period of - the token. + description: |- + The period of this token. This is specified as a numeric string with suffix like "30s" ro "5m" + The period of the token. 
type: string policies: - description: List of policies to attach to this token List of - policies. + description: |- + List of policies to attach to this token + List of policies. items: type: string type: array + x-kubernetes-list-type: set renewIncrement: - description: The renew increment. This is specified in seconds + description: |- + The renew increment. This is specified in seconds The renew increment. type: number renewMinLease: - description: The minimal lease to renew this token The minimum - lease to renew token. + description: |- + The minimal lease to renew this token + The minimum lease to renew token. type: number renewable: - description: Flag to allow to renew this token Flag to allow the - token to be renewed + description: |- + Flag to allow to renew this token + Flag to allow the token to be renewed type: boolean roleName: - description: The token role name The token role name. + description: |- + The token role name + The token role name. type: string ttl: - description: The TTL period of this token. This is specified as - a numeric string with suffix like "30s" ro "5m" The TTL period - of the token. + description: |- + The TTL period of this token. This is specified as a numeric string with suffix like "30s" ro "5m" + The TTL period of the token. type: string wrappingTtl: - description: The TTL period of this token. This is specified as - a numeric string with suffix like "30s" ro "5m" The TTL period - of the wrapped token. + description: |- + The TTL period of this token. This is specified as a numeric string with suffix like "30s" ro "5m" + The TTL period of the wrapped token. type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. 
ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -250,45 +285,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -298,21 +298,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -322,17 +322,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -342,21 +344,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -371,21 +373,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -396,14 +399,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. 
@@ -424,84 +428,100 @@ spec: atProvider: properties: displayName: - description: String containing the token display name The display - name of the token. + description: |- + String containing the token display name + The display name of the token. type: string explicitMaxTtl: - description: The explicit max TTL of this token. This is specified - as a numeric string with suffix like "30s" ro "5m" The explicit - max TTL of the token. + description: |- + The explicit max TTL of this token. This is specified as a numeric string with suffix like "30s" ro "5m" + The explicit max TTL of the token. type: string id: type: string leaseDuration: - description: String containing the token lease duration if present - in state file The token lease duration. + description: |- + String containing the token lease duration if present in state file + The token lease duration. type: number leaseStarted: - description: String containing the token lease started time if - present in state file The token lease started on. + description: |- + String containing the token lease started time if present in state file + The token lease started on. type: string metadata: additionalProperties: type: string - description: Metadata to be set on this token Metadata to be associated - with the token. + description: |- + Metadata to be set on this token + Metadata to be associated with the token. type: object + x-kubernetes-map-type: granular namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. 
(requires Enterprise) type: string noDefaultPolicy: - description: Flag to not attach the default policy to this token + description: |- + Flag to not attach the default policy to this token Flag to disable the default policy. type: boolean noParent: - description: Flag to create a token without parent Flag to create - a token without parent. + description: |- + Flag to create a token without parent + Flag to create a token without parent. type: boolean numUses: - description: The number of allowed uses of this token The number - of allowed uses of the token. + description: |- + The number of allowed uses of this token + The number of allowed uses of the token. type: number period: - description: The period of this token. This is specified as a - numeric string with suffix like "30s" ro "5m" The period of - the token. + description: |- + The period of this token. This is specified as a numeric string with suffix like "30s" ro "5m" + The period of the token. type: string policies: - description: List of policies to attach to this token List of - policies. + description: |- + List of policies to attach to this token + List of policies. items: type: string type: array + x-kubernetes-list-type: set renewIncrement: - description: The renew increment. This is specified in seconds + description: |- + The renew increment. This is specified in seconds The renew increment. type: number renewMinLease: - description: The minimal lease to renew this token The minimum - lease to renew token. + description: |- + The minimal lease to renew this token + The minimum lease to renew token. type: number renewable: - description: Flag to allow to renew this token Flag to allow the - token to be renewed + description: |- + Flag to allow to renew this token + Flag to allow the token to be renewed type: boolean roleName: - description: The token role name The token role name. + description: |- + The token role name + The token role name. 
type: string ttl: - description: The TTL period of this token. This is specified as - a numeric string with suffix like "30s" ro "5m" The TTL period - of the token. + description: |- + The TTL period of this token. This is specified as a numeric string with suffix like "30s" ro "5m" + The TTL period of the token. type: string wrappingTtl: - description: The TTL period of this token. This is specified as - a numeric string with suffix like "30s" ro "5m" The TTL period - of the wrapped token. + description: |- + The TTL period of this token. This is specified as a numeric string with suffix like "30s" ro "5m" + The TTL period of the wrapped token. type: string type: object conditions: @@ -510,14 +530,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. 
@@ -527,8 +556,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -537,6 +567,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec diff --git a/package/crds/vault.vault.upbound.io_vaultnamespaces.yaml b/package/crds/vault.vault.upbound.io_vaultnamespaces.yaml index 0df119ee..3cc73774 100644 --- a/package/crds/vault.vault.upbound.io_vaultnamespaces.yaml +++ b/package/crds/vault.vault.upbound.io_vaultnamespaces.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.1 + controller-gen.kubebuilder.io/version: v0.14.0 name: vaultnamespaces.vault.vault.upbound.io spec: group: vault.vault.upbound.io @@ -19,12 +19,12 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - jsonPath: .status.conditions[?(@.type=='Synced')].status name: SYNCED type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string - jsonPath: .metadata.annotations.crossplane\.io/external-name name: EXTERNAL-NAME type: string 
@@ -38,14 +38,19 @@ spec: namespaces for Vault properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,13 +59,14 @@ spec: properties: deletionPolicy: default: Delete - description: 'DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. This field is planned to be deprecated - in favor of the ManagementPolicies field in a future release. Currently, - both could be set independently and non-default values would be - honored if the feature flag is enabled. See the design doc for more - information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223' + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 enum: - Orphan - Delete 
@@ -70,83 +76,244 @@ spec: customMetadata: additionalProperties: type: string - description: Custom metadata describing this namespace. Value - type is map[string]string. Requires Vault version 1.12+. Custom - metadata describing this namespace. Value type is map[string]string. + description: |- + Custom metadata describing this namespace. Value type + is map[string]string. Requires Vault version 1.12+. + Custom metadata describing this namespace. Value type is map[string]string. type: object + x-kubernetes-map-type: granular namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string + namespaceRef: + description: Reference to a VaultNamespace in vault to populate + namespace. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. 
Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + namespaceSelector: + description: Selector for a VaultNamespace in vault to populate + namespace. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object path: - description: The path of the namespace. Must not have a trailing - /. Namespace path. + description: |- + The path of the namespace. Must not have a trailing /. + Namespace path. type: string pathFq: - description: The fully qualified path to the namespace. Useful - when provisioning resources in a child namespace. The path is - relative to the provider's namespace argument. The fully qualified - namespace path. + description: |- + The fully qualified path to the namespace. Useful when provisioning resources in a child namespace. + The path is relative to the provider's namespace argument. 
+ The fully qualified namespace path. type: string type: object initProvider: - description: THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. InitProvider - holds the same fields as ForProvider, with the exception of Identifier - and other resource reference fields. The fields that are in InitProvider - are merged into ForProvider when the resource is created. The same - fields are also added to the terraform ignore_changes hook, to avoid - updating them after creation. This is useful for fields that are - required on creation, but we do not desire to update them after - creation, for example because of an external controller is managing - them, like an autoscaler. + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. properties: customMetadata: additionalProperties: type: string - description: Custom metadata describing this namespace. Value - type is map[string]string. Requires Vault version 1.12+. Custom - metadata describing this namespace. Value type is map[string]string. + description: |- + Custom metadata describing this namespace. Value type + is map[string]string. Requires Vault version 1.12+. + Custom metadata describing this namespace. Value type is map[string]string. 
type: object + x-kubernetes-map-type: granular namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string + namespaceRef: + description: Reference to a VaultNamespace in vault to populate + namespace. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + namespaceSelector: + description: Selector for a VaultNamespace in vault to populate + namespace. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. 
+ type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object path: - description: The path of the namespace. Must not have a trailing - /. Namespace path. + description: |- + The path of the namespace. Must not have a trailing /. + Namespace path. type: string pathFq: - description: The fully qualified path to the namespace. Useful - when provisioning resources in a child namespace. The path is - relative to the provider's namespace argument. The fully qualified - namespace path. + description: |- + The fully qualified path to the namespace. Useful when provisioning resources in a child namespace. + The path is relative to the provider's namespace argument. + The fully qualified namespace path. type: string type: object managementPolicies: default: - '*' - description: 'THIS IS AN ALPHA FIELD. Do not use it in production. - It is not honored unless the relevant Crossplane feature flag is - enabled, and may be changed or removed without notice. ManagementPolicies - specify the array of actions Crossplane is allowed to take on the - managed and external resources. 
This field is planned to replace - the DeletionPolicy field in a future release. Currently, both could - be set independently and non-default values would be honored if - the feature flag is enabled. If both are custom, the DeletionPolicy - field will be ignored. See the design doc for more information: - https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 - and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md items: - description: A ManagementAction represents an action that the Crossplane - controllers can take on an external resource. + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. enum: - Observe - Create 
@@ -159,45 +326,10 @@ spec: providerConfigRef: default: name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. properties: name: description: Name of the referenced object. 
@@ -207,21 +339,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -231,17 +363,19 @@ spec: - name type: object publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. properties: configRef: default: name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. properties: name: description: Name of the referenced object. 
@@ -251,21 +385,21 @@ spec: properties: resolution: default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. enum: - Required - Optional type: string resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. enum: - Always - IfNotPresent 
@@ -280,21 +414,22 @@ spec: annotations: additionalProperties: type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. type: object labels: additionalProperties: type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. type: object type: - description: Type is the SecretType for the connection secret. + description: |- + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. type: string type: object 
@@ -305,14 +440,15 @@ spec: - name type: object writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. properties: name: description: Name of the secret. @@ -328,10 +464,10 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: path is a required parameter + - message: spec.forProvider.path is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.path) - || has(self.initProvider.path)' + || (has(self.initProvider) && has(self.initProvider.path))' status: description: VaultNamespaceStatus defines the observed state of VaultNamespace. properties: 
@@ -340,34 +476,39 @@ spec: customMetadata: additionalProperties: type: string - description: Custom metadata describing this namespace. Value - type is map[string]string. Requires Vault version 1.12+. Custom - metadata describing this namespace. Value type is map[string]string. + description: |- + Custom metadata describing this namespace. Value type + is map[string]string. Requires Vault version 1.12+. + Custom metadata describing this namespace. Value type is map[string]string. type: object + x-kubernetes-map-type: granular id: description: The fully qualified path to the namespace, including the provider namespace and a trailing slash. type: string namespace: - description: The namespace to provision the resource in. The value - should not contain leading or trailing forward slashes. The - namespace is always relative to the provider's configured namespace. - Available only for Vault Enterprise. Target namespace. (requires - Enterprise) + description: |- + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + Target namespace. (requires Enterprise) type: string namespaceId: - description: Vault server's internal ID of the namespace. Namespace - ID. + description: |- + Vault server's internal ID of the namespace. + Namespace ID. type: string path: - description: The path of the namespace. Must not have a trailing - /. Namespace path. + description: |- + The path of the namespace. Must not have a trailing /. + Namespace path. type: string pathFq: - description: The fully qualified path to the namespace. Useful - when provisioning resources in a child namespace. The path is - relative to the provider's namespace argument. The fully qualified - namespace path. + description: |- + The fully qualified path to the namespace. Useful when provisioning resources in a child namespace. 
+ The path is relative to the provider's namespace argument. + The fully qualified namespace path. type: string type: object conditions: @@ -376,14 +517,23 @@ spec: description: A Condition that may apply to a resource. properties: lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. format: date-time type: string message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer reason: description: A Reason for this condition's last transition from one status to another. @@ -393,8 +543,9 @@ spec: False, or Unknown? type: string type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. type: string required: - lastTransitionTime @@ -403,6 +554,16 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer type: object required: - spec